ClearPhish
[ 02 ] What we report

The abuse patterns we handle

Brand impersonation rarely arrives alone. We document the full kit — the lure, the infrastructure behind it, and the techniques used to evade review — so a provider sees the complete picture, not a fragment.

Brand-impersonation domains

Look-alike sites that pose as a protected brand's official entry point — often styled as a "current address", "login" or "official" page — to capture the brand's search traffic and convert it. Frequently registered in bulk on disposable domains and fronted by a CDN to hide the origin.

  • Brand name in the domain, title and on-page copy
  • Disposable, recently-registered domains
  • Often paired with the cloaking technique below

Phishing & credential theft

Pages that imitate a login or account flow to harvest usernames, passwords and one-time codes. The captured credentials are used to take over accounts or are resold. These pages are time-sensitive: the faster they are blocklisted, the fewer victims.

  • Cloned login / account screens
  • Form posts to attacker-controlled endpoints
  • Submitted to browser blocklists for fast user protection

Payment & deposit fraud

Fake deposit or bank-transfer ("havale") pages that intercept payments and harvest names, amounts and account numbers, then redirect the victim onward to mask the theft. These cause direct financial loss and warrant the strongest, fastest action.

  • Forms collecting name, amount and IBAN / account
  • Money routed to attacker-controlled accounts
  • Reported as phishing / financial fraud to every channel

Search-engine cloaking

Sites that serve two different pages for the same URL: an innocuous decoy to ordinary browsers and human reviewers, and the abusive page to search-engine crawlers — so the impersonation ranks under a brand while evading manual review. We capture both variants to prove the deception.

  • Decoy shown to normal user-agents
  • Brand / gambling / fraud page served to crawlers
  • A reproduction command that reveals the difference

Typosquats & look-alikes

Misspellings, inserted words, hyphenations and alternate TLDs registered to ride on a brand's name and reputation. Individually low-effort, collectively a campaign — we treat them as a set and watch for the next batch.

  • Character swaps, additions and homoglyphs
  • Alternate and country-code TLDs
  • Tracked as campaigns, not one-offs

Fake apps & profiles

Impersonating mobile apps, store listings and social-media accounts that borrow a brand's identity to funnel users toward the same fraudulent infrastructure. Reported to the relevant platform alongside the web infrastructure they depend on.

  • Look-alike app listings and social accounts
  • Links back to the impersonation infrastructure
  • Reported to the hosting platform's abuse channel
Scope

What we don't do

Clear boundaries keep our notices credible and our work lawful.

We don't access or disrupt systems

We only observe what any visitor or search engine would see. We never attempt to log in, alter, overload or otherwise interfere with third-party systems, and we don't try to defeat any provider's security controls.

We don't report what we can't reproduce

Every pattern above is filed only with captured, reproducible evidence. We don't forward unverified tips, and we don't name a brand as impersonated unless the page actually does so.

Seeing one of these against your brand?

Send us the URL and the brand it's imitating. We'll reproduce it, document it, and route it to everyone who can act.

Report abuse to us Where we report