5 Critical Evidence Types for Fast Phishing Domain Suspension
Here’s the reality: most DNS abuse reports fail not because the registrar doesn’t care, but because you’re not giving them what they need to act.
You submit “this domain is phishing our client,” attach a screenshot, and expect action. Days later, nothing. The site’s still live, credentials are still getting harvested, and you’re wondering why registrars are ignoring obvious abuse.
They’re not ignoring it. Your evidence is incomplete.
Phishing domains impersonate legitimate brands to steal credentials, payment details, or personal information. Registrars process thousands of these complaints daily and are obligated under ICANN’s Registrar Accreditation Agreement to investigate promptly and take action on fraudulent domains. But they can only act when the abuse is unmistakable.
After handling hundreds of DNS abuse cases at BrandSec, here are the five evidence types that actually get registrars to move fast.
1. Specific Technical Phishing Indicators
Stop writing “this domain is phishing.” That tells registrars nothing.
Weak: "Domain impersonates our client's brand"
Strong: "Domain uses cloned login portal with identical branding, collects customer usernames and passwords via form at /login/, displays fake SSL certificate badge"
Include:
- Exact credential harvesting mechanism (login forms, payment forms, data collection fields)
- Attack infrastructure (mobile-only phishing, obfuscated redirects, typosquatting)
- Brand impersonation specifics (unauthorised logos, cloned design)
- Deceptive tactics (fake security badges, urgency messaging)
Example: Mobile-only phishing targeting a frequent flyer program. We documented: “URL only resolves on mobile browsers, redirects through obfuscated chain to evade desktop security tools, collects member credentials via fake rewards page.” Domain suspended in 24 hours.
2. Timestamped Visual Evidence
Phishing sites change fast. Some only display malicious content under specific conditions. If you can’t prove the abuse existed at a specific moment, registrars can’t act on it.
Weak: "Attached screenshot showing phishing page"
Strong: "Timestamped screenshots from iOS (14:32 UTC) and Android (14:35 UTC) showing full credential harvesting form with visible URL bar"
Include:
- Full-page screenshots with visible URL bar
- Timestamp metadata embedded automatically
- Multiple captures showing complete attack flow
- Mobile browser screenshots if attack is mobile-only
Use screenshot tools that embed timestamps directly. If the phishing page has multiple stages, capture all of them.
3. Complete Infrastructure Chain
Here’s where most reports fail: they’re sent to the wrong party.
Identify and include:
- Domain registrar (WHOIS lookup)
- Hosting provider (IP/ASN lookup)
- IP address of the phishing site
- Any security vendor referrals
Example: When a security vendor flagged a phishing domain and referred us to the hosting provider, we included: “Cloudflare forwarded this abuse report to your infrastructure as the identified hosting provider.” The registrar acted immediately because the infrastructure responsibility was crystal clear.
Don’t assume the registrar and hosting provider are the same entity. Many phishing domains are registered at one provider but hosted on completely different infrastructure.
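The registrar and hosting lookups described above can be read from RDAP, the JSON successor to WHOIS. The following is an added example, not code from the original article: it parses one domain response and one IP network response and reports whether the two responsible parties differ. Both responses are constructed samples with placeholder names, and the function names are hypothetical.

```python
def _card(**props):
    """Build a minimal jCard (the vCard-as-JSON array RDAP uses)."""
    return ["vcard", [["version", {}, "text", "4.0"]]
            + [[k, {}, "text", v] for k, v in props.items()]]

# Constructed RDAP responses; every name and address below is a placeholder.
DOMAIN_RDAP = {
    "objectClassName": "domain", "ldhName": "flyer-program.example",
    "status": ["client transfer prohibited"],
    "entities": [{"roles": ["registrar"], "vcardArray": _card(fn="Example Registrar LLC"),
                  "entities": [{"roles": ["abuse"],
                                "vcardArray": _card(email="abuse@registrar.example")}]}],
}
IP_RDAP = {
    "objectClassName": "ip network", "name": "EXAMPLE-HOSTING-NET",
    "startAddress": "203.0.113.0", "endAddress": "203.0.113.255",
    "entities": [{"roles": ["registrant"], "vcardArray": _card(fn="Example Hosting Ltd")},
                 {"roles": ["abuse"], "vcardArray": _card(email="abuse@hosting.example")}],
}

def vcard_value(entity, prop):
    """First value of a jCard property such as 'fn' or 'email', else None."""
    card = entity.get("vcardArray", ["vcard", []])[1]
    return next((e[3] for e in card if e[0] == prop), None)

def walk(entities):
    """Yield entities depth-first; abuse contacts are often nested under the registrar."""
    for ent in entities or []:
        yield ent
        yield from walk(ent.get("entities"))

def responsible_party(rdap, owner_role):
    """Name of the entity holding owner_role plus the first abuse mailbox found."""
    name = abuse = None
    for ent in walk(rdap.get("entities")):
        roles = ent.get("roles", [])
        if owner_role in roles and name is None:
            name = vcard_value(ent, "fn")
        if "abuse" in roles and abuse is None:
            abuse = vcard_value(ent, "email")
    return {"name": name, "abuse_email": abuse}

def infrastructure_chain(domain_rdap, ip_rdap, ip):
    """Assemble the registrar and hosting sections of an abuse report."""
    registrar = responsible_party(domain_rdap, "registrar")
    hosting = responsible_party(ip_rdap, "registrant")
    return {"domain": domain_rdap["ldhName"], "ip": ip, "registrar": registrar,
            "hosting": hosting, "same_party": registrar["name"] == hosting["name"],
            "already_held": "client hold" in domain_rdap.get("status", [])}
```

A `client hold` status in the domain response means the registrar has already suspended resolution, so the remaining report goes to the hosting provider.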
4. Official Brand Information and Client Authorisation
Registrars need to confirm the complaint is legitimate and you’re authorised to file it.
Include:
- Official website URL of the legitimate brand
- Clear authorisation statement
- Direct comparison showing how the phishing domain differs
- Trademark registration references if applicable
Example: “Official website: [legitimate-brand].com. Phishing domain: [legitimate-brand].flyer-program.com uses unauthorised subdomain to impersonate legitimate frequent flyer program.”
If you’re working on behalf of a client, include authorisation documentation upfront. This eliminates verification delays.
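The direct comparison can be stated consistently across reports by classifying how the reported hostname relates to the official one. This is an added example, not part of the original article; the function names and category wording are hypothetical, and the hostname split assumes a single-label public suffix.

```python
def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_host(host):
    """Naive split into (subdomain labels, registrable label, suffix).
    Assumption: single-label suffix; use the Public Suffix List in practice."""
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], labels[-2], labels[-1]

def describe_difference(official, suspect):
    """One-line statement of how `suspect` differs from `official`, for the report."""
    _, brand, suffix = split_host(official)
    subs, reg, sfx = split_host(suspect)
    if reg == brand and sfx == suffix:
        return "same registrable domain as the official site; not a lookalike"
    if brand in subs:
        return f"brand name used as a subdomain of unrelated domain {reg}.{sfx}"
    if reg == brand:
        return f"brand name registered under a different TLD (.{sfx})"
    dist = edit_distance(reg, brand)
    if dist <= 2:  # very short brand names will need a tighter threshold
        return f"typosquat: '{reg}' is {dist} edit(s) from '{brand}'"
    if brand in reg:
        return f"brand name embedded in a longer label '{reg}'"
    return "no lexical relation to the brand; rely on page content evidence"
```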
5. Third-Party Security Vendor Validation
Your complaint carries significantly more weight when independent security vendors have already flagged the domain as malicious.
Weak: "We believe this domain is malicious"
Strong: "Google Safe Browsing flagged this domain as 'dangerous'. Cloudflare displays 'Suspected Phishing' warning. Screenshots attached."
Here’s the key: Don’t just check if these flags exist. Proactively get the domain flagged before submitting your DNS abuse report.
- Google Safe Browsing: Submit reports at safebrowsing.google.com/safebrowsing/report_phish/. Google typically reviews within hours and flags confirmed phishing sites.
- Cloudflare: If the domain uses Cloudflare, report at cloudflare.com/trust-safety/abuse-approach/. They'll investigate and display warnings if confirmed.
Example: In a recent airline phishing case, we submitted the domain to Google Safe Browsing and Cloudflare before contacting the registrar. Within 24 hours, both flagged it. Our report stated: “Both Cloudflare and Google Safe Browsing have independently flagged this content as malicious phishing.” Domain placed on ClientHold the same day.
Common Mistakes That Kill DNS Abuse Reports
Vague descriptions
"This domain is phishing" tells registrars nothing. Give them technical indicators.
Wrong enforcement target
Check the infrastructure chain before you hit send.
No screenshots or outdated proof
Registrars need current, timestamped visual evidence.
Ignoring third-party validation
That's free credibility you're leaving on the table.
Key Takeaways
Most DNS abuse reports fail because the evidence is incomplete. Registrars are required to investigate abuse complaints and act on fraudulent domains, but they can’t act on vague descriptions, missing infrastructure details, or claims without proof.
When you provide specific technical indicators, timestamped screenshots, complete infrastructure chains, official brand information, and third-party security validation, you remove every excuse for inaction.
Build your reports with forensic detail from the start. Get security vendors to flag the domain before you even contact the registrar. Make it impossible for them to ignore you.
That’s the difference between domains that get suspended in hours and domains that stay live for weeks.
Mar 30, 2026
By Dejan Baker‑Petkovich