Phishing: How To Take a Phishing Site Offline

Phishing takedown process with core sentinel logoCONGRATULATIONS, you just won a trip to the Bahamas!

Update your password now!

Please confirm your account information.

You have a tax refund waiting for you.

These are the common introductory statements you can find on phishing emails or phishing sites. In this day and age where all transactions involving credit cards could be done online, phishing is becoming more common. It’s necessary for IT practitioners to know how to take a phishing site down to protect their company’s information and to prevent scammers from using their details for fraudulent activities.

Phishing alert spam scam malware spyware with hands typing on laptop keyboard

The following process works very effectively in having phishing sites taken offline, suspended, and blocked by browsers and content filters – usually within 24 hours.

Step 1

Examine the fraudulent email for malicious domain links and email addresses and take note of them.

Step 2

Forward the original phishing email to the following email addresses:

Step 3

Copy the malicious URL of the phishing site and use it to report to the following anti phishing services

Step 4

Use the web based GeekTools Whois to look up the phishing domain and take note of the details. (You can also use the whois command from within linux.) The output will look something like this:

Geektools whois lookup of

Specifically we are looking for details of;

  • 1) Name Servers
  • 2) Registrant & Registrar
  • 3) Abuse contacts

A black computer with coggs and hard drive icon and ip address plus domain name

The name servers are normally associated with the organisation where the website is hosted, and this is the most important contact for a successful suspension of the account so we will repeat the whois lookup process on the name servers to find out how to contact them.

Step 5

For malicious domains, contact the hosting service and the domain registry to notify them of the scam, requesting that they take action to suspend the account or take it offline. Often this email is sent to abuse@. Follow up with a phone call to both the hosting service and the domain registry with the request

Step 6

Often with phishing sites, the actual domain is a legitimate business whose website has been hacked due to system vulnerabilities. The attacker uses this vulnerability to upload their phishing site to a subdirectory of the legitimate website. (And this illustrates why performing a penetration test on a website is a good idea so that the vulnerabilities can be found and patched before they are exploited by criminals.)

A laptop with coloured text in front of a larger screen with a red alert light flashing

In this case where a legitimate business site has been hacked;

  • Contact the business;
  • Notify them of the phishing site hosted on their domain; and
  • Ask them to take action to remove it

Where possible, it is also worth asking the business owner to provide a zipped up copy of the phishing site code for further analysis. Analysing this code can lead to further investigation as to how the phished data is processed, and provide more information for investigation such as email addresses in the code.

Step 7

For malicious email addresses identified, contact the email provider and notify them of the email address/account which is being used for fraudulent purposes. This is often as simple as sending an email to abuse@.

A screen with envelopes on it with an explanation mark in one and a skull and cross bones in the other

Our final advice to you is be wary of suspicious sounding messages. And if you suspect that a website is not what it purports to be, LEAVE immediately. Perform the procedure outlined above, and have the website taken down if found to be malicious.

Also, if you’ve been hacked or if the security of your website has been compromised, seek expert assistance.

Core Sentinel logo over a blue circuitboard

Core Sentinel’s mission is to help businesses, institutions, and organisations stay a step ahead of hackers. Our consultants work with some of the world’s biggest brands, in a range of industries around the world. The right knowledge, tools, and experience to guide you through the security of your website is only a phone call away.

Download as eBook

Other Articles You Might Like

What is DMARC? And How to Configure it

Ransomware: Mitigating The Threat

How to Effectively Build Hacker Personas