Overview of a Well-Evidenced Phishing Report
The purpose of a well-evidenced phishing report is to ensure that the reported abuse is accurately escalated to the registrar or registry, so that they can act on it in the hope of minimizing the harm inflicted on users. Strong reports consist of the alleged abusive domain, the URL, evidence of the reported abuse, and a brief explanation of the suspected observed abuse. Ensure you have contacted the registrant (if they're unlikely to be a malicious actor), the hosting provider, the registrar, and the registry, and have queried the WHOIS record to determine the status of the domain. Include the evidence and the correspondence from the prior level with each escalation.
The following is intended to guide users in reporting phishing. CleanDNS is not responsible for any damages that stem from use, misuse, or misunderstanding of this guidance nor anything that stems from reporting the phish.
Gathering Evidence
CleanDNS deems the following methods effective for gathering the evidence needed to support a phishing report. The evidence should clearly display the phish and include the URL of the phish.
- Screenshots of the Phish
- Videos of the Phish
- Screenshot of a sandbox tool (e.g., Any.run) depicting the phish
- Link to a VirusTotal page, blacklist site, Any.run report, etc. that supports your claim that the domain is being used as an alleged phishing site
- Any geolocation or device requirements, if applicable (e.g., from Canada using an iPhone)
Lastly, a brief written explanation of the observed abuse including the victim organization is required when submitting the abuse report.
Submitting a Report
A report that is too technical may not be actioned because the connection is not clear enough to the individual reviewing the report. A report without enough detail is likely to be dismissed as inadequate. Once all the required information is gathered for the report, please submit via the appropriate form or email the appropriate abuse email address.
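The checklist above can be run as a pre-submission check. The following is an added example, not a CleanDNS tool or report format: the `PhishingReport` structure, its field names and `check_report` are hypothetical, and the `.test` domains in the usage are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Escalation order taken from the overview paragraph above.
LEVELS = ["registrant", "hosting provider", "registrar", "registry"]

@dataclass
class PhishingReport:  # hypothetical structure, not a CleanDNS format
    domain: str
    url: str
    explanation: str
    victim_org: str
    evidence: list = field(default_factory=list)  # screenshots, videos, report links
    access_requirements: str = ""  # geolocation or device notes, if applicable
    escalating_to: str = "hosting provider"
    prior_correspondence: dict = field(default_factory=dict)  # level -> reference
    registrant_likely_malicious: bool = True  # if True, registrant is not contacted

def check_report(r):
    """Return a list of problems; an empty list means the report is complete."""
    problems = []
    domain = r.domain.strip().lower().rstrip(".")
    host = (urlsplit(r.url.strip()).hostname or "").rstrip(".")
    if not domain:
        problems.append("missing domain")
    if not host:
        problems.append("URL is missing or lacks a scheme and host")
    elif domain and host != domain and not host.endswith("." + domain):
        # Label-boundary match, so look-alike hosts are not accepted.
        problems.append(f"URL host {host} is not under reported domain {domain}")
    if not r.evidence:
        problems.append("no evidence attached")
    if not r.explanation.strip():
        problems.append("missing explanation of the observed abuse")
    if not r.victim_org.strip():
        problems.append("victim organization not named")
    if r.escalating_to not in LEVELS:
        problems.append(f"unknown escalation level {r.escalating_to!r}")
        return problems
    # Each escalation must carry the correspondence from the prior level.
    earlier = LEVELS[:LEVELS.index(r.escalating_to)]
    if r.registrant_likely_malicious:
        earlier = [lvl for lvl in earlier if lvl != "registrant"]
    if earlier and earlier[-1] not in r.prior_correspondence:
        problems.append(f"missing correspondence from prior level: {earlier[-1]}")
    return problems
```
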