
How to Report Phishing Emails and Websites Hosted on an IP Address

Ishan Karunaratne

Software Architect & Infrastructure Engineer

Phishing remains the most common initial attack vector for data breaches, and the window between when a phishing page goes live and when it captures its first set of credentials is often measured in minutes. The average phishing site stays active for less than 24 hours — not because hosts are fast at taking them down, but because attackers cycle through disposable domains and IPs at a rapid pace. Every hour a phishing page remains online is another set of stolen passwords, credit card numbers, or session tokens.

This is article #7 in my complete guide to reporting IP abuse. Here I focus specifically on phishing — how to identify it, gather evidence, trace it to a hosting IP, and file effective takedown requests with every relevant party.

How to Identify Phishing

Email Red Flags

Most phishing campaigns start with an email. Before you can report one, you need to confirm it is actually phishing and not just aggressive marketing. Here are the indicators I look for:

  • Spoofed sender address. The display name says "PayPal Security" but the actual From address is something like [email protected]. Always inspect the full email header, not just the display name.
  • Urgency and threats. "Your account will be suspended in 24 hours" or "Unauthorized login detected — verify immediately." Legitimate services rarely threaten immediate account closure via email.
  • Suspicious URLs. Hover over links before clicking. The anchor text might say https://www.paypal.com/verify but the actual href points to https://paypal-secure-login.sketchy-domain.com/verify.
  • Generic greetings. "Dear Customer" or "Dear User" instead of your actual name. Most services you have an account with know your name.
  • Mismatched Reply-To. The From address is one domain, but Reply-To points to a completely different one.
  • Attachment traps. HTML files disguised as invoices, PDFs with embedded links, or password-protected ZIP files containing executables.

If the email claims to be from a brand you use, go directly to that brand's website by typing the URL yourself — never click the link in the email.
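The header checks from the list above (display name against From domain, mismatched Reply-To, authentication verdicts, urgency wording) can be scripted for triage. This is an added example, not code from the original article; the sample message, its domains, and the function names are constructed for illustration.

```python
# Added example: triage phishing red flags from raw email headers.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message); every domain is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org; dkim=none; dmarc=fail header.from=mailer.example.org
From: "PayPal Security" <notice@mailer.example.org>
Reply-To: support@collector.example.com
Subject: Your account will be suspended in 24 hours

Verify immediately.
"""

URGENCY = re.compile(r"suspend|verify immediately|unauthorized login", re.I)

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts; the topmost header (added by the receiving server) wins."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found.setdefault(method.lower(), verdict.lower())
    return found

def triage(raw, brand, brand_domain):
    """Return a list of red flags for a message that claims to come from `brand`."""
    msg = message_from_string(raw)
    flags = []
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    on_brand = from_dom == brand_domain or from_dom.endswith("." + brand_domain)
    if brand.lower() in display.lower() and not on_brand:
        flags.append(f"display name claims {brand} but From domain is {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for method, verdict in sorted(auth_results(msg).items()):
        if verdict != "pass":
            flags.append(f"{method}={verdict}")
    if URGENCY.search(msg.get("Subject", "")):
        flags.append("urgent or threatening subject line")
    return flags
```

Calling `triage(SAMPLE, "PayPal", "paypal.com")` returns six flags for the constructed message; the resulting list can be pasted into the evidence section of a report.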

Website Indicators

Phishing websites are designed to look identical to the real thing. These are the technical signals that give them away:

  • Lookalike domains. Typosquatting (paypa1.com), subdomain abuse (paypal.secure-login.com), or homoglyph attacks using Unicode characters that look identical to Latin letters.
  • Recently registered domain. Most phishing domains are registered within days or hours of the campaign launch. A WHOIS lookup showing a creation date from the current week is a strong indicator.
  • SSL certificate mismatches. The site has HTTPS (which is trivial to obtain via Let's Encrypt), but the certificate is issued to a different domain or a generic hosting provider rather than the brand being impersonated.
  • URL structure anomalies. Long paths stuffed with the target brand's name (/paypal/secure/login/verify/account), random query parameters used to track victims, or base64-encoded data in the URL.
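The lookalike patterns listed above can be checked offline, from the URL string alone, without contacting the site. This is an added example rather than code from the original article; the function names are hypothetical, and the "last two labels" rule for the registrable domain is a simplifying assumption that ignores multi-part suffixes such as co.uk.

```python
# Added example: classify how a URL imitates a brand's domain (string analysis only).
from urllib.parse import urlsplit

# Digit-for-letter swaps common in typosquats (illustrative, not exhaustive).
SWAPS = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(url, brand_domain="paypal.com"):
    """Return the set of lookalike techniques the URL uses against brand_domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    brand = brand_domain.split(".")[0]
    # Assumption: registrable domain = last two labels (no public suffix list).
    if ".".join(labels[-2:]) == brand_domain:
        return set()  # genuinely on the brand's own domain
    name = labels[-2] if len(labels) >= 2 else host
    hits = set()
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        hits.add("homoglyph/IDN")
    if name != brand and (name.translate(SWAPS) == brand
                          or edit_distance(name, brand) == 1):
        hits.add("typosquat")
    if any(brand in l for l in labels[:-2]) or (brand in name and name != brand):
        hits.add("brand in subdomain or hyphenated name")
    if brand in parts.path.lower():
        hits.add("brand in path")
    return hits
```

For the article's own examples, `classify("https://paypa1.com/login")` reports a typosquat and `classify("https://paypal.secure-login.com/verify")` reports subdomain abuse.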

Finding the Hosting IP

Once you have identified a phishing site, the next step is to find where it is actually hosted. Do not visit the phishing URL directly in a browser — use command-line tools instead.

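# Find the A record for the phishing domain
dig +short phishing-domain.com A

# Check the AAAA, CNAME, and NS records individually. Many servers refuse or
# minimize ANY queries (RFC 8482). Nameservers or a CNAME that belong to
# Cloudflare or another CDN mean the A record is the CDN edge, not the origin.
dig +short phishing-domain.com AAAA
dig +short phishing-domain.com CNAME
dig +short phishing-domain.com NS

# nslookup alternative
nslookup phishing-domain.com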

You can also use the DNS Inspector to look up the domain's A, AAAA, CNAME, and NS records without touching the site directly. If the domain is using a CDN like Cloudflare, the IP you see will be the CDN's edge, not the origin server — in that case, you will need to report to the CDN provider as well.

Use the Propagation Checker to confirm the domain resolves globally. If it only resolves from certain locations, the attacker may be using geo-targeted DNS to serve the phishing page selectively.

Evidence Gathering Checklist

Hosting providers and anti-phishing organizations process thousands of reports daily. The more complete your evidence, the faster they can act. Gather all of the following before filing a report:

  • Full email headers. In Gmail, click the three dots and select "Show original." In Outlook, open the message properties. The headers contain the actual sending server's IP, authentication results (SPF, DKIM, DMARC pass/fail), and the routing path.
  • Screenshots of the phishing page. Capture the login form, any brand impersonation elements, and the URL bar showing the domain. Use a sandboxed browser or a URL screenshot service — do not enter any credentials.
  • The phishing URL. The complete URL including path and query parameters. Some phishing kits encode victim-specific tracking data in the URL.
  • Hosting IP address. Obtained via dig or the DNS Inspector as described above.
  • WHOIS data. Domain registrar, registration date, registrant information (if not privacy-protected). Run a WHOIS lookup on the phishing domain — one registered yesterday that claims to be a major bank is clearly fraudulent.
  • Domain registration date. This deserves its own bullet because it is one of the strongest indicators. Newly registered domains serving login pages for established brands are phishing until proven otherwise.
  • SSL certificate details. Who issued it, when, and for what domain. You can check this with openssl s_client -connect phishing-domain.com:443 or by clicking the lock icon in a browser.
  • Email authentication results. Did the phishing email pass SPF, DKIM, and DMARC checks? If it did, the sending infrastructure may be compromised. If it failed, the brand's DMARC policy should have caught it.

Finding the Abuse Contact

With the hosting IP in hand, you need to find who is responsible for the server. The IP Location tool is the fastest way to do this — enter the phishing site's IP address and it will return the hosting provider, ASN, geographic location, and most importantly, the abuse contact information including any specialized phishing reporting addresses.

Many large hosting providers maintain dedicated phishing contacts separate from their general abuse desk:

If the IP Location results show the server is behind a CDN, you will need to report to both the CDN provider and attempt to identify the origin hosting provider.

Phishing Takedown Request Template

When emailing the hosting provider's abuse contact, use a structured report. Abuse desks process reports faster when they follow a consistent format.

Subject: Phishing Takedown Request — [Brand Being Impersonated] — [IP Address]

To: [abuse contact / phishing contact from IP Location lookup]

REPORT TYPE: Phishing / Credential Harvesting

PHISHING URL:
[Full URL of the phishing page]

HOSTING IP ADDRESS:
[IP address from dig/DNS Inspector lookup]

DOMAIN:
[phishing-domain.com]
Registration Date: [date from WHOIS]
Registrar: [registrar name]

BRAND BEING IMPERSONATED:
[Company name and URL of the legitimate site]

DESCRIPTION:
This IP address is hosting a phishing website that impersonates [brand name].
The site presents a fake login page designed to harvest user credentials.
The domain was registered on [date], which is [X] days ago, and the site
is actively receiving traffic.

EVIDENCE:
- Screenshot of phishing page: [attached or linked]
- Full email headers of phishing email: [attached]
- SSL certificate issued to: [certificate subject]
- WHOIS registration date: [date]

REQUESTED ACTION:
Please suspend the hosting account and take down the phishing content
immediately. This site is actively harvesting credentials.

CONTACT:
[Your name]
[Your email]
[Your organization, if applicable]

Where to Report Phishing

Reporting to the hosting provider is the most direct path to a takedown, but you should also report to multiple other parties to maximize coverage. Each organization contributes to a different layer of defense.

Hosting Provider

Send your takedown request to the abuse contact found via the IP Location tool. Most reputable hosting providers will act on clear phishing reports within 4 to 24 hours.

Domain Registrar

The registrar can suspend the domain entirely, which is more effective than a hosting takedown since the attacker cannot simply point the domain to a new server. Find the registrar from the WHOIS data and submit a report through their abuse process.

Google Safe Browsing

Report the URL at https://safebrowsing.google.com/safebrowsing/report_phish/. Once confirmed, Google Safe Browsing will display a warning in Chrome, Firefox, and Safari for anyone who tries to visit the site. This is one of the most impactful reports you can file because it protects users across multiple browsers.

Microsoft SmartScreen

Report via https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest. This adds the URL to Microsoft Defender SmartScreen, which protects Edge users and integrates with Windows security.

APWG (Anti-Phishing Working Group)

Forward phishing emails to [email protected]. APWG aggregates reports from across the industry and shares them with member organizations including browser vendors, ISPs, and law enforcement. This single email address is one of the most efficient ways to get a phishing URL into multiple blocklists simultaneously.

PhishTank

Submit the URL at https://phishtank.org/. PhishTank maintains a community-verified database of phishing URLs that is used by security tools, email filters, and browser extensions.

The Brand Being Impersonated

Most major companies have dedicated phishing reporting mechanisms. Forward the phishing email to the brand's security team — common addresses include phishing@[brand].com, abuse@[brand].com, or spoof@[brand].com. Banks and financial institutions are especially responsive because they face direct liability.

Law Enforcement

For large-scale phishing campaigns or those targeting financial institutions, report to law enforcement. I cover this in detail in my guide to reporting cybercrime to law enforcement. In the US, the FBI's IC3 (ic3.gov) accepts phishing reports. In the UK, report to Action Fraud. Europol coordinates across EU member states.

Phishing Sub-Scenarios

Credential Harvesting Pages

The most common phishing type. The site presents a login form that looks identical to the target brand, captures entered credentials, and often redirects the victim to the real site afterward so they do not realize their credentials were stolen. When reporting, emphasize that the site is actively collecting credentials and include screenshots of the fake login form.

Brand Impersonation

When a phishing site copies a brand's entire visual identity — logos, color schemes, legal text — the brand's legal team can issue a takedown under trademark infringement, which some hosting providers process faster than abuse reports. If you are the brand being impersonated, consider filing a DMCA notice for the copied creative assets in parallel with the phishing report.

Spear Phishing

Targeted phishing directed at specific individuals, often using personal information gathered from LinkedIn, company websites, or previous breaches. Spear phishing is harder to report through automated systems because the URLs are often unique to each victim and may be short-lived. Prioritize reporting to the hosting provider directly and include all available evidence.

Pharming via DNS Hijacking

Some phishing attacks do not rely on fake domains at all — they compromise DNS infrastructure to redirect the legitimate domain to a phishing server. If you suspect DNS-level manipulation, check whether the domain's DNS records have been altered using the DNS Inspector and read my detailed writeup on DNS hijacking. In pharming cases, you need to report to the domain's registrar and DNS provider rather than the hosting provider.

What to Expect After Reporting

Response times vary dramatically depending on the hosting provider:

  • Major cloud providers (AWS, Google Cloud, Azure): Typically act within 4 to 12 hours for confirmed phishing. They have automated systems that can suspend accounts quickly.
  • Large hosting companies (OVH, Hetzner, DigitalOcean): Usually respond within 12 to 24 hours. Most have dedicated abuse teams that process reports during business hours.
  • Smaller hosts: Response times range from 24 to 72 hours. Staffing is limited and abuse handling may not be a dedicated function.
  • Bulletproof hosting providers: These providers intentionally ignore abuse reports and cater to malicious actors. If the phishing site is hosted on bulletproof infrastructure, your best path is reporting to upstream transit providers, browser safe browsing databases, and domain registrars. The hosting provider itself is unlikely to act.

If you do not receive a response within 48 hours, escalate by reporting to the hosting provider's upstream network provider (found via the ASN information in the IP Location tool), and ensure you have submitted to Google Safe Browsing and APWG. For spam-related phishing campaigns, my guide on reporting spam from an IP address covers additional email-specific reporting channels.

Prevention Tips

Reporting phishing is reactive. These measures reduce the likelihood that phishing succeeds against your organization in the first place:

  • Enforce DMARC with p=reject. A properly configured DMARC policy prevents attackers from sending emails that appear to come from your domain. Without DMARC enforcement, anyone can spoof your From address.
  • User security training. Regular phishing simulations and training reduce click-through rates on phishing emails. The best technical controls are useless if users paste their credentials into a fake login page.
  • Browser-based protections. Ensure Google Safe Browsing and Microsoft SmartScreen are enabled across your organization. These block known phishing URLs before users can interact with them.
  • Multi-factor authentication. MFA does not prevent credential phishing, but it prevents stolen passwords from being used to access accounts. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant because they are bound to the legitimate domain.
  • Domain monitoring. Use services that monitor for newly registered domains similar to your brand name. Check if the domain is blacklisted across DNSBL databases, and check website reputation to see if security vendors have already flagged it. Early detection of typosquatting and lookalike domains lets you file takedowns before the phishing campaign launches.
  • Email gateway filtering. Modern email security gateways analyze URLs in real time, sandbox attachments, and check against threat intelligence feeds. They catch the majority of commodity phishing before it reaches user inboxes.
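To confirm that a domain actually enforces the p=reject policy recommended in the list above, check the TXT record published at `_dmarc.<domain>`. This is an added example, not code from the original article; the function names are hypothetical and the records are constructed for a placeholder domain.

```python
# Added example: check whether a DMARC TXT record enforces p=reject.

def parse_dmarc(txt):
    """Split a DMARC record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Return a list of weaknesses; an empty list means full p=reject enforcement."""
    if not txt:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["record lacks v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: failing mail is not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    # An absent sp tag inherits p, so only an explicit weaker sp is reported.
    if tags.get("sp", "reject").lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not protected by reject")
    return findings

# Constructed records for a placeholder domain (TXT value at _dmarc.example.com).
RECORDS = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, record in RECORDS.items():
        print(label, "->", dmarc_findings(record) or "enforced")
```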

This article was researched and structured by the author with AI assistance for drafting and technical verification.

About the Author

Ishan Karunaratne

Software Architect & Infrastructure Engineer

US Army veteran with a B.S. in Information Technology, CompTIA A+, Network+, and Security+ certified. 20+ years building and securing web infrastructure.

  • B.S. Information Technology — Online Systems
  • CompTIA A+ (2009)
  • CompTIA Network+ (2009)
  • CompTIA Security+ (2009)
  • US Army Veteran — Operation Iraqi Freedom
