Where this guide comes from
We file takedowns for a living. Over the past few years, Hunto's analysts and agents have submitted thousands of takedown requests to registrars, hosting providers, CDNs, and social platforms on behalf of banks, fintechs, and e-commerce companies, part of the 1M+ threats our platform has neutralized. Some requests got a phishing site removed in under an hour. Others sat unanswered for three weeks while the campaign kept harvesting credentials.
This guide is the difference between those two outcomes. No theory. Just what we've watched work, repeatedly, and what we've watched fail.
The first hours decide the outcome
Phishing campaigns are front-loaded. The bulk of victim clicks land within the first day of a lure going out, often within hours, because attackers send the emails or SMS blasts as soon as the site is live. A takedown that completes on day four protects almost nobody.
That changes what detection has to look like. Waiting for a customer to report the site is too late. We watch certificate transparency logs and new domain registrations instead, which is why most of the phishing infrastructure we flag is under 48 hours old, and a good chunk of it hasn't sent a single lure yet. Killing a site pre-launch is the only takedown that protects everyone.
What actually gets a site removed
- A full-page screenshot showing the impersonation, with the URL visible
- WHOIS and DNS records tying the domain to the content at the time of filing
- The specific policy violated: the registrar's AUP clause, the host's ToS section, or the law
- Proof of the brand being targeted: trademark registration number or a letter of authorization
- A clear, one-line ask: suspend the domain, remove the content, or disable the account
- A working reply address that a human answers, because abuse desks do follow up
Response times by channel
| Channel | What we typically see | What speeds it up |
|---|---|---|
| Registrars | Hours to 2 weeks, wildly uneven between companies | Citing the exact AUP clause; prior relationship with the abuse desk |
| Hosting providers | Same day to 1 week | Evidence the content is live right now, not a stale screenshot |
| CDN / reverse proxies | 1 to 3 days to reveal origin or act | Filing with the CDN and the origin host in parallel |
| Free subdomain and site builders | Often under 24 hours | Using their dedicated abuse form instead of email |
| Social platforms and app stores | 1 day to 3 weeks | Verified brand accounts and trademark documentation |
| National CERTs | 1 day to 2 weeks | Concise evidence packages; CERTs escalate what they can verify quickly |
Domains come back
A takedown isn't the end of a campaign. It's a speed bump. Kit operators buy domains in bulk on cheap TLDs, and when one goes down the same kit reappears on a sibling domain, sometimes the same day, often with one character changed. We've watched a single operator burn through dozens of domains against one bank.
So we never close a case at "site down". The kit's fingerprint, the registrant pattern, and the hosting ASN all go on watch, and re-registrations get flagged at certificate issuance. If your takedown process has no memory, you're paying to fight the same site over and over.
Five mistakes that stall takedowns
- Emailing a generic support address instead of the abuse contact listed in WHOIS or RDAP
- Sending anger instead of evidence: "this site is fake, remove it" gives an abuse desk nothing to act on
- Filing with only one party when the domain, host, and CDN can each act independently
- Letting a request die silently: no follow-up at 48 hours, no escalation path to a CERT or legal notice
- Treating every case as done once the site is offline, with no watch for re-registration
Run it in-house, or don't
Can a security team do this themselves? Yes. The mechanics aren't secret, and for a company facing a few incidents a year, a well-documented internal runbook is fine.
The economics change with volume. Takedowns are a relationship business: abuse desks respond faster to filers with a track record of accurate reports, and that record takes hundreds of filings to build. If you're facing weekly impersonations, the honest math usually favors a service that already has the relationships and the re-registration watchlists. That's the job our takedown service and brand monitoring do together: spot the site early, kill it fast, and remember the operator.
Frequently asked questions
In our experience, anywhere from under an hour to about three weeks. Free subdomain platforms and responsive hosts act within a day; slow registrars and some social platforms take one to three weeks. The evidence package and the escalation follow-up matter more than the channel.
It's harder but not impossible. Phishing violates registrar and host acceptable-use policies on its own, so clear evidence of credential harvesting often suffices. Trademark documentation mainly accelerates brand-impersonation cases where the page content is more ambiguous.
Escalate. File with the hosting provider and CDN in parallel, involve the relevant national CERT, and follow up on a fixed cadence. Most "ignored" takedowns we inherit were filed once, to one party, with no follow-up.
Usually not by itself. Operators re-register look-alike domains quickly, so lasting protection comes from monitoring registration and certificate data for the operator's pattern and filing on the replacements before lures go out.
Want to see this in practice?
Book a demo and watch Hunto AI run discovery, verification, and takedown on live data.
