Is reporting a website free?

Reporting is free for individual victims and consumer cases. For brand-owner mandates that require ongoing monitoring and case management we offer paid retainers, but a single report — including a phishing URL targeting an everyday user — is always free.

Will the operator know who reported them?

No. We do not share reporter identity with the operator of the abusive site. When we contact a host or registrar we share only the evidence necessary to substantiate the abuse, and we redact reporter details unless you give explicit permission.

Public-service intake

Report a phishing, scam or malicious website.

Q: How do I report a phishing website?

Send the URL and any context to support@overload.su, message our Telegram bot @OverSupBot, or use the report form on this page. We acknowledge every submission with a case number, evaluate it within hours, and contact the host, registrar and browser safe-browsing partners for action.

Q: What information should I include?

The full URL, a short description of the harm (credential phishing, fake checkout, malware download, scam investment, etc.), and any screenshots, emails or SMS that led you to the site. The more original artefacts you can attach the faster a host or registrar can act.

Q: How long does a takedown take?

For clear phishing on compliant infrastructure, browser-level blocking is usually live within an hour and host-level removal within 24 hours. Hosting jurisdictions outside major abuse-cooperation frameworks can extend the timeline. We track each milestone separately and update the case until closure.

SiteReport is the public-facing intake of 78 OVER 37 LIMITED. Send us a suspicious URL — phishing, fake shop, fraudulent investment, malware download, impersonation — and we'll investigate, capture evidence and initiate the takedown with the host, registrar and browser safe-browsing partners.

Submit a report Or message Telegram bot →

33m fast-track block

<24h median host action

96% closure rate

0 € for victims to report

Report a website

This form opens your email client. Add screenshots before sending. You can also email support@overload.su directly.

Suspicious URL * Type of abuse Brand or person being impersonated (if any) What happened? Your email (we'll send a case number)

Submitting this form does not waive your right to also report the site to your bank, the police or your country's CERT. Please do that as well if you believe a crime has occurred.

What you can report

Every kind of abusive website you might encounter

Phishing portals

Fake login pages for banks, postal services, government portals, social platforms or wallets. The page asks you to enter credentials, a one-time code, a card number or a seed phrase, and forwards them to the operator.

Fake online shops

Sites selling discounted electronics, designer goods, medications or limited-edition items that never arrive — typically on a freshly registered domain with stolen product photography and fake review widgets.

Investment & crypto scams

Cloned trading platforms, "AI" investment dashboards, fake exchange withdrawal pages, romance-investment funnels, fraudulent ICOs and rug-pull token sites with cloned whitepapers.

Malware & drive-by download

Sites pushing fake "browser updates", cracked-software bundles, drainer wallets, info-stealers or remote-access trojans. We coordinate with browser safe-browsing partners and antivirus vendors for blocking.

Brand impersonation

Look-alike domains pretending to be a real company's customer-support page, refund portal, tax page or shipping tracker. Often paired with a smishing or social-media advert that pushes traffic to the fake site.

Defamation & extortion

Sites publishing fabricated allegations against an individual, sextortion landing pages, ransom payment portals, or "review" sites built to extort a removal fee from the listed business.

SiteReport intake summary showing a reported domain flagged as Phishing and Malicious with security headers missing and six security violations recorded. — Sample of the case-card a reporter sees after submission: domain category (Phishing), risk verdict (Malicious), security-header gaps and certificate audit — captured at the moment of report and immutably stored.

What the operator's victims see after we act

Within the first hour we usually have browser-level safe-browsing partners showing this warning to anyone who clicks the abuser's smishing or social-ad bait.

Mobile browser warning screen reading 'Suspected Malware — this website has been reported for potentially distributing malware'. — Mobile · Suspected Malware

Mobile browser 'Suspected Phishing' warning displayed for a reported domain, with Cloudflare verifying the visitor in the foreground. — Mobile · Suspected Phishing

Mobile browser 'Suspected Malware' warning shown for a reported short domain, with Cloudflare verification banner. — Mobile · Suspected Malware

How it works

From the moment you submit to the moment the site is gone

You submit the URL

By form, email or Telegram bot. Attach any screenshots, the original SMS or email, and the brand or person being impersonated. You'll receive an automatic acknowledgement and a case number.

We triage within hours

An analyst confirms the abuse vector, identifies the host, registrar, certificate issuer and (where applicable) the payment processor. Critical phishing is fast-tracked into the safe-browsing block channels first.

Evidence is captured

Time-anchored screenshots, source HTML, redirection chains, DNS, WHOIS and certificate transparency are hashed and stored in immutable archives so the case is admissible if it ever needs to escalate.

Outreach is parallel, not sequential

We contact the host, the registrar, the registry, browser safe-browsing partners and (when relevant) ad networks at the same time. Speed matters: a campaign that lives an extra two hours can claim hundreds more victims.

We monitor for re-emergence

Most operators have rehost infrastructure ready. We track new hosting, new domains and new IP ranges, and re-engage abuse channels until the campaign is no longer economical.

We close the case and report back

If you provided an email when reporting, we send a closure note: when the site went dark, where it tried to rehost, and what to watch for if you see a similar pattern again.

Why use SiteReport

Reporting to a registrar is hard. SiteReport does the hard part.

One channel, every host

You don't need to figure out who hosts the site, which registrar to write to, or how to draft an abuse complaint that actually triggers action. We've done it tens of thousands of times. We know which abuse desks need a screenshot vs source HTML vs a notarised affidavit, and we send the right pack first time.

Forensic evidence, not just a screenshot

We hash, time-anchor and chain-of-custody every artefact. If the case ever has to escalate to law enforcement, a UDRP-adjacent dispute or a defamation claim, you don't lose the evidence to a deletion or a CDN cache flush.

Reporter privacy preserved

We do not pass reporter identity to the operator of the abusive site. Hosts and registrars receive only the evidence they need to act. Your email is used only to send a case number and a closure note unless you explicitly ask for more contact.

Brand-defense team behind it

SiteReport is operated by the same team behind Overload.su's domain-takedown practice — a paid B2B service for major brands. The intake here is the consumer-facing entry point with the same closure standard.

Security risk report card flagging a reported website as a Scam Website with multiple vendors marking it Malicious, Malware, Phishing or Warned. — What our evidence pack looks like to the third-party platforms we engage with: a multi-vendor security-risk view that turns one report into a defensible takedown across the entire ecosystem.

FAQ

Frequently asked questions about reporting websites

How do I report a phishing website?

Use the report form on this page, email support@overload.su, or message @OverSupBot on Telegram. Include the full URL, screenshots if you have them, the original SMS or email that pointed you at the site, and the brand or person being impersonated. We acknowledge every submission with a case number and triage within hours.

Is it free to report a website?

Yes — for individual victims and one-off consumer reports it is always free. We absorb the cost as part of our public-service intake, and recover it on the brand-owner side through retainers and case management. If you are a brand owner with ongoing monitoring needs we'll quote a retainer separately.

What information should I include in a report?

At a minimum: the full URL (don't trim parameters; they can identify the campaign). Ideally: a screenshot of the page, the email or SMS that referred you to the site, and the brand the operator is impersonating. If money has been lost or credentials entered, also report this to your bank, your country's CERT and your local police; we'll cooperate with their investigators on request.

How long does a takedown take?

For clear phishing on compliant hosts, browser-level blocking via safe-browsing partners typically lands within 33 minutes; full host-level removal within 24 hours. Less responsive hosts and offshore registrars can extend the timeline to several days. Some campaigns operate from non-cooperating jurisdictions; in those cases we focus on browser blocking, payment-processor disruption and ad-network removal as the practical end-game.

Will the operator find out who reported them?

No. We do not share reporter identity with the abusive operator. We share only the evidence required by the host or registrar to act, and we redact reporter details by default unless you tell us we may include them.

I think the URL was sent to me by SMS. Can you take that down too?

The site itself, yes. The SMS sender, partly: we coordinate with mobile-operator abuse desks and the URL-shortener provider in the message, but SMS-level blocking ultimately depends on the carrier. If you can forward the original SMS (with header information), we will include it in the case file.

Can I report a website that is defaming me personally?

Yes. Defamation cases need slightly different evidence: the page content, the date of publication, why the statements are false and (where relevant) any proof of harm. We will tell you which evidence we still need after intake.

How do I report a phishing website to Google directly?

You can submit phishing pages directly to Google Safe Browsing at safebrowsing.google.com. We file Google Safe Browsing reports as part of our standard workflow, but reporting a critical phishing page to multiple channels in parallel never hurts.