Common Scenarios and Paths for Domains in Takedowns

A look at the common ways that a domain is taken offline for engaging in DNS abuse.

Last updated: November 19, 2025

Introduction

Takedowns are a common part of the internet. Companies and individuals regularly seek to have harmful or unauthorized content removed, but the process is rarely straightforward. For a victim, the goal is binary: is the offending content gone or not? As practitioners, we know the answer is incredibly nuanced.

While the outcome is black-and-white, getting there requires navigating a grey area of jurisdictions, policies, and technical details. The right path depends on the type of abuse and the entities involved.

(This article is part of PhishFort's The Nuance of Takedowns series.)

The Key Players in a Domain Takedown

At the heart of most takedown requests is a domain name, which is the string of text that directs users to the offending content. Behind every domain, a hierarchy of organizations sets and enforces the rules:

  • ICANN: A non-profit organization that oversees the domain name system and sets baseline policies for most domains.
  • The Registry: The entity that manages a specific top-level domain (TLD), like Verisign for .com or a national authority like CIRA for Canada's .ca.
  • The Registrar: The customer-facing company where the domain was purchased, such as GoDaddy or Squarespace.

For most generic TLDs (like .com or .org), these players are bound by ICANN contracts that require them to provide mechanisms for mitigating DNS abuse and handling trademark disputes through the Uniform Domain Name Dispute Resolution Policy (UDRP).

However, three key factors complicate this process:

  1. Policy Interpretation: The registrar, registry, and ICANN may interpret their obligations differently, leading to inconsistent enforcement.
  2. Jurisdiction: Country-code TLDs (ccTLDs, like .de or .jp) are not bound by ICANN agreements. They operate under their own national policies, which may offer little recourse for abuse.
  3. UDRP Is Not a Silver Bullet: The UDRP process is expensive, can be slow, and requires you to prove the domain was registered in "bad-faith". That means the complainant must show evidence that the registrant had a goal such as harming the business, reselling the domain, causing confusion, or outright blocking the trademark holder. This can be a high bar, depending on the evidence submitted.

The main takeaway is that while a framework for takedowns exists, consistent outcomes aren't guaranteed, especially with ccTLDs. For this article, we'll assume the goal is a full domain suspension, known as a "clientHold" (by the registrar) or "serverHold" (by the registry).

Common Takedown Scenarios: A Path of Escalation

The correct takedown strategy is dictated by what the offending domain is actually doing. Here are three common scenarios involving trademark infringement, each with a different path to resolution.

Scenario 1: Trademark Squatting (No Malicious Content)

An unknown actor registers a domain containing your trademark. The domain has no website or content, leaving you to worry about its future use for phishing or fraud.

Unfortunately, without proof of malicious activity, registrars and registries will not act. They view this as a potential trademark dispute, not DNS abuse, and will not adjudicate it. From their perspective, the registrant could be a cybersquatter hoping for a payday or someone completely unaware of your brand.

Your Options:

  • Attempt to purchase the domain from the current owner: This option is not for everyone. Companies that are frequently targeted with typosquatting or phishing attacks will not have the money available to purchase every single domain permutation of their name. Further, buying the domain off the squatter validates their behavior. However, this is the best path for a trademark holder wanting to ensure that the domain is absolutely not used to tarnish their brand in any capacity.
  • Actively monitor the domain for any changes that indicate malicious use: This path carries the risk that the registrant uses the domain maliciously first and you react second, but there is always the possibility that the domain is not used for malicious reasons at all. The key with this approach is to use a service, like PhishFort, to quickly detect and report the domain for immediate takedown once the domain is found to be abusive.
  • File a UDRP complaint, though success is unlikely without evidence of "bad-faith": If a domain is simply registered but never hosts content or sends an email, what is the evidence of "bad-faith"? Perhaps the registrant had no idea your brand even existed. Obviously, this may be different if you are a globally recognized brand versus a small startup. However, this still does not overcome the time and cost component of this option.

Each option comes with pros and cons. A trademark holder needs to review the risk, cost, and reward of taking action against such domains.

Scenario 2: Brand Impersonation (No Phishing)

The domain now hosts a perfect copy of your website or online store, but it doesn't appear to be collecting credentials, payment details, or personally identifiable information (PII).

While you now have clear evidence of “bad-faith” use, registrars and registries will likely still refuse to suspend the domain. They classify this as a "content issue" rather than technical abuse of the domain system. Intervening in content disputes is a slippery slope they avoid, as it positions them as "internet police."

Your Options:

  • File a UDRP complaint, which now has a much higher chance of success with this evidence.
  • Investigate further to find hidden forms or scripts that are collecting PII, which would escalate the issue to clear DNS abuse.
  • Run a public campaign to warn your customers about the impersonating site.

Scenario 3: Active Phishing or Fraud

The domain infringes on your trademark and hosts a site actively trying to steal PII, login credentials, or payment information.

This is the most straightforward scenario for a takedown. The activity has crossed the line from a content dispute into clear, actionable DNS abuse. Providing the registrar or registry with evidence, such as screenshots or a screen recording of the phishing attempt, will almost always result in a swift suspension. However, it's important to keep monitoring the domain, as bad actors can sometimes get a suspension lifted by temporarily removing the malicious content.
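One way to automate the monitoring described in Scenario 1 and after a Scenario 3 suspension, as an added example that is not part of the original article: it compares two RDAP lookups of the same domain and flags a lifted or newly applied hold and any nameserver change. The domain names and JSON snapshots are constructed; RDAP reports the EPP clientHold and serverHold codes as "client hold" and "server hold" (RFC 8056).

```python
import json

# RDAP status strings (RFC 8056) and their EPP/WHOIS spellings,
# mapped to the party that set the hold.
HOLD_BY = {"client hold": "registrar", "clienthold": "registrar",
           "server hold": "registry", "serverhold": "registry"}

def hold_state(rdap_doc):
    """Return the set of parties currently holding the domain (empty = it resolves)."""
    statuses = [s.lower().strip() for s in rdap_doc.get("status", [])]
    return {HOLD_BY[s] for s in statuses if s in HOLD_BY}

def nameservers(rdap_doc):
    """Normalised nameserver list, so case or a trailing dot is not seen as a change."""
    return sorted(ns.get("ldhName", "").lower().rstrip(".")
                  for ns in rdap_doc.get("nameservers", []))

def diff_snapshots(old, new):
    """Compare two RDAP domain objects and list changes that warrant a fresh look."""
    alerts = []
    before, after = hold_state(old), hold_state(new)
    for party in sorted(before - after):
        alerts.append(f"hold lifted by {party}")    # suspension reversed: re-check content
    for party in sorted(after - before):
        alerts.append(f"hold applied by {party}")   # takedown took effect
    if nameservers(old) != nameservers(new):
        alerts.append("nameservers changed")        # parked domain may now be hosted
    return alerts

# Constructed RDAP domain objects, trimmed to the fields used here.
SUSPENDED = json.loads("""{
  "ldhName": "brand-login.example",
  "status": ["client hold", "client transfer prohibited"],
  "nameservers": [{"ldhName": "ns1.parking.example"}]
}""")
REINSTATED = json.loads("""{
  "ldhName": "brand-login.example",
  "status": ["active"],
  "nameservers": [{"ldhName": "NS1.HOSTING.EXAMPLE."}]
}""")

if __name__ == "__main__":
    for alert in diff_snapshots(SUSPENDED, REINSTATED):
        print(f"{REINSTATED['ldhName']}: {alert}")
```

Run on a schedule against stored snapshots, a "hold lifted" alert is the cue to re-capture evidence and re-report if the abusive content has returned.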

Beyond Trademark Abuse: Other Takedown Paths

Not all takedowns are related to trademark infringement. Different types of abuse require different strategies.

If a site is using your copyrighted work (like text, images, or software) but not necessarily your trademark in the domain name, the best path is often a DMCA takedown notice. This notice is sent to the hosting provider, not the domain registrar. The DMCA is a powerful tool for content removal in jurisdictions that recognize it, but it won't result in the suspension of the domain itself.

Phishing Without Trademark Infringement

A domain doesn't need to contain a trademark to be used for phishing. Scammers often register generic-sounding domains like account-services-login.com or secure-payment-portal.net to trick users.

In these cases, the trademark is irrelevant. The malicious action of phishing is all that matters. These domains can be reported directly to the registrar and registry for DNS abuse, just like in Scenario 3, because the harm is in how the domain is being used.

Conclusion

The key to a successful takedown is understanding that the strategy must match the specific harm being done. There is no single playbook. Is it a trademark issue best suited for a legal UDRP process, a content problem for the hosting provider, or clear technical abuse for the domain registrar? By correctly identifying the type of violation and the right entity to contact, you can navigate the nuances of the system and more effectively protect your brand online.
