How to Report a Scam Website

Published: 22 March 20267 min readBy ScanTotal Security Team
Last reviewed: 4 May 2026 by Kumari Rajapaksha, Founder, ScanTotal

Last year I found a fake site pretending to be Kmart Australia: same logo, same layout, and Boxing Day sale prices that were suspiciously good. I scanned the URL through our tool and it flagged immediately. But what surprised me was how many people I spoke to afterwards who said "I would've just closed the tab and moved on." They wouldn't have reported it. And that's the problem, because every hour that site stays live is another hour someone's mum or grandad could be handing over their credit card details.

Reporting takes a few minutes but can protect thousands of people. Here's exactly where and how to do it for maximum impact.

Step 1: Report to Google Safe Browsing

This is the single most impactful report you can make. Google Safe Browsing protects users across Chrome, Firefox, Safari, and Android. When a site is flagged, billions of users see a red warning page before they can access it.

Go to safebrowsing.google.com/safebrowsing/report_phish/ and submit the scam URL. Google reviews reports and can apply warnings within hours. This alone can prevent thousands of people from falling victim to the same site.

Step 2: Report to Your Browser

If you encountered the scam in your browser, report it directly. In Chrome, click the three dots menu > Help > Report an issue. In Firefox, click the menu > Help > Report Deceptive Site. In Safari, go to Safari menu > Report Fraudulent Website. In Microsoft Edge, click the three dots > Help and Feedback > Report Unsafe Site. These reports feed into each browser's own protection databases.

Step 3: Report to Government Agencies

Government agencies collect scam reports to build cases and issue public warnings. In Australia, report to Scamwatch at scamwatch.gov.au, they're run by the ACCC and are the primary national reporting body. You can also report to ReportCyber (cyber.gov.au) for cybercrime. In the United States, report to the FTC at reportfraud.ftc.gov and the FBI's IC3 at ic3.gov. In the United Kingdom, use Action Fraud at actionfraud.police.uk. In Canada, use the Canadian Anti-Fraud Centre.

Even if individual reports don't lead to immediate takedowns, they help authorities identify patterns, track scam networks, and prioritise enforcement actions.

This is what frustrates me most about online scams, so many people assume reporting is pointless because "nothing ever happens." That's simply not true. Google Safe Browsing warnings alone protect billions of browser users, and the ACCC's Scamwatch data directly shapes where enforcement resources go. Your report isn't disappearing into a void; it's genuinely making scam operations harder and more expensive to run. Every single report matters.

🔍 Verify the site first

Before reporting, confirm the site is actually malicious. Our URL scanner checks against multiple security databases and gives you a detailed safety report to include with your report.

Scan a URL, Free

Step 4: Report to the Hosting Provider

Every website runs on a hosting provider's servers. If the hosting provider is notified that a site on their servers is fraudulent, they can take it offline. To find the hosting provider, do a WHOIS lookup on the domain (search "WHOIS lookup" on Google and use any free tool). Look for the hosting company or nameservers listed in the results. Most hosting providers have an abuse contact email, typically abuse@hostingcompany.com. Send them the scam URL along with a clear explanation of why the site is fraudulent and any evidence you have. It takes five minutes. Do it.

Step 5: Report to the Domain Registrar

The domain registrar is the company where the scam domain was registered. Like hosting providers, registrars have abuse policies and can suspend fraudulent domains. The WHOIS lookup will also show the registrar. Look for their abuse contact and submit a report. ICANN (the organization overseeing domain names) also accepts complaints at icann.org/compliance/complaint.

Step 6: Report to the Impersonated Company

If the scam site impersonates a real company (a fake bank login, fake Amazon store, etc.), report it to that company. Most large companies have dedicated phishing or abuse reporting channels. For example, PayPal has spoof@paypal.com, Amazon has stop-spoofing@amazon.com, and most banks have a fraud reporting page on their website. These companies have legal teams that actively pursue takedowns of sites impersonating them.

Step 7: Report to Social Media (If Applicable)

If you found the scam through a social media ad or post, report it on that platform. On Facebook and Instagram, click the three dots on the ad or post and select "Report." On X (Twitter), click Report and select "Misleading" or "Scam." On TikTok, long-press the content and select Report. This can get the ad removed and potentially get the scammer's advertising account banned.

What Evidence to Collect

Before reporting, gather as much evidence as possible. Save screenshots of the scam website including the URL bar. Copy the full URL. Save any emails or messages that led you to the site. Keep transaction receipts if you made a purchase. Note timestamps and any contact details the scammer used. Save this evidence before the site potentially goes offline, scam sites often disappear and reappear under new domains.

Frequently Asked Questions

How long does it take to get a scam site taken down?

Google Safe Browsing warnings can appear within hours. Hosting providers take 24-72 hours. Domain takedowns can take days to weeks. More reports from different people speeds the process.

Does reporting actually help?

Yes. Google Safe Browsing reports directly protect users with warnings. Hosting and registrar reports can take sites offline. Law enforcement reports help build cases. Each report makes scam operations more costly.

Can I report a scam anonymously?

Most channels accept anonymous reports including Google Safe Browsing, browser reporting, and many government agencies. Contact information is for follow-up, not published publicly.

What evidence should I save?

Screenshots of the site (including the URL bar), the full URL, emails/messages that led to the site, transaction receipts, scammer contact details, and timestamps. Save evidence before the site goes offline.

What I'd Tell You to Do Right Now

If you've got a scam site open in your browser right now, grab a screenshot, copy the URL, run it through our scanner, and report it to Google Safe Browsing first, that's the one that protects the most people the fastest. Then hit up Scamwatch (or your country's equivalent) and the hosting provider if you can find them. I reported that fake Kmart site to three different places and it was showing a Google warning within two days. Ten minutes of effort, thousands of people protected. That's a pretty good return.

Report Scams Scam Websites Phishing Consumer Protection Online Safety

Before you report it, scan the URL to gather evidence.

Our free scanner verifies URLs against security databases, useful for your report.

Scan the Scam URL

Sources & Further Reading

Related Articles

What Is Phishing?
Most scam websites are phishing operations.
How to Check If a Link Is Safe
Verify a site is a scam before reporting it.
Top Online Scams in 2026
Understand the most common types of scam websites.