All Collections
Integrated takedown
How to mark a lookalike for takedown - and what happens next
How to mark a lookalike for takedown - and what happens next
Stéphane Puthod avatar
Written by Stéphane Puthod
Updated over a week ago

How to mark lookalike(s) for takedown

Solution 1: (Bulk approach)

Tick the Lookalikes and select the "Mark as high risk and add to OnINBOX threat list" from the Actions dropdown.

Lookalikes are then moved to HIGH RISK. OnDOMAIN will continue monitoring them until you decide to either "Mark as low risk" or simply "Delete" them if they are no longer posing a threat to your organisation.

However, if OnDOMAIN has provided you with reasons to believe a lookalike domain has been spun up, navigate to the HIGH RISK tab, select the lookalike you wish to disarm, and click "Mark for Takedown". It will then also appear in the TAKEDOWNS tab.

Solution 2: (Individual approach)

Click on the vertical ellipsis and select "Mark for takedown". This domain will then be moved to the TAKEDOWNS tab. The lookalike will also appear in HIGH RISK where OnDOMAIN will continue monitoring it for suspicious activities.

Important Note:

  • Each takedown request is reviewed independently.

  • You can only mark one lookalike for takedown at a time.

So, what happens next?

Lookalike(s) will appear in the TAKEDOWNS tab with the status: "Not started". At this stage, no action is taken by Red Sift. This is a list of your lookalike(s) that you intend to potentially action.

In order to start the takedown process and view related details, click on the lookalike from the table above.

This is what you will see in the Takedown Details section:

ID: Unique ID number for the Takedown generated automatically from the platform.

Status: What stage the Takedown is at.

Classification: Type of Takedown Fraud.

Takedown registered: Date when the Takedown started.

Takedown complete: Date when the Takedown was completed.

Last updated at: Shows the latest time the takedown was updated.

Important Note:

The Additional evidence section below is used when you have additional evidence to submit, such as a phishing email sent by the lookalike domain. This evidence can be shared as part of the takedown process to effect takedown more quickly. It might also have been requested by the Takedown provider.

Once you have submitted optional evidence and wish to proceed with taking down a domain, follow these simple steps:

  1. Click on the "APPLY FOR TAKEDOWN" button

  2. Read and accept the Terms and Conditions

  3. Click on "APPLY TAKEDOWN"

By following these steps, the Customer confirms the intention of paying the invoice.

The Status will automatically change from Not Started to In review (See Below).

Evidence is collected in the background by OnDOMAIN and sent automatically to be reviewed.

Once the analysis of the Evidence is completed, a new Status and Classification will appear on the Lookalike Takedown Details window to let you know the next course of action to take.

Here are the different statuses and what they mean:

Note: The Fraud classification is determined after review.

Not started: No Action taken yet.

In review: Evidence is being looked at.

In progress: No further news at this point.

Ready (Fraud): The Lookalike is Ready to be Taken down.

Evidence Required: The Customer is required to upload more Evidence to back up the claim.

Closed - Successful: The Lookalike was Taken down and completed successfully.

Closed - Failed: The Lookalike takedown failed to succeed.

Did this answer your question?