How to mark a lookalike for takedown

Solution 1: (Bulk approach)

Tick the Lookalikes and select the "Block & Mark as threat" from the Actions dropdown.

Lookalikes are then moved to THREATS. OnDOMAIN will continue monitoring them until you decide to either "Mark as Safe" or simply "Delete" them if they are no longer posing a threat to your organization.

However, if OnDOMAIN has provided you with reasons to believe a lookalike domain has been spun up, navigate to the THREATS tab, select the lookalike you wish to disarm, and click "Mark for Takedown". It will then also appear in the TAKEDOWNS tab.

Solution 2: (Individual approach)

Click on the vertical ellipsis and select "Mark for takedown". This domain will then be moved to the TAKEDOWNS tab. The lookalike will also appear in THREATS where OnDOMAIN will continue monitoring it for suspicious activities.

Important Note:

  • Each takedown request is reviewed independently.

  • You can only mark one domain for takedown at a time.

So, what happens next?

Lookalike(s) will appear in the TAKEDOWNS tab with the status: "Not started". At this stage, no action is taken by Red Sift. This is a list of your lookalike(s) that you intend to potentially action.

In order to start the takedown process and view related details, click on the lookalike from the table above.

This is what you will see in the Takedown Details section:

ID: Unique ID number for the Takedown generated automatically from the platform.

Status: What stage the Takedown is at.

Classification: Type of Takedown (Fraud or Brand).

Takedown registered: Date when the Takedown started.

Takedown complete: Date when the Takedown was completed.

Last updated at: Shows the latest time the takedown was updated.

Important Note:

The Additional evidence section below is used when you have additional evidence to submit, such as a phishing email sent by the lookalike domain. This evidence can be shared as part of the takedown process to effect takedown more quickly. It might also have been requested by the Takedown provider.

Once you have submitted optional evidence and wish to proceed with takingdown a domain, follow these simple steps:

  1. Click on the "APPLY FOR TAKEDOWN" button

  2. Read and accept the Terms and Conditions

  3. Click on "APPLY TAKEDOWN"

By following these steps, the Customer confirms the intention of paying the invoice.

The Status will automatically change from Not Started to In review (See Below).

Evidence is collected in the background by OnDOMAIN and sent automatically to be reviewed.

Once the analysis of the Evidence is completed, a new Status and Classification will appear on the Lookalike Takedown Details window to let you know the next course of action to take.

Here are the different statuses and what they mean:

Note: The Fraud or Brand classification is determined after review.

Not started: No Action taken yet.

In review: Evidence is being looked at.

In progress: No further news at this point.

Ready (Fraud): The Lookalike is Ready to be Taken down as it is fraudulent.

Ready (Brand): The Lookalike is Ready to be Taken down as it is brand abuse.

Evidence Required: The Customer is required to upload more Evidence to back up the claim.

Referred To Customer Success: The Customer Success Team will engage with the Customer directly on the next course of action.

Closed - Successful: The Lookalike was Taken down and completed successfully.

Closed - Failed: The Lookalike takedown failed to succeed.

Did this answer your question?