What to Do When Someone Impersonates Your Business Online

By DoppelDown Team

Someone is pretending to be your business online. Maybe they cloned your website. Maybe they created a fake social media account with your logo. Maybe they are sending emails that look like they came from you. Whatever the form, brand impersonation is an attack on your reputation, your customers, and your revenue.

Your response in the first 24 hours matters. Move quickly and methodically, and you can often shut down impersonators before they do serious damage. Move slowly or miss a step, and the attack can spread, confuse your customers, and cause lasting harm.

This guide is your emergency response playbook. Follow these steps in order to contain the threat, gather evidence, initiate takedowns, protect your customers, and prevent future attacks.

Phase 1: Immediate Assessment (First Hour)

Before you start firing off takedown requests, you need to understand the scope of the attack. Panic leads to mistakes, and mistakes waste precious time.

Step 1: Document the Impersonation

Open an incident folder on your computer or cloud storage. Name it clearly with the date and nature of the attack (e.g., "2026-02-03 Website Impersonation Incident").

Capture everything:

  • Full-page screenshots of the impersonating website or profile
  • The exact URL or username being used
  • Any emails, messages, or ads promoting the fake presence
  • WHOIS data for fake domains (use who.is or lookup.icann.org)
  • IP addresses (ping the domain or use online lookup tools)
  • Date and time you discovered the impersonation
  • How you discovered it (customer report, monitoring tool, etc.)

Use tools like the Wayback Machine to see if the fake site has been active for a while. Check for variations — attackers often register multiple similar domains at once.

Step 2: Assess the Threat Level

Not all impersonation is equally dangerous. Rate the threat to prioritise your response:

Critical (Immediate action required):

  • Active phishing (collecting credentials or payments)
  • Customer data being harvested
  • Financial transactions being processed
  • Malware being distributed
  • Active promotion through ads or large-scale email campaigns

High (Same-day action required):

  • Convincing website clone without active phishing yet
  • Fake social media accounts with significant followers
  • Impersonation targeting your customers directly

Medium (Action within 24-48 hours):

  • Parked domains or placeholder pages
  • Low-engagement fake social accounts
  • Typosquats not yet actively used

Step 3: Check for Related Attacks

Attackers rarely stop at one domain or account. Search for:

  • Similar domain variations (try common typos, different TLDs, hyphenated versions)
  • Related social media accounts (search your brand name on all major platforms)
  • Lookalike accounts on LinkedIn pretending to be your employees
  • Fake mobile apps in app stores
  • Domain registrations with common suffixes like "-official", "-support", "-help"

Phase 2: Immediate Containment (Hours 1-4)

Now that you know what you are dealing with, it is time to start shutting it down.

Step 4: Report to Browser Safe Browsing

This is the fastest way to protect users. When a site is flagged by Google Safe Browsing or Microsoft SmartScreen, browsers will display warning pages before users can access the malicious site.

  • Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/
  • Microsoft SmartScreen: microsoft.com/wdsi/support/report-unsafe-site

Reports typically take effect within 2-4 hours. This does not take down the site, but it neutralises the threat by warning visitors.

Step 5: Contact the Domain Registrar

Domain registrars are legally obligated to investigate abuse reports. Find the registrar through a WHOIS lookup, then locate their abuse reporting process (usually at [registrar].com/abuse or in their support center).

Your abuse report should include:

  • Your business name and trademark registration numbers (if applicable)
  • The infringing domain name
  • Clear explanation of the impersonation or phishing activity
  • Screenshots showing the violation
  • Your contact information
  • A formal request for suspension under their Acceptable Use Policy

For phishing and trademark infringement, most registrars will suspend domains within 24-48 hours of a valid abuse report.

Step 6: Contact the Hosting Provider

If registrar action is slow or you want parallel tracks, go directly to the hosting provider. Use tools like SecurityTrails, IPinfo, or BuiltWith to identify who hosts the fake site.

Major hosting provider abuse contacts:

  • Cloudflare: cloudflare.com/abuse
  • Amazon AWS: aws.amazon.com/premiumsupport/knowledge-center/report-abuse/
  • Google Cloud: support.google.com/code/contact/cloud_platform_report
  • GoDaddy: godaddy.com/help/report-abuse-27154
  • Namecheap: namecheap.com/support/knowledgebase/article.aspx/9196/5/how-to-report-abuse
  • DigitalOcean: digitalocean.com/legal

Step 7: File DMCA or Trademark Complaints

If the impersonation uses your copyrighted content (logo images, website text, product photos), file a DMCA takedown notice. If it uses your trademarked name or logo, file a trademark complaint.

For DMCA:

  • Most hosting providers and platforms have DMCA forms
  • Include the exact URLs of infringing content
  • State that you have a good faith belief the use is not authorised
  • Include your contact information and electronic signature

For trademark infringement:

  • Most platforms have brand protection/trademark report forms
  • Provide your trademark registration numbers
  • Explain how the use creates confusion with your brand

Step 8: Report Social Media Impersonation

If the impersonation extends to social platforms, report through each platform's brand protection channels:

  • Facebook/Instagram: facebook.com/help/contact/357439354283890 (for business impersonation)
  • LinkedIn: linkedin.com/help/linkedin/ask/TS-RPP
  • X/Twitter: help.twitter.com/forms/impersonation
  • TikTok: tiktok.com/legal/report/feedback
  • YouTube: support.google.com/youtube/answer/2801947

Phase 3: Customer Protection (Hours 4-24)

While takedown efforts are underway, protect the customers who might encounter the impersonation.

Step 9: Issue a Customer Alert

Transparency builds trust. Proactively communicate the threat:

  • Send an email to your customer list describing the impersonation
  • Post warnings on your official social media accounts
  • Add a banner to your website if the threat is significant
  • Update your support team so they can answer customer questions

Your alert should include:

  • Description of the impersonation (fake website URL, social accounts, etc.)
  • Your official website and social media handles
  • How customers can verify legitimate communications from you
  • What to do if they interacted with the fake site (change passwords, contact banks, etc.)
  • Your official customer service contact for questions

Step 10: Activate Your Incident Response Team

If you have a team, brief them immediately:

  • Customer support: Prepare responses for inquiries about the fake site
  • Social media team: Monitor for mentions and respond to confused customers
  • Legal: Prepare for potential escalations or customer claims
  • IT/Security: Check if any internal systems were compromised (if the impersonation involved stolen content)
  • Leadership: Keep executives informed of status and potential business impact

Step 11: Report to Relevant Authorities

Depending on the severity, report to appropriate authorities:

  • United States: FBI IC3 (ic3.gov) for significant fraud; FTC (reportfraud.ftc.gov) for consumer protection
  • United Kingdom: Action Fraud (actionfraud.police.uk)
  • Australia: ReportCyber (cyber.gov.au/acsc/report)
  • EU: National cybercrime units via Europol links

Include all the evidence you collected in Phase 1. Law enforcement moves slowly, but a report creates a record if the issue escalates.

Phase 4: Recovery and Hardening (Day 2-7)

Once the immediate threat is contained, focus on preventing recurrence.

Step 12: Verify Complete Takedown

Confirm the impersonation is fully removed:

  • Check that the domain returns an error or parked page
  • Verify social media accounts are suspended
  • Confirm fake apps are removed from app stores
  • Check for any new variations the attacker might have registered
  • Monitor for DNS changes that might indicate the attacker is moving hosts

Step 13: Conduct a Post-Incident Review

Document what happened and how you responded:

  • Timeline of the attack and your response
  • How the impersonation was discovered
  • Which takedown methods were most effective
  • Any customer impact (complaints, reported fraud, refund requests)
  • Lessons learned and process improvements

Step 14: Implement Proactive Monitoring

The best response to impersonation is preventing it from happening again. You need continuous monitoring that alerts you to lookalike domains and accounts before they are used against you.

DoppelDown provides automated domain monitoring that detects:

  • Typosquats and character-swapped domains
  • Homoglyph attacks using lookalike Unicode characters
  • Combosquats with appended words like "-support" or "-official"
  • New TLD variations of your brand
  • Active website content on suspicious domains

With DoppelDown, you will know about impersonation attempts within hours of domain registration — often before the attacker has even built the fake site. Real-time alerts, risk scoring, and automated evidence collection mean you can initiate takedowns faster than ever before.
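
The variation types searched for in Step 3 and listed in Step 14 can be checked mechanically against a feed of newly observed domains. The Python example below is added for illustration and is not DoppelDown's code; the brand `acmepay`, its official domain, and the sample domains are constructed, the confusables map is a small subset, and inputs are assumed to be registrable domains (label plus TLD).

```python
import unicodedata

BRAND, OFFICIAL = "acmepay", {"acmepay.com"}  # hypothetical brand and official domain
MAX_EDITS = 1  # typo threshold; consider 2 for long brand names
# Illustrative subset (Cyrillic a/e/o/p/c/y, dotless i, digits), not the full Unicode list.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0131": "i", "0": "o", "1": "l"}

def skeleton(label):
    """Fold lookalike characters and accents to ASCII so homoglyph labels compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    return unicodedata.normalize("NFKD", folded).encode("ascii", "ignore").decode()

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    d = [[i + j if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify(domain):
    """Return the impersonation category for a registrable domain, or None if unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL:
        return "official"
    label = domain.split(".")[0]
    if label.startswith("xn--"):  # IDN labels appear punycode-encoded in DNS and CT data
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    folded = skeleton(label)
    if label == BRAND:
        return "tld-variation"
    if folded == BRAND:
        return "homoglyph"
    if BRAND in folded:
        return "combosquat"
    return "typosquat" if osa_distance(folded, BRAND) <= MAX_EDITS else None

# Constructed sample of newly observed domains (not real indicators).
OBSERVED = ["acmepay.com", "acmepay.net", "acmepay-support.com", "acmepya.com",
            "xn--" + "\u0430cmepay".encode("punycode").decode() + ".com", "gardenshop.org"]

if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{classify(name) or 'unrelated':14} {name}")
```

Anything the classifier flags still needs the Phase 1 assessment: a match says the name resembles the brand, not that the domain is being used maliciously.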

When to Consider Legal Action

Most brand impersonation can be resolved through takedown requests, but some situations warrant legal action:

  • Significant financial losses: If customers lost money or you suffered measurable revenue impact
  • Repeat offenders: When the same attacker keeps registering new domains
  • Registrar non-compliance: If registrars refuse to act on valid abuse reports
  • Data breaches: If customer data was stolen through the impersonation
  • Defamation: If the fake site damages your reputation beyond standard impersonation

Legal options include:

  • Cease and desist letters: Often sufficient for clear-cut cases
  • UDRP proceedings: For domain name disputes under ICANN rules (costs $1,500-5,000)
  • Court injunctions: To force immediate takedown
  • Civil litigation: To recover damages in severe cases

Consult an intellectual property attorney familiar with internet law. Many offer flat-fee packages for standard takedown situations.

Building Your Brand Protection Playbook

Do not wait for the next incident. Create a documented brand protection playbook now:

  1. Assign roles: Who is responsible for monitoring, who handles takedowns, who communicates with customers?
  2. Document your official presence: Maintain a list of your exact domain names, social media handles, and app store listings
  3. Create templates: Pre-write abuse report templates for common registrars and platforms
  4. Establish relationships: Connect with platform trust and safety teams before you need them
  5. Set up monitoring: Implement automated detection that alerts you to new threats
  6. Review quarterly: Update your playbook as your online presence evolves

Prevention Is Your Strongest Defense

Brand impersonation is stressful, time-consuming, and damaging. Every hour you spend fighting a fake site is an hour not spent growing your business. The businesses that avoid this fate are not lucky — they are prepared.

DoppelDown exists to make that preparation automatic. Our platform monitors the entire domain namespace for threats to your brand, alerting you to lookalike domains, suspicious registrations, and active impersonation attempts in real-time.

Instead of discovering impersonation through customer complaints, you will know about it before the site even goes live. Instead of scrambling to collect evidence, you will have automated documentation ready for takedown requests. Instead of constantly watching for the next attack, you will have peace of mind knowing DoppelDown is watching for you.

Start protecting your brand with DoppelDown today — it is free to start, requires no credit card, and takes less than five minutes to set up. Do not wait for the next impersonation crisis. Get ahead of it.

Brand impersonation is an attack, but it is also an opportunity — to demonstrate your commitment to customer safety, to strengthen your defenses, and to build a brand that is resilient against those who would exploit it. Respond quickly, communicate transparently, and invest in prevention. Your customers will notice the difference.
