How to Take Down a Fake Website Selling Your Products (2026)
A scam site cloned your store, stole your product photos, and is running ads to your customers. Here's the layered takedown playbook: host, registrar, payment processors, and ad networks.
The short answer
To take down a fake website, attack all four of its dependencies in parallel on the same day: a DMCA notice to the hosting provider (1–5 days), a fraud/IP complaint to the domain registrar (1–3 weeks), counterfeit reports to its payment processors (often the fastest kill), and ad/search takedowns via Google and Meta plus a Safe Browsing report. The parallel approach typically neutralizes a scam site in one to three weeks.
A customer emails asking where their order is — except they didn't buy from you. They bought from a website using your product photos, your descriptions, sometimes your brand name with one letter changed, running paid ads to your audience. The site either ships a counterfeit, ships nothing, or harvests card numbers.
Fake storefronts feel harder to fight than marketplace listings because there's no "report" button. But every scam site depends on four pieces of infrastructure it doesn't control — hosting, a domain, payment processing, and traffic. Each one is a takedown surface, and the fastest results come from attacking several at once.
Step 1: Preserve evidence before the site changes
Scam sites rotate content and domains quickly. Before filing anything, capture: full-page screenshots of the homepage, product pages using your assets, and checkout; the exact URLs; and an archived copy via the Wayback Machine if possible. Note which of your copyrighted assets appear — specific photos, text passages, logo files. If customers were defrauded, save their reports too; fraud evidence unlocks channels that pure IP complaints don't.
Step 2: Map the site's infrastructure
Ten minutes of lookup work determines where to send complaints. A WHOIS lookup on the domain reveals the registrar (where the domain is managed) and registration dates — recent registration is itself a fraud signal. A DNS/IP lookup reveals the hosting provider. Many scam sites hide behind Cloudflare, which masks the origin server; Cloudflare's abuse form forwards complaints to the actual host and can disclose the origin provider to rights holders.
Also identify the checkout: does the site take cards via Stripe, PayPal, or a regional processor? The payment logos in the footer, or a test walk to the payment page, usually tell you. This becomes your highest-leverage target in step 3.
Step 3: File on every layer in parallel
Don't file sequentially and wait — send all of these within the same day:
Hosting provider (DMCA). Your product photos and copy are copyrighted, so a DMCA notice to the host's abuse contact demands removal of the infringing content — which for a cloned store means effectively the whole site. Hosts typically act in 1–5 business days on clear complaints, and no trademark is required — grab our free host abuse complaint template for the exact wording.
Domain registrar. Report the domain for fraud and IP abuse via the registrar's abuse channel — see our registrar-by-registrar takedown guides. Registrars move slower (1–3 weeks) but a suspension kills the domain everywhere at once. If the domain contains your trademark, a UDRP dispute can transfer it to you permanently — slower and costlier, but decisive for repeat targets.
Payment processors. Often the fastest kill. Stripe, PayPal, and other processors terminate merchants selling counterfeits or committing fraud, frequently within days — and a store that can't take payment is dead even while it stays online. Our payment takedown guides cover each processor's complaint channel.
Traffic sources. If the site runs ads, report them: Google Ads' trademark complaint form and Meta's Brand Rights Protection for Facebook/Instagram ads. Ad enforcement is usually faster than infrastructure takedowns and immediately cuts the scam's customer flow. Then hit search and browsers: a DMCA request via Google's Legal Help deindexes the site, and reporting the domain to Google Safe Browsing puts a full-page deceptive-site warning in front of every Chrome visitor.
What to expect, honestly
A single-layer complaint against a clear-cut cloned store usually lands within a week. The parallel approach typically neutralizes a scam site — payments cut, ads down, search-flagged, then offline — in one to three weeks. Sophisticated operations relaunch on a new domain with the same assets; when that happens, your second takedown round is much faster because the evidence package already exists. That relaunch pattern is also the argument for monitoring: catching the new domain in day one instead of month two.
Preventing the next one
Fake stores rarely appear from nowhere — they're preceded by lookalike domain registrations and scraped assets. Watch for typosquats and homoglyph domains on your brand name (our domain squatting defense playbook covers the patterns), run reverse-image checks on your hero product photos, and monitor ad libraries for your brand terms.
IPzest automates this loop — daily domain monitoring with WHOIS tracking, typosquat detection, ad monitoring across Meta and Google, and reverse-image scanning across the web — and drafts the takedown paperwork when something surfaces, from $68/month with a 7-day free trial. However you run it, the strategic point is the same: fake sites are infrastructure-dependent, and the brand that files on all four layers in parallel wins in weeks, not months.
Frequently Asked Questions
How do I find out who is hosting a fake website?
Run a WHOIS lookup on the domain to identify the registrar, then a DNS/IP lookup to identify the hosting provider. If the site sits behind Cloudflare, submit Cloudflare's abuse form — they forward complaints and can disclose the origin host to rights holders.
How long does it take to shut down a fake website?
Hosting providers typically act on clear DMCA complaints in 1–5 business days. Registrar action on fraud can take 1–3 weeks. Payment processor termination (Stripe, PayPal) often lands within days and kills the site's ability to take orders even before it goes offline. Filing on all layers in parallel is the fastest path.
Can I take down a fake website without a trademark?
Often, yes. If the site uses your product photos, descriptions, or site design, DMCA copyright complaints to the host work without any trademark. A registered trademark adds stronger levers — UDRP domain disputes, registrar trademark complaints, and counterfeit reports to payment processors.
The fake site is running ads for my brand. What do I do?
Report the ads directly: Google Ads has a trademark complaint form and Meta's Brand Rights Protection covers Facebook and Instagram ads. Ad takedowns are often faster than website takedowns and cut off the scam's traffic source immediately.
Should I report a fake website to Google?
Yes, twice: file a DMCA removal request through Google's Legal Help to deindex stolen content from search results, and report the domain to Google Safe Browsing as a deceptive site. Safe Browsing flags show scary full-page warnings in Chrome, which effectively kills the site's conversion even while it stays online.