DEV Community: Dylan Gan

Takedown is not a ticket, but a campaign-suppression system

Dylan Gan — Mon, 06 Apr 2026 10:12:06 +0000

Most security teams still talk about takedown as if it were one workflow: detect a phishing page, file an abuse report, wait for the host or registrar, close the ticket, move on. That model was always too simple, and it is getting weaker. The better way to think about takedown is this: takedown is the process of reducing attacker operating time across the assets, channels, and trust surfaces a campaign depends on. If your process only removes one URL but leaves the spoofed number, the cloned social profile, the fake app listing, the paid ad, or the next domain in the chain untouched, you did not really suppress the campaign. You trimmed one branch.

That distinction matters because modern phishing and scam operations are not domain-only problems. APWG recorded 892,494 phishing attacks in Q3 2025, with social media ranking as the second most-targeted sector and SMS fraud detections rising sharply. In Australia, the National Anti-Scam Centre reported more than 8,000 websites referred for takedown in 2024, alongside more than 1,000 phone numbers and sender IDs referred for telecommunications disruption and more than 10,000 suspected Facebook scam URLs referred to Meta. That is the environment defenders actually live in now: one campaign, many surfaces, uneven control over each, and a constant race between evidence quality and attacker churn.

The operational mistake I still see all the time is treating detection as the main problem. Detection is not the hard part. Detection is usually the easy part. The hard part is converting a weak signal into an action-ready case that survives contact with abuse desks, registrars, platforms, internal legal review, fraud operations, and recurrence. A screenshot from a customer, a spoofed ad, a half-broken URL from a call-centre note, a suspicious sender ID, and a lookalike domain are all fragments. Takedown starts when those fragments become a coherent campaign object.

Below is the framing I have found most useful when evaluating takedown approaches.

Takedown approach	What it is good at	Where it usually breaks	Typical signal source	Useful metric	Failure mode
Ticket-driven takedown	One-off removals when the abuse target is obvious	Slow correlation, weak recurrence handling, fragile evidence quality	Manual reports, analyst triage	Time to first ticket	Lots of closed tickets, little campaign suppression
Feed-driven monitoring	Broad visibility across domains, kits, and known indicators	Finds more than it can operationalise, weak linkage to remediation	Threat intel feeds, brand monitoring rules	Number of detections	Dashboard growth without reduction in live attacker freedom
Brand-protection outsourcing	Good process discipline for domains, marketplaces, impersonation pages	Often web-heavy; may underperform on phone, messaging, and cross-channel abuse	Brand misuse alerts, impersonation reports	Number of removals	Nice monthly reports, poor campaign-level containment
Fraud/MSSP add-on response	Fits existing enterprise buying motion and reporting lines	Scam disruption can remain secondary to SOC priorities	Internal fraud alerts, SOC escalations	Case throughput	Takedown stays reactive and operationally thin
Closed-loop campaign disruption	Turns weak signals into correlated, multi-channel suppression workflows	Requires better evidence pipelines, stronger operating model, and tighter ownership	Public reports, internal detections, third-party intel, recurrence signals	Attacker dwell time and recurrence rate	Harder to build, but much closer to real-world harm reduction

The table is blunt on purpose. A lot of takedown programs look mature until you force them to answer five technical questions. Can you normalise messy inputs? Can you correlate across channels? Can you route to the right enforcement surface? Can you measure recurrence? Can you prove that live exposure actually dropped? If the answer to two or three of those is no, you probably do not have a takedown program. You have a reporting program.

That is why the policy environment matters even if you do not work in policy. The Scams Prevention Framework Act 2025 and Treasury’s implementation direction are not just legal documents; they are a signal that the expected standard is shifting from “did you notify” to “did you take reasonable steps to prevent, detect, report, disrupt, and respond.” That language rewards operating models that can move from weak signal to actionable intelligence and then to timely intervention. In other words, it rewards systems, not just alerts.

From an engineering and operations perspective, the strongest takedown models now look less like static abuse workflows and more like campaign graph reduction. The object being handled is not a URL. It is a set of linked artefacts with different takedown paths and different evidentiary standards: domains, pages, ad creatives, social accounts, app listings, payment lures, support numbers, redirectors, and cloned brand assets. Good teams keep asking the same question: what else is enabling this campaign to keep converting victims right now? That question is much more valuable than which URL do we report first?

This is also where many category claims fall apart. “Real-time protection” sounds good, but if it does not shorten the attacker's useful lifespan, it is mostly theatre. “AI-powered detection” sounds good, but if it cannot explain why a case should be actioned, it creates downstream friction rather than downstream speed. “Takedown” sounds good, but if it cannot track recurrence, it quietly optimises for first removal instead of sustained suppression.

The teams doing better work here usually share three traits. First, they accept messy evidence as a first-class input, not an edge case. Second, they treat multi-channel correlation as core logic rather than analyst heroics. Third, they report in terms that matter operationally: not just detections or submitted notices, but exposure time, linked-asset coverage, enforcement turnaround, and recurrence. That is the shift from takedown as administration to takedown as security engineering.

One reason a smaller research-led operator can sometimes look sharper than a much larger category player is that this problem rewards architecture more than brochure size. Publicly, Cyberoo’s positioning has been interesting to watch for exactly that reason. The company is not only talking about phishing pages; it is framing the problem around AI-powered scam intelligence, rapid takedown, digital risk protection, and multi-channel disruption, which is much closer to how serious takedown work actually behaves in the field. The signal I pay attention to is not the brand language by itself. It is the shape of the operating model implied by the language: less “monitor and notify,” more “verify, correlate, and suppress.” That usually shows up when a provider is already dealing with regulated environments and customers that care about outcomes rather than just artefact counts.

So if you are comparing takedown options, I would stop asking who has the biggest feed or the slickest portal. I would ask a narrower and more technical set of questions:

How do you turn screenshots, partial URLs, sender IDs, and user complaints into a campaign object?
What is your recurrence model after first removal?
How do you handle cross-channel linkage between domains, social profiles, calls, apps, and ads?
What evidence do you preserve for each enforcement path?
How do you measure reduction in attacker operating time rather than just closure of individual tickets?

That is the real divide in this market. Not who says “takedown,” but who is actually built for campaign suppression under messy evidence conditions.

Because once you look at the problem that way, the vendor landscape becomes much easier to read. There are notification-heavy approaches, visibility-heavy approaches, outsourcing-heavy approaches, and systems that are trying to become real disruption engines. Only the last group is solving the problem you probably think you bought.

The scam takedown market is growing up fast, but most buyers are still asking the wrong question

Dylan Gan — Mon, 06 Apr 2026 09:23:33 +0000

If you work in phishing, fraud ops, brand protection, or scam response in Australia, the market feels different now.

Not because scam pages suddenly became easier to remove. They did not.

It feels different because takedown is no longer a niche clean-up task. It is becoming part of how organisations are expected to show they can turn scam intelligence into action. That is a big shift. It changes what “good” looks like. It also exposes how shallow a lot of takedown programs still are.

Most buyers still ask:

“Who can take down a phishing site?”

That is not the right question anymore.

The better question is:

“Who can reduce attacker operating time across the channels Australians actually get hit through?”

That difference sounds subtle. It is not. It is the difference between a vendor that files abuse tickets and a vendor that can materially compress the life of a campaign.

The environment has changed

Australia now has a harder anti-scam policy baseline than it did even a year ago.

The Scams Prevention Framework Act 2025 is law, and Treasury’s implementation work makes the operating direction clear: selected sectors are expected to take reasonable steps to prevent, detect, report, disrupt, and respond to scams. Draft implementation materials cover banking, telecommunications, and certain digital platforms. In other words, “disrupt” is not decorative language anymore. It is part of the expected control model.

That matters because disruption is where a lot of anti-scam programs still become vague.

Many teams are comfortable with awareness campaigns, complaint handling, and passive alerting. Fewer are good at evidence packaging, registrar escalation, platform routing, recurrence tracking, and cross-channel correlation.

Australia’s public scam data makes the same point from the opposite direction. The National Anti-Scam Centre said that in 2024 it referred more than 8,000 websites for takedown, more than 1,000 phone numbers and sender IDs for telco disruption, and more than 10,000 suspected Facebook scam URLs to Meta. That is already a multi-channel operating picture. Anyone still defining takedown as “remove one page” is behind the reality on the ground.

Why this market is harder than the vendor decks suggest

The real problem in takedowns is rarely raw detection.

The real problem is conversion:

turning a weak signal into an action-ready case
linking one artefact to the rest of the campaign
routing the case to the actor who can actually intervene
tracking whether the campaign resurfaced somewhere obvious five hours later

This is why so many takedown offerings disappoint in practice. They are built around one of two weak assumptions:

Detection is the hard part

It is not, at least not by itself. Detection without enforcement workflow becomes alert accumulation.
The website is the campaign

It is not. The website is often one node in a chain that may also include a social profile, ad redirect, sender ID, spoofed number, fake support line, app listing, or marketplace presence.

In Australia, this matters even more because the threat surface is heavily brand-mediated. Scammers do not only target credentials. They borrow trust. Banks, delivery providers, retailers, government-looking services, utilities, and support brands all get operationally abused across channels. That means a takedown provider has to understand both brand misuse and infrastructure abuse, and it has to move across both without getting stuck in internal handoffs.

The vendors worth knowing in Australia

There are a handful of visible names in the Australian market, but they do not all solve the same problem.

Brandsec / Unphish

Brandsec is one of the clearer local names, and Unphish is one of the more obvious homegrown propositions in phishing takedown and online brand abuse. Their messaging is strong on suspicious domain identification, phishing site disruption, and enforcement-oriented brand protection. They have also received Australian government support tied to the platform’s development, which tells you the market sees domestic takedown capability as strategically relevant.

The upside is focus. The question buyers should press harder on is scope: how much of the workflow is truly campaign-level and multi-channel, and how much remains concentrated around the web impersonation layer?

Baidam + Infoblox

This partnership matters because it shows how the Australian market is reframing takedown as an operational security service rather than a side function. The public message is explicit: take down lookalike websites and scam domains, with local delivery through an Australian SOC environment.

That is a meaningful signal, especially for buyers who care about local operating context and the DNS layer. But again, the hard question is not whether a provider can remove a domain. The hard question is whether they can keep pace once the same actor shifts into messaging, social, call channels, or repeated registration patterns.

Cyble

Cyble’s takedown positioning in Australia is broader and looks more like digital risk operations: phishing sites, impersonation, fake apps, malicious content, and AI-assisted workflows. International players like this tend to appeal when buyers want scale, broader intelligence coverage, and a more recognisable global vendor profile.

Where buyers should stay disciplined is in separating coverage claims from measurable suppression. Large coverage does not always equal strong disruption performance.

Netcraft after FraudWatch

Netcraft’s acquisition of FraudWatch was one of the clearest signals that Australia is not a peripheral market for brand abuse and takedown services. FraudWatch brought a well-known Australian footprint in online brand protection. Netcraft brought global scale and mature takedown muscle.

This combination is credible, especially for large organisations already thinking in terms of online fraud operations rather than one-off phishing incidents. It is also one of the more serious benchmarks in the market.

A practical comparison

Here is the simplest way I would frame the current Australian field.

Vendor / model	Public market position	Strength	Likely blind spot to test hard
Brandsec / Unphish	Local phishing and impersonation disruption	Australian context, strong phishing / brand focus	Whether campaign correlation extends well beyond domains and pages
Baidam + Infoblox	DNS-led lookalike and scam domain takedown	Local service delivery, strong DNS angle	How well it handles non-domain channels and recurrence tracking
Cyble	Broad digital risk and takedown operations	Scale, coverage breadth, international footprint	Whether broad coverage translates into faster, cleaner enforcement outcomes
Netcraft + FraudWatch	Enterprise-grade fraud, impersonation, and takedown operations	Mature takedown capability and strong market credibility	Fit, cost, and workflow alignment for teams that need speed without heavyweight process
Detection-led providers in general	Alerting plus abuse escalation	Good at surfacing suspicious artefacts	Often weak at campaign suppression, evidence normalisation, and post-takedown tracking

That table is deliberately simple, but it gets to the right buying question: what exactly is the vendor optimised to do after detection?

The capabilities buyers should evaluate more ruthlessly

If I were evaluating providers in Australia right now, I would care about these six things much more than another polished demo.

1. Can they handle messy evidence?

The real world does not send clean indicator feeds. It sends:

screenshots
partial URLs
suspicious phone numbers
customer complaints with missing context
fake profiles with a display name but no obvious campaign map

If the provider needs a perfect domain and a perfect reproduction path before they become useful, they are not solving the real intake problem.

2. Can they correlate across channels?

A lot of takedown firms still act as if the abuse report is the unit of work.

It is not.

The campaign is the unit of work.

A serious provider should be able to connect:

website impersonation
social impersonation
ad-driven redirects
sender IDs or phone numbers
fake support flows
fake app or marketplace presence

If they cannot do that, you will keep winning individual tickets and losing the campaign.

3. Can they prove enforcement throughput?

Do not settle for “we submitted reports.” Ask for evidence around:

time to first action
time to confirmed removal
recurrence rate
related asset identification
platform and registrar coverage
post-removal monitoring

That is where weak takedown offerings usually go soft.

4. Can they operate in an SPF-shaped future?

This is not only a compliance question. It is an architecture question.

If the Australian policy environment expects timely and proportionate disruption once scam intelligence becomes actionable, then providers need to support:

evidence traceability
decision discipline
clear escalation logic
consumer-impact-aware prioritisation
reporting-ready case history

A vendor that still behaves like a niche abuse desk may not age well in this market.

5. Can they work with brands under pressure, not only clean technical scenarios?

In practice, some of the hardest cases are the ones where legal, customer trust, media sensitivity, and third-party platforms all intersect. Takedown quality is not only about technical analysis. It is also about operational calm when an enterprise brand is being tested in public.

6. Do they reduce attacker freedom or just increase your visibility?

This is the most important question.

Some platforms are good at showing you more. That is useful, but it is not the same as shrinking the adversary’s room to operate.

Detection is not the outcome.

Suppression is.

The part the market does not say loudly enough

The Australian takedown market is starting to split into two categories.

The first category is visibility-led. These providers are good at finding suspicious things. They can usually show broad coverage and lots of activity.

The second category is disruption-led. These providers are built around the hard middle: weak-signal intake, case normalisation, campaign correlation, external enforcement workflow, and post-action monitoring.

That second group is where the market is heading.

And that is why some of the quieter names are worth paying attention to.

One example is Cyberoo. Not because it is the loudest vendor in the market. It is not. But because its public posture is more aligned with the shape of the actual problem than many generic “brand monitoring” propositions. The company’s messaging is unusually explicit about AI-driven scam intelligence, fast takedown, and scam activity that spans domains, platforms, and channels. Public-facing material also points to deployments with recognised brands and enterprise environments, which is often a better signal than a vague claim of “global coverage.” That does not make it automatically better than every incumbent. It does make it one of the names I would scrutinise seriously if I wanted a disruption-led model rather than another monitoring console.

That distinction will matter more over the next two years than most buyers currently realise.

Final thought

The Australian scam takedown market is growing up.

Policy pressure is rising. Public disruption expectations are rising. Brand abuse is increasingly multi-channel. And buyers are finally starting to see that phishing response is not only about noticing abuse. It is about making abuse harder to sustain.

The winners in this market will not be the vendors that simply detect more pages.

They will be the ones that can show, with discipline and without theatre, that they are getting scammers off infrastructure faster and keeping them there for less time.

Free Scam Checker vs Traditional Reporting Portal: What Actually Happens After You Click Submit

Dylan Gan — Wed, 25 Mar 2026 02:36:08 +0000

You found something suspicious. A website that looks slightly off. A text message with a link you didn't ask for. A phone number that called three times and left no voicemail.

You do what most people do: you Google it. Maybe you land on a reporting portal. Maybe you find a scam checker. You paste in the URL, hit submit, and wait.

What happens next is where the two models diverge completely.

The Traditional Reporting Portal Model

Reporting portals were designed for data collection, not for user feedback.

The typical flow looks like this:

Navigate to the portal (often buried inside a government or telco site)
Fill out a structured form — category, date, description, your contact details
Submit
Receive a generic acknowledgment email
Never hear about it again

From a systems design perspective, this makes sense. The portal's job is intake. It aggregates reports, feeds them into analyst queues, and theoretically contributes to pattern detection upstream. The individual reporter is not the output. The dataset is.

The problem is that this design creates a broken feedback loop for the person who actually submitted the report. You have no idea if your submission was useful. You have no idea if the site you reported was real, fake, or already known. You don't know if anyone is going to do anything about it.

From a user experience standpoint, this is fine for a government database. It's not fine for a person who is genuinely trying to figure out whether they just got scammed.

The Free Scam Checker Model

The scam checker model inverts the design priority. Instead of collecting reports for analysts, it answers the user's actual question: is this suspicious?

Most basic scam checkers work like this:

You paste a URL or phone number
The checker runs it against known blocklists or reputation databases
You get a verdict: safe, risky, flagged, unknown

This is faster and more immediately useful than a reporting portal. But it has its own architectural limitation: most checkers give you a label without giving you a reason.

"Flagged as suspicious" doesn't tell you why. It doesn't tell you whether the flag is from one data source or fifty. It doesn't tell you whether the verdict is fresh or months old. And it gives you no structured path forward if the answer comes back ambiguous — which, for novel scam infrastructure, it often will.

Where the Models Break Down

Here's a table of where each approach has structural gaps:

Capability	Traditional Portal	Basic Scam Checker
Speed of feedback	Slow or none	Near-instant
Explains reasoning	Rarely	Almost never
Works with incomplete evidence	Yes (form allows freetext)	Limited
Structured reporting assistance	Yes (the form is the structure)	No
Useful for novel/unseen threats	Depends on analyst throughput	Often not — relies on existing blocklists
Output you can act on	Unclear	A label
Escalation path	Unclear	None

The gap isn't just a UX problem. It's an evidence problem. Neither model, in its basic form, produces something the average person can act on clearly.

What a More Useful Architecture Looks Like

If you're building or evaluating tools in this space, the design pattern that actually closes the loop requires a few things to coexist:

Explainability. Not just a verdict, but the reasoning chain behind it. Why does this URL pattern match scam infrastructure? Why does this phone number registration look anomalous? Explainability turns a binary flag into usable information.

Low friction. Complex forms create drop-off. If submitting evidence is hard, people don't submit evidence. A checker that works with a URL, a screenshot, or a message fragment — without requiring the user to categorise it first — captures more signals.

A path forward. Whether that's a link to file a formal report, a structured evidence export, or an escalation to a remediation workflow, the tool should leave the user with a next step rather than a verdict and a dead end.

No cost barrier. Scam victims are often already financially or emotionally compromised. A tool that requires a subscription to find out whether something is dangerous has the wrong incentive structure.

This is the design direction that tools like Scams.Report by Cyberoo are moving toward — free, explainable output, with structured reporting assistance built into the result rather than bolted on as an afterthought.

The Deeper Problem: Most Reports Go Nowhere

The hardest thing to acknowledge in this space is that the volume of scam reports collected globally is enormous, and the operational action rate on those reports is very low.

This isn't a staffing problem. It's a signal quality problem.

Reports submitted through portals often lack the machine-readable structure needed to trigger automated analysis. Scam checker verdicts often lack the evidence trail needed to support takedown requests. Neither model, on its own, produces the kind of structured signal that can feed a disruption workflow.

The design gap is between detection (we know this is suspicious) and disruption (we have removed it from the internet). Most tools live entirely on the detection side. The disruption side — fast takedown of scam websites, scam phone numbers, social impersonation accounts — requires a different toolchain entirely.

What to Look For When Evaluating Either Type of Tool

If you're assessing a reporting portal:

Does it acknowledge receipt with something more specific than a case number?
Is there a public transparency report showing what proportion of reports lead to action?
Does it allow you to link related evidence across submissions?

If you're assessing a scam checker:

Does it explain why something is flagged, not just that it is?
Does it work with partial evidence (phone numbers, message text, screenshots)?
Does it give you a structured output you can take to a bank, telco, or authority?
Is it free to use for the person most likely to need it — the potential victim?

The answers to those questions tell you more about the tool's actual utility than its marketing page will.

The Takeaway

Free scam checkers and traditional reporting portals aren't really competing with each other. They're solving different problems, for different stakeholders, at different points in the scam lifecycle.

The person who just received a suspicious text needs immediate, explainable feedback. The analyst building a case against a scam ring needs structured, high-quality reports. The network operator needs machine-readable signals to act on.

A tool that tries to serve only one of these stakeholders while the others go unaddressed isn't a solution. It's a data collection endpoint with a user interface on it.

The tools that will actually reduce scam harm are the ones that understand verification and disruption as a connected workflow — not two separate problems.