Frequently Asked Questions

Find answers to common queries here, or email us at

What is phishing?

We define phishing as an attempt to impersonate a site operated by an organisation with which the victim of the phishing attempt has an existing relationship, in order to obtain passwords or other personal information for use in some type of fraud.

How can I report a phishing site on iOS?

When using Safari or other browsers, tap the 'share' icon, then tap the 'Report Phishing' option. Or, to report a phishing message in iMessage, long-press the message, tap 'Copy...', then tap the Netcraft icon.

How can I spot a phishing site?

There are many tricks that fraudsters use to make their sites seem genuine. Some things to watch out for are (but not limited to): subtle spelling or grammar mistakes, a sense of urgency, asking to reply with sensitive information, and a suspicious URL that does not resemble that of the impersonated company's website.

How can I report a phishing site on Android?

In the Netcraft app, simply tap the report (clipboard) icon in the home screen. Or, from a browser, find the 'share' option, and share the site with the Netcraft app.

You can also use to report malicious sites from any device.

What are web miners?

A web miner, or cryptojacker, is malicious JavaScript inserted by fraudsters into a website that lets them mine for cryptocurrency on your computer without your consent. Browsing a website with a web miner can often slow down your computer by consuming its resources. Netcraft finds and detects web miners on the Internet and blocks them on Android and in the Extension.

What are shopping site skimmers?

A shopping site skimmer is a malicious JavaScript program that steals your payment card information when you checkout on an online store, and sends it back to a fraudster to use later. Netcraft finds and detects shopping site skimmers on the Internet and blocks them on Android and in the Extension.

How much disk space do the Android and iOS apps need?

The size of the iOS app can vary based on your device, as the App Store dynamically adjusts the app download to match your device. In addition, the disk space used by the app can also vary based on the feeds you're subscribed to. Typically the size of the iOS app once installed and configured is 80–95MB.

The size of the Android app is significantly smaller than the iOS app, due to a simpler protection mechanism. This means savings can also be made by not needing to include instructional videos showing the user how to enable the app. Typically the size of the Android app is between 2–6MB.

Why don't the apps block all calls and SMS messages from fraudulent phone numbers?

Unfortunately caller IDs are relatively easy for a fraudster to fake. This makes blocking calls or messages by caller ID tricky, as it can become difficult to distinguish between a fraudster using a faked caller ID and an official company using a legitimate caller ID.

For example, if you received an SMS message from a fake 'Example Bank', it is difficult to block that caller ID without also blocking all calls and SMS messages from the legitimate 'Example Bank'.

What information does Netcraft collect about me?

To view what data the Netcraft app stores, view our privacy policy.

Who else uses your feed?

Our feed is licensed by major web browsers, leading anti-virus companies, web hosting providers and many others.

What is the browser extension?

The Netcraft anti-phishing browser extension provides comprehensive site information and phishing protection when browsing the web. Users can also use the extension to report URLs they believe to be malicious to Netcraft. More information can be found here.

Why are some Site Report dates in the future?

The 'First Seen' date corresponds to the first month in which the site appears in the Netcraft Web Server Survey. Thus, towards the end of a month, it may be possible to see some sites where the 'First Seen' date appears to be in the future.

Why is the Netcraft Extension warning about a safe website?

There are several reasons why you may receive a warning about a website you know to be harmless. The Extension has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks. In these cases, if you are sure that the website poses no threat, you can ignore the warning by clicking 'Yes' to the warning dialog. If you believe that the Extension has incorrectly classified a safe site as a phishing attack, you can let us know by using the 'Report Incorrectly Blocked URL' link on the Extension menu. You can also access the form directly. The Extension will only ever warn you about suspicious websites by displaying a warning dialog; it will never cause the site to stop responding or display a 'file not found' page. Please be certain that the Extension is displaying such a warning before contacting us.

How does the Risk Rating work?

The Risk Rating displayed by the Netcraft Extension offers a further level of protection against new sites that are not yet in Netcraft's database. A lower risk rating is better as it indicates lower risk. Although some sites contain entirely benign content, the Netcraft Extension may assign a high Risk Rating because it could be hosted under a newly registered domain, the site may have never been seen in the Netcraft Web Server Survey before, or the network hosting the site may have hosted a number of fraud sites in the past. Many other factors are also taken into account. Hosting a web site on an unusual port number will also increase the Risk Rating, as will hosting a site from a raw IP address, as many phishing sites employ this tactic. The Risk Rating can be calculated fast enough to be performed for arbitrary sites as people visit them, and does not rely on manual categorization.

Will Netcraft know which pages I visit whilst using the extension?

No — Netcraft has no way of knowing which pages an individual user visits when using the Extension. We do, however, collect the hostnames of the websites visited by our users in order to provide website popularity ranking information. In order to protect the privacy of organizations' internal networks, the Netcraft Extension does not transmit information about sites on IANA private addresses. This feature, however, is only present in the Firefox version of the Extension.

Why does the Site report list companies unrelated to the site owner?

Many people and organisations do not host their own websites directly, but instead use a variety of third-parties to provide their website and associated services. One common technique for high-volume websites is to use a Content Delivery Network (CDN). Also, the site report may list companies such as hosting providers, domain registrars, the Internet Service Provider (ISP) that provides the IP address, and more. Most, if not all, of this information can be found in publicly available sources.

What does it mean when the Extension says 'New Site'?

'New Site' means the site you are currently visiting has not been seen before by the Netcraft Web Server Survey. This indicates that the site is very new and should be considered less trustworthy than other sites, since most phishing sites spring up overnight and disappear just as quickly.

Why are some Site Report values 'unknown'?

The Domain Registrar, Organisation, and Nameserver Organisation fields in the Site Report are only maintained for websites with a Site Rank higher than 1 million. Sites not in the top 1 million may display a value of 'unknown' if we do not have up-to-date information available.

I have a problem with the Netcraft Extension

Before reporting any bugs, please ensure that you are using the latest version of the Netcraft Extension. In Firefox users can check for updates by selecting Tools > Extensions from the Firefox menu and right clicking on the Netcraft Extension. In Google Chrome and Opera the same can be done by navigating to the extensions page and clicking on 'Update extensions now'. In Microsoft Edge open up the 'Windows Store' from the Start menu, click the top-right options button and select 'Downloads and updates'; from there you can click 'Get updates' to ensure everything is up to date. If the bug persists please report it.

How does the Extension cope with DNS poisoning?

The Extension displays the location of a site's IP address based on the information provided by your computer. If your local DNS cache was 'poisoned' such that the a web site pointed to an IP address located in Russia, then the Extension would report the site as being located in Russia.

Will the Extension work if I am using a transparent proxy?

The Netcraft Extension functions correctly with ordinary web proxies. A small number of Internet Service Providers (ISPs) use transparent proxies to route your web page requests. This could cause the Extension to report a web site as belonging to your ISP, however, this is quite a rare occurrence.

How do we find out the Most Visited Web Sites?

Domains visited by the anti-phishing community are collected anonymously and used to produce a list of the top 100 most visited websites. These rankings depict an accurate view of the most popular web sites viewed by users of the Netcraft Extension.

Which browsers support the Netcraft Extension?

The Netcraft Extension is available for Mozilla Firefox, Google Chrome, Opera and Microsoft Edge; no other web browsers are supported at this time.

What do I do if the Firefox version of Netcraft Extension is 'offline'?

If your Extension is appearing as 'offline', please try the following solution:

  • Type 'about:config' into the address bar and press return.
  • Type 'browser.offline' into the 'Filter:' field.
  • Right-click on the 'browser.offline' item in the list, and click on 'Toggle' to set this value to 'false'.
  • Close the tab.

The Extension should now work as intended.

What is SSLv3?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both designed to provide security to web connections. TLS is the successor protocol to SSL, though both are often referred to as 'SSL'. The last version of SSL was SSL version 3 (SSLv3), which is no longer deemed to be secure due to a vulnerability dubbed POODLE. Similarly, TLS version 1.0 is also no longer considered to be secure, as some implementations are vulnerable to POODLE, and cryptographic vulnerabilities have been found in the underlying RC4 cipher. All versions of SSL, and TLS 1.0 have been superseded by TLS 1.1 and 1.2, the latter of which is the current recommendation.

When visiting a secure web page, the browser and web server negotiate to use the most secure version of SSL/TLS supported by both parties. In practice, this means that SSLv3 is rarely used to provide security. However, certain browser behaviour allows a man-in-the-middle to downgrade the negotiated protocol to SSLv3 or TLS 1.0, after which they can perform an attack. The Extension indicates whether the web server supports SSLv3, which could mean that a downgrade attack is possible.

What is Heartbleed?

Heartbleed is the name of a vulnerability in the OpenSSL cryptographic library which at the time of disclosure affected around 17% of SSL web servers using certificates issued by trusted certificate authorities. The vulnerability has the potential to allow attackers to retrieve private keys and ultimately decrypt the server's encrypted traffic or even impersonate the server. The cause was a missing bounds check in the handling of the TLS heartbeat Extension which can allow remote attackers to view up to 64 kilobytes of memory on an affected server.

When you visit a web site which uses SSL, the Netcraft Extension will detect if the site offered the heartbeat TLS Extension prior to the Heartbleed disclosure using data from the Netcraft SSL Survey. If this is the case the Extension will also check to see if the SSL certificate has been reissued, if it has not then the site is unsafe as the certificate's private key may have been compromised prior to the fix. Even if the certificate has been reissued it does not guarantee the site cannot be impersonated using the old certificate unless it has been revoked. The Extension will indicate when a site is unsafe by displaying a bleeding heart icon, which on mouseover displays an explanatory tooltip. Additionally, if the server is affected by Heartbleed or does not support PFS, a warning triangle will be displayed on top of the Netcraft icon.

What is Perfect Forward Secrecy (PFS)?

PFS is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available - for example, as a result of a court order, social engineering, an attack against the website or cryptanalysis.

When you visit a web site which uses SSL, the Extension will detect if it is likely that your web browser has negotiated an SSL cipher suite which supports PFS. It will display a green tick if so, and a red cross if not. Additionally, if the connection does not support PFS or is affected by Heartbleed, a warning triangle will be displayed on top of the Netcraft icon.

How do I opt out of automatically reporting sites loading malicious scripts to Netcraft?

Go to the options page of the extension (usually located in your browser's Extensions Manager) and disable blocking for shopping site skimmers, web miners, and other malicious scripts. Note that this also disables protection against these scripts.

  • The Firefox Extensions Manager can be found at Firefox Menu > 'Add-ons' > 'Extensions'.
  • The Chrome Extensions Manager can be found at Google Chrome Menu > 'More tools' > 'Extensions'.
  • The Opera Extensions Manager can be found at Opera Menu > 'Extensions' > 'Manage Extensions'.
  • The Edge Extensions Manager can be found at Options Menu > 'Extensions' > 'Netcraft Extension' > 'Remove'.