Report a form for abuse

Trust & Safety · Reviewed by a human within one business day

Orbit Forms is a hosted form-builder used by many businesses to collect information from their customers. Like every public-facing platform, we're occasionally targeted by bad actors who try to misuse our service for phishing, impersonation, scams, or other abuse. We rely on visitors, customers, and trust-and-safety partners to help us find and remove this kind of content quickly.

Use the form below to report any page hosted on orbitforms.ai (or on a custom domain pointing to Orbit) that you believe violates our Terms of Service. Reports are reviewed by a human within one business day. Reporters may remain anonymous; an email address simply lets us follow up if we need additional context.

Types of abuse we take action on

The following behaviours are explicitly prohibited under our Acceptable Use Policy. Each one can result in immediate removal of the affected form, suspension or permanent termination of the account behind it, and — where appropriate — referral to law enforcement, anti-phishing partners (APWG, Google Safe Browsing, Microsoft SmartScreen, Bitdefender), or the impersonated brand.

  1. Phishing and credential theft. Forms (or pages, redirects, or workflows) that solicit passwords, PINs, one-time codes, payment card numbers, bank account details, government-issued identifiers, cryptocurrency wallet seed or recovery phrases, or any other sensitive credential for the purpose of unauthorized access or theft.
  2. Impersonation. Pretending to be another person, company, financial institution, government agency, charity, or other entity — including by using their name, logo, branding, trade dress, or a named employee’s contact details — in a manner likely to deceive a recipient about who sent the message or who operates the form.
  3. "Secure document" / "secure message" framing. Pages framed as a secure PDF, encrypted message, document share, voicemail notification, or similar pretext that exists primarily to direct visitors to enter credentials or click through to a credential-capture page hosted elsewhere.
  4. Acting as a redirector to a credential-capture site. Using an Orbit-hosted form as the first step of a multi-stage phishing flow, including redirecting visitors after submission to throwaway hosts (Cloudflare Workers, Cloudflare Pages, Replit, Glitch, Vercel/Netlify subdomains, etc.) crafted to mimic a brand login page.
  5. Malware, exploits, or harmful code. Distributing viruses, trojans, worms, ransomware, cryptominers, browser exploits, malicious scripts, or any other harmful code through forms, file uploads, redirects, integrations, or any other aspect of the Service.
  6. Spam and unsolicited messaging. Sending unsolicited bulk messages, "blast" outreach to scraped contact lists, or unwanted communications through Orbit’s sequences, email, SMS, or notification features. Lists must be opt-in.
  7. Fraud, scams, and deceptive offers. Forms that collect information under false pretences — fake job postings, fake loan or grant applications, fake giveaways, fake government benefits, romance scams, advance-fee fraud, investment scams, and similar.
  8. Illegal content. Content that violates applicable local, state, national, or international law or regulation. This includes content that promotes or facilitates terrorism, human trafficking, child sexual abuse material, illegal weapons, illegal drugs, or hate-motivated violence.
  9. Sexual or sexually exploitative content. Forms that distribute sexually explicit material, drive traffic to pornography, or solicit sexual content. We have a zero-tolerance policy for any content that exploits or endangers a minor; any such report is escalated immediately and reported to the National Center for Missing & Exploited Children (NCMEC).
  10. Harassment, threats, doxxing. Forms used to harass, abuse, threaten, defame, dox, or stalk any third party. This includes forms designed to collect or aggregate personal information about a specific individual without their consent.
  11. Trademark, copyright, or other IP infringement. Forms that reproduce a brand’s trademarks, logos, or copyrighted material without authorization, or that solicit content the form-creator does not have the right to use. We follow the Digital Millennium Copyright Act (DMCA) notice-and-takedown process for copyright complaints.
  12. Unauthorized data collection. Collecting personal data of natural persons without a lawful basis, without disclosure, or in violation of GDPR, CCPA, HIPAA, COPPA, or other applicable data protection law. Unauthorized scraping or extraction of data from any other party.
  13. Circumventing platform protections. Disabling, bypassing, evading, or interfering with Orbit’s abuse detection, denylist, heuristic scoring, rate limits, reCAPTCHA, or any other security or trust-and-safety feature — including by using Unicode lookalike characters, typo evasion, intentional misspellings, or steganographic encoding to defeat keyword filters.
  14. Reselling, sublicensing, or shared-account abuse. Sharing, reselling, or sublicensing access to your account; using a single account to host content on behalf of unrelated third parties; or operating template farms designed to mass-produce throwaway forms.
  15. Disrupting the Service. Attempts to overload, disrupt, or degrade the Service or its underlying infrastructure, including denial-of-service attacks, intentionally malformed payloads, or excessive automated requests.
  16. Reverse engineering and unauthorized scraping. Reverse engineering, decompiling, or disassembling the Service. Using scrapers, crawlers, or automated tooling to extract data beyond what our official API permits.

What happens after you report

  • We acknowledge receipt automatically and immediately enter the report into an internal review queue.
  • A human reviewer (typically within one business day, often within hours for clear phishing reports) checks the form, the team behind it, and the context of the report.
  • If the report is confirmed, the offending form is taken down, the responsible account is suspended, and any captured submission data is redacted from our database.
  • For clear phishing or impersonation cases we share IOCs with anti-phishing partners so the rest of the ecosystem (browsers, mail filters, AV vendors) can update their blocklists.
  • We don't comment publicly on individual cases. Reporters who provided an email address get a follow-up note when we've actioned the report.

If you already submitted sensitive information

If you entered a password, login credentials, payment information, government IDs, or other sensitive information into a form you now suspect is malicious, take these steps right away:

  1. Change the affected password immediately, and change it on every other account where you reuse the same password.
  2. Turn on two-factor authentication on the affected account if it isn't on already.
  3. Review recent sign-in activity on the affected account for unfamiliar locations or devices.
  4. If financial information was involved, contact your bank or card issuer to flag the card and watch for unauthorized transactions.
  5. Forward the original email or message you received to the Anti-Phishing Working Group at reportphishing@apwg.org so other security vendors can flag the campaign.
  6. If you're in the United States, file a report with the FBI Internet Crime Complaint Center at ic3.gov. If you're in the EU, file with your national cybercrime unit (most are listed at europol.europa.eu/report-a-crime).

Other ways to reach us

If you can't use the form above, you can also email support@orbitforms.ai with the URL of the page you're reporting and a short description of the problem. Please include the word “abuse” in the subject line so it gets routed correctly.

For DMCA copyright complaints, send a notice that meets the requirements of 17 U.S.C. § 512(c)(3) to the same address; we respond to valid takedown notices within the statutory window.