When I have the time, I like to script an attack on phishing sites by posting false data. The idea is to fill their databases with trash, and make it more difficult for the criminals to weed out real data entered by victims.
I almost did this the other day when I got a fake Docusign phishing email. Unfortunately, I found that the webpage it led to was sending collected credentials to an apparently innocent but hacked third-party wordpress site, which I assume forwarded the info elsewhere. I didn't want to waste the third party's bandwidth so I used their contact form to explain the situation. Didn't expect a response, but I just checked and they fixed it!