I wasn’t able to find anything about this online, and I wonder if anyone is already doing it. If not, maybe someone should.
Could the big players, e.g. Amazon and Apple, not provide the public with a fake email address and password (or a series of them) that we can feed into phishing sites? When the crooks then use the same to enter Amazon, they could be reported with their IP address and caught. Is anyone doing this?
In other words: make fake accounts to fight fake emails.
It seems regular people like us can spot phishing long before the big sites and web hosts do, and this could act as a deterrent against this sort of criminal activity. Like a lot of things, we’d democratize scam-busting, instead of reporting them to the authorities.
Of course we can still report the phishing site to APWG, SpamCop et al., but it’ll take hosts some time before they shut down the site, by which time the crooks will have made off with a lot of usernames and passwords.
I imagine some of these people will have built-in safeguards, e.g. they keep a record of the emails they send phishing messages out to, and if the one you provide doesn’t marry up, they’d know. But then, do all of us use the same email on these sites? If their aim is to cast their nets widely, then they would want those extra email addresses. I don’t necessarily use the same email address on all websites. Greed might trump the fear of getting caught, since the average scam nets the criminal US$4,500.
I know they’d also get suspicious if a whole bunch of us entered the same address and password, so these might need to be automatically generated regularly to bait the scammers. The oldest ones would be deleted.
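A sketch of how the site's side of this could look, added here as an illustration and not taken from any real service: a rotating pool of bait logins, plus a check that flags any login attempt using one. The class and function names, the `decoy.example` domain, and the choice to keep flagging retired addresses after they leave the public pool are all assumptions.

```python
import secrets
from collections import OrderedDict


class DecoyPool:
    """Rotating pool of bait logins; the oldest leave the public pool first."""

    def __init__(self, max_size=3, domain="decoy.example"):
        self.max_size = max_size
        self.domain = domain         # hypothetical domain reserved for bait addresses
        self.active = OrderedDict()  # email -> password, oldest first
        self.retired = set()         # no longer handed out, still watched

    def issue(self):
        """Generate a fresh bait login and retire the oldest if the pool is full."""
        email = f"{secrets.token_hex(4)}@{self.domain}"
        self.active[email] = secrets.token_urlsafe(12)
        while len(self.active) > self.max_size:
            old_email, _ = self.active.popitem(last=False)
            self.retired.add(old_email)
        return email, self.active[email]

    def is_decoy(self, email):
        # Assumption: a retired address is still a tripwire, because a
        # harvested login may be tried after it has been rotated out.
        return email in self.active or email in self.retired


def flag_decoy_logins(pool, attempts):
    """Return (source_ip, email) for each login attempt that used a bait address."""
    return [(ip, email) for ip, email in attempts if pool.is_decoy(email)]


def demo():
    pool = DecoyPool(max_size=2)
    first, _ = pool.issue()
    pool.issue()
    third, _ = pool.issue()  # pushes `first` out of the public pool
    attempts = [             # constructed login log: (source IP, email)
        ("203.0.113.7", first),
        ("198.51.100.23", "real.customer@example.com"),
        ("203.0.113.7", third),
    ]
    return pool, first, third, flag_decoy_logins(pool, attempts)


if __name__ == "__main__":
    for ip, email in demo()[3]:
        print(f"bait login {email} used from {ip}")
```

No real customer owns a bait address, so matching on the email alone is enough to flag the attempt, whatever password was submitted.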
Comments are welcome. It seems such a simple idea that it must already be out there after so many years, but maybe the pitfalls of generating so many would present difficulties, or maybe such an idea has already been tried and discarded.