Here’s a screenshot of a PayPal spoof that looks like it’s been defaced by a vigilante or sysadmin. Most defacers will warn users and disable the phishing site so it can’t hurt anyone. In this case, the defacer just posted a warning at the top (along with a phone number to call in case anyone wants to help catch the phisher) but then he/she left the site intact, so it can still swipe user credentials. That’s like finding a hole in the road that someone could fall into and only putting up a warning sign – fill in the hole with dirt too!
So here’s defacing-a-phishing-site law #1: when defacing a phishing site, make sure you break it so no one can get hurt.