Help monitor the bad guys by sending an email generated during the /etc/profile.d/ time. Send a date/timestamp email to an external site, just as an audit trail.
As a result, you have already sent the audit trail email before the login shell even shows its first prompt.