This is really just a case of well-branded spearphishing. You should already be protecting against that.
Well really, it's somewhere between generic phishing and tightly targeted (spear) phishing.
But the thing you have to remember about "phishing", about "spear phishing", about "social engineering" and about the cons that con-artists have been pulling since before computers existed is that you are never just protected from this, since every social con is based on exploiting a reflexive, habitual response and the con-artist will always find those no matter how people are simply trained (indeed, the more robot-like you make people's reactions, the more reflexes the con-artist has to work with).
So basically, any serious organization has to keep on top of the new threats coming. Every organization has to warn its people not to do what they already ought to know better than to do.
Eternal vigilance... Reminds me of something else.