This is really just a case of well-branded spearphishing. You should already be protecting against that.
Spearphishing is distinguished from phishing more generally by having very narrow, specific target selection.
If we are going to look for analogies to techniques of catching fish, this is more weir phishing than spearphishing.
Well really, it's somewhere between generic phishing and tightly targeted (spear) phishing.
But the thing you have to remember about "phishing", about "spear phishing", about "social engineering" and about the cons that con-artists have been pulling since before computers existed is you are never just protected from this since every social con is based on exploiting a reflexive, habitual response and the con-artist will always find those no matter how people are simply trained (indeed, the more robot-like you make people's reactions, the more reflexes the con-artist has to work with).
So basically, any serious organization has to keep on top of the new threats coming. Every organization has to warn its people not to do what they already ought to know better than to do.
Eternal vigilance... Reminds me of something else.
This would take about three clicks from an end-user, and at no point do they knowingly disclose their passwords...