Now that we've got X Corp.'s employee data, let's go phishing!

Can you complete the message to an inexperienced X Corp. employee?

That's it! We've directed the employee to enter old and new passwords on our look-alike website. Trickster!

Shouldn't we use a fake link or something to try and get the old and new passwords?