That's it! We've directed the employee to enter old and new passwords on our look-alike website. Trickster!
Shouldn't we use a fake link or something to try and get the old and new passwords?