Last week, I wrote about what brand owners should do about phishing. You may recall me saying that owners should have a mailbox where they can receive copies of phishing spam forwarded to them by consumers and (ahem) security researchers. I also said that owners could run spamtraps to pick up phishing attacks as they happen.
One aspect of this that I didn't mention, but perhaps it's not obvious -- the mailboxes used should not be spam filtered. A surprising number of banks and other brand owners get this detail wrong (cough Barclays cough). This causes them to ignore complaints and under-estimate the scale of the problem.