I had a thought this evening:
What if eBay, PayPal, or [insert your financial institution] were to hire an outside email marketing company to construct an email to the entire user base of said transaction company, breaking all the rules that these companies set for "phishing email scams", to test how many of their account holders actually fall for scams, thereby learning from each one to prevent scams?
I know, I know ...
PayPal and eBay say they will never send you such an email ... well ... technically they aren't - the email marketing company they hired is.
I say that getting into the minds of those who are gullible is the only way to truly understand security. This is how email marketers have done it for years. They have taken the "best" [read as most fallen for] results and honed phishing to a science. I say that financial institutions or transaction-based websites [read as any website that allows the transfer of money] would be able to better understand security.
Think about it. There are several real-world examples. First, the police often conduct "mock raids" on small-time crooks just to get practice in sting operations. Police also do prostitution stings by posing as prostitutes.
Who better to conduct an investigation than the company that wants to prosecute the crime? This is what the police do - why shouldn't PayPal or eBay?