How does the hacker get the user to end up on their proxy website? Do they send a phishing email so the user goes to the proxy site without realizing it? (Ie training users to always go directly to the site is a good defense against many types of attacks)