Hacker News
by bigiain 4009 days ago
I think you are completely correct in your second sentence there - there's no way I'd use this if there was any chance of my colleagues actually disclosing real credentials to a third party.

(Suspicious me is wondering if you're evil - 'cause if evil-me was in your position, I'd be selectively showing your "you've been phished, ha ha!" landing page to most people, but mining LinkedIn/Rapportive/Google for key contacts at any domains that sign up, and displaying genuinely evil credential-collecting-login pages if I got a hit from senior sysadmins or a CTO/CIO/CSO...)

1 comment

The phishing page could be set up to have a fake form that sends no data, and says "you've been phished" when someone tries to submit information to it.

At that level, though, the pen-tester really ought to have control over the phishing landing page.
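The "fake form that sends no data" from the reply above, worked out as an added example that is not code from the thread, from either commenter, or from the service being discussed. The page markup, the notice text, and the function names (renderDecoyPage, submittedFieldNames, onDecoySubmit) are all assumptions made for this example. The point it demonstrates is that the page should be safe even if the JavaScript never runs: inputs with no `name` attribute are not serialised by a native form submission, so the submit handler is a second layer, not the only one.

```javascript
// Added example (not from the HN thread): a phishing-awareness landing page
// whose "login" form never transmits what the user typed.
//
// Two layers so no credential leaves the browser:
//   1. The inputs carry no `name` attribute. A native form submission only
//      serialises named controls, so even with JavaScript disabled the
//      browser sends an empty query string.
//   2. The submit handler cancels the submission, wipes the fields without
//      reading their values into anything that could be logged or sent, and
//      swaps the form for the "you've been phished" notice.

// Notice text is an assumption for this example.
const NOTICE =
  "This was a simulated phishing test. No credentials were recorded. " +
  "Report suspicious e-mails to your security team.";

// Markup for the decoy page (hypothetical). No `name` attributes on the
// inputs; method GET to the page itself, so a non-JS fallback submission
// carries nothing.
function renderDecoyPage() {
  return [
    '<form id="login" method="get" action="#" autocomplete="off">',
    '  <label>Username <input type="text" autocomplete="off"></label>',
    '  <label>Password <input type="password" autocomplete="off"></label>',
    '  <button type="submit">Sign in</button>',
    "</form>",
    '<div id="notice" hidden></div>',
  ].join("\n");
}

// Returns the control names a native submit would serialise. Used as a
// pre-deploy check over the template: the expected result for the decoy
// page is an empty list.
function submittedFieldNames(formHtml) {
  const names = [];
  const re = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = re.exec(formHtml)) !== null) names.push(m[1]);
  return names;
}

// Submit handler. `event.target` is the form; `notice` is the element that
// shows the message. Written against the minimal interface a browser form
// exposes (preventDefault, form.elements, element.value/hidden/textContent)
// so it can also be exercised outside a browser with plain objects.
function onDecoySubmit(event, notice) {
  event.preventDefault(); // never let the browser serialise and send anything
  const form = event.target;
  let cleared = 0;
  for (const el of form.elements) {
    if ("value" in el && el.type !== "submit") {
      el.value = ""; // wipe without reading the old value
      cleared++;
    }
  }
  form.hidden = true;
  notice.textContent = NOTICE;
  notice.hidden = false;
  return { submitted: false, cleared };
}

// Browser wiring; skipped when there is no DOM (e.g. under Node).
if (typeof document !== "undefined") {
  document.body.insertAdjacentHTML("beforeend", renderDecoyPage());
  const form = document.getElementById("login");
  const notice = document.getElementById("notice");
  form.addEventListener("submit", (e) => onDecoySubmit(e, notice));
}
```

Run submittedFieldNames over the deployed template before a campaign; a single stray `name="password"` turns the awareness page into a real credential sink the moment the script fails to load. The same discipline applies on the server that hosts the landing page: a route that only ever needs to return the notice should not read or log request bodies at all.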