I'm not sure I understand.

edit: That is, your phishing approach would work regardless, in my opinion. If your main site is `mycompany.com` then don't be surprised to see phishers sending `my-company.com` etc.

Also, you can host our content on a separate domain while still having users visit the same domain.