We received a report today from an EDU that received hundreds of undeliverable notices from other EDU domains.  Their "helpdesk" email box had been used as the spoofed from address in a simple "ask for the user's password to avoid account closure" attempt to gather email account passwords from unsuspecting college students.  But instead of going to a website, user is just supposed to send the account details to an email address at the bottom of the page.  Turns out that a couple of them replied with their account details to the EDU, instead of the attacker.  It is somewhat of a catch-22 for the attacker - use a more official "from" address and user is more likely to reply; but the same user is likely not to follow the directions at the bottom of the message stating send your reply to xyz@attacker.com. 

The story reminds me of "stupid criminal" stories.  But on the Internet, there is less chance of getting caught and more likelihood that someone will fall for the attack.