Report the incident immediately. Notify the Anti-Phishing Work Group, as well as local, federal, and state law authorities immediately. Quick notification can help shut down the source of the phisher’s attacks and limit the damage. Additionally, reporting the incident to major search engines enables them to attempt to locate the offending servers and add them to their toolbars that are designed to block phishing attacks.
There is some good news though - Hundreds Collared For Global Net Scams
I would be interested in hearing from readers who have done crisis communications in this sort of situation.