>When you get an email from Apple—or, really, anyone telling you to complete a digital security measure—check the URL they’re trying to send you to. Apple Support lives on apple.com and getsupport.apple.com, nowhere else.
That advice is fine for the technically savvy but doesn't work for a lot of normal people who don't have the knowledge to mentally parse URLs.
https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146
People just pattern match on the substring "apple.com" because they don't understand that the DNS system works right-to-left. Therefore, the 2nd URL looks just as "legitimate" as the first one. I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards, but they find that mental algorithm confusing and those instructions don't stick. (This is actually an area where some AI on phones/desktops could assist people in deciphering URLs or marking them as suspicious.)
The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
- An Amazon verification email will be sent from "[email protected]". It's intuitive to predict something coming from "@amazon.com" so a mental whitelist filter works in that case.
- However, State Farm Insurance legitimate login verification codes are actually sent from "[email protected]" instead of the expected "@statefarm.com"
> senior citizens and tried to explain how to parse the domain
Why would you want end users, senior citizens or not, to mentally parse URLs?
The rule is: If the bank, or paypal, or your landlord, or anyone else really emails you that you have to complete some information to your account or pay the latest bill or whatever, you GO TO THEIR WEBSITE and login normally. If it is important they will have the same information there.
The same rule also applies to unsolicited phone calls, but it might be harder to follow: If your bank, or the police, or some other important person calls you and asks for information or for you to do something that feels the least bit off or hurried, you take their contact information, you look up whatever it is they want you to do and you CALL THEM BACK at the official telephone number of the bank or the police. You probably already have the number and if you don't it's on their web site. Do not call back on any other number.
People working the phone generally have much worse protocols than people working over email, so they may be less prepared for you to do this, but I have never heard of anything important that was emailed that wasn't also easily available when logged in to the website.
The only time it is appropriate to click a link in an email is when you are verifying your email address with them. Not for any other reason.
It is unfortunately normal for companies to impersonate scammers.
We can teach people as much as we want about security against phishing. It won't matter because people have to break these rules constantly. Companies actively train people to fall for phishing by doing everything in their power to be indistinguishable from phishing themselves.
> getsupport.apple.com.phish.xyz
I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:
https://wa.gov-phish.fit/dol
https://seattle.gov-phish.cc/dmv
(Real examples, with "phish" replacing a string of 3-4 random letters.) In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.
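As an added illustration (not code from any commenter in this thread) of both points raised so far, the right-to-left parse from the first comment and the TLD-hyphen lookalikes from this one, the script below extracts the host, keeps only its rightmost labels, and contrasts that with the naive substring match people actually do. It assumes a hard-coded allow-list and a fixed two-label registrable domain; a real checker would consult the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed samples taken from the thread's own examples; "phish" stands in
# for the random letters the commenters replaced, so these are not real hosts.
SAMPLES = [
    "https://getsupport.apple.com/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146",
    "https://getsupport.apple.com.phish.xyz/customer?cvid=8c11bcc71f684b6ab405d4fa1e86c146",
    "https://wa.gov-phish.fit/dol",
    "https://seattle.gov-phish.cc/dmv",
]

# Assumption: a toy allow-list of domains the thread calls legitimate.
TRUSTED = {"apple.com", "wa.gov", "seattle.gov"}
COMMON_TLDS = {"com", "gov", "net", "org", "edu"}


def naive_substring_match(url, brand="apple.com"):
    """The mental check the thread warns about: brand name anywhere in the URL."""
    return brand in url


def hostname(url):
    """Host part only: what sits between 'https://' and the first '/'."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host, label_count=2):
    """Read the host right-to-left and keep the last labels.
    Assumption: two labels suffice; real code should use the Public Suffix List."""
    return ".".join(host.split(".")[-label_count:])


def is_trusted(url):
    """True only when the registrable domain itself is allow-listed."""
    return registrable_domain(hostname(url)) in TRUSTED


def tld_hyphen_lookalike(url):
    """Flag second-level labels such as 'gov-xxxx' that mimic a familiar TLD."""
    second_level = registrable_domain(hostname(url)).split(".")[0]
    prefix, sep, _ = second_level.partition("-")
    return sep == "-" and prefix in COMMON_TLDS


def classify(url):
    if is_trusted(url):
        return "trusted"
    if tld_hyphen_lookalike(url):
        return "suspicious: TLD-hyphen lookalike"
    return "suspicious: unknown registrable domain"
```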
> The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:
Yep, and there are even things like irs.gov which tells you how to know a site is official (https, and .gov), and then links you to id.me to login. (Not sure what was wrong with login.gov, which SSA lets you use.)
Or the insanity of IRS services that use the "id.me" domain for a vendor with a Montenegro TLD.
Privacy issues aside, white-labeling the service and infrastructure behind *.irs.gov should be a mandatory requirement.
Bluesky's moderation email is [email protected] which 100% looks like a phishing address.
> I work with senior citizens and tried to explain how to parse the domain in the URL by looking for the first forward "/" after the "https://" and then scan backwards but they find that mental algorithm confusing and those instructions don't stick.
Have you tried some analogy which will be personal to them? Like describing the URL as a family tree: “com is the oldest ancestor, like you Mr Johnson. Then apple is your son Bill, and getsupport is your grandchild Cody. If you saw ml instead of getsupport, that would be a different grandchild, but still in your family. However, when you see phish and xyz before apple and com you can think ‘I don’t know those people, they aren’t my father and grandfather’”.
The idea is imperfect but I literally just thought of it. We could certainly come up with something better that might eventually work.
Thank you for working to keep vulnerable people safe from phishing.
1Password has really been bugging me recently, all the emails they send have giant link buttons they want you to click without verifying where you're actually going
HP's email sender always looks malicious and makes me do a double take.
I recall receiving an email from company X, warning me to not trust emails that said they were from X but didn't come from X.com. But the warning email itself did not come from X.com! They broke their own rules in the warning email.
It's been a while, so I cannot name and shame X...
Microsoft is really bad with this. Login might be live.com or microsoftonline.com or maybe onmicrosoft.com. I went to report a vulnerability to their security portal this week and it redirected me to b2clogin.com.
OneDrive email attachments link to, I kid you not, 1drv.ms, or maybe it was 1drv.com…
Not to mention, they use .ms as if it’s their personal TLD, but obviously anyone can register a .ms domain. It’s like they want people to get phished.