> The other problem with that advice is people can't "whitelist" the legitimate domains to look for because they don't know ahead-of-time what they are. E.g.:

Yep, and there's even things like irs.gov which tells you how to know a site is official (https, and .gov), and then links you to id.me to login. (not sure what was wrong with login.gov, which SSA lets you use)