Comment Not really surprising, and not users' fault (Score 4, Informative) 81
As a security consultant, I've run phishing campaigns for quite a few clients, usually as part of a pen test where we'd use any captured credentials as a foothold for further testing. Typically, I expect about 1-5% of recipients to click on the link and enter their credentials, with a convincing email and website combination.
Ten years ago, I might have placed most of the blame on users, for not observing obvious warning signs in the email and after clicking on the link, but these days I put the majority of the blame on the engineers and developers building the legitimate systems that those employees use.
10-20 years ago, one could be pretty sure that any credentials for a given company (let's call them "TransferLicious") would be entered somewhere in the website whose name was the one domain associated with that company ("transferlicious.com"). Over time, devs and engineers embraced vanity/novelty domains for a variety of purposes, and now the same company might legitimately have login forms on "transferlici.os", "xfrlcs.io", "transferliciousbanking.com", and so on. Those URLs might be further masked by link-shortening services.
How many enterprise/social-media single-sign-on services involve redirections to other domains? Now the problem is multiplied, because their employer uses "BlueSkies SSO", and their devs and engineers do the same thing. Am I getting sent to a login page from "blueski.es" now instead of "online.blueskies.com" because it's a phishing attack, or because a BlueSkies dev thought it would be "sick" to use a vanity domain instead?
Browser vendors have made hiding technical information from users a priority, and a huge number of users are on mobile devices that don't support things like hovering the cursor over links anyway, so there's another "how to spot a malicious link" technique down the drain.
Users shouldn't have to care about details like that in the first place, but the people building the systems and browsers have done such a terrible job that there aren't even any consistent rules that users can keep in mind. This makes it easy for me to phish people during pen tests, which is great, but it's sad from just about every other perspective.
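The comment's core complaint is that there is no consistent rule a user can apply to decide whether a login page's host is legitimate once an organization scatters its logins across vanity domains, SSO providers and link shorteners. The defensive counterpart is to make the rule explicit: an organization maintains an allowlist of the hosts that are sanctioned to receive its credentials, and anything else is flagged before a credential is entered. The following is an added example (not the commenter's code, not from any real product) that classifies a URL against such an allowlist; the host names "transferlicious.com" and "online.blueskies.com" are taken from the comment's hypothetical companies, and the allowlist, shortener list and sample URLs are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts the (hypothetical) TransferLicious company
# and its SSO provider have declared as legitimate credential entry points.
SANCTIONED_LOGIN_HOSTS = {
    "transferlicious.com",
    "online.blueskies.com",  # the SSO provider's canonical login host
}

# Constructed list of link-shortener domains; a shortened link hides the
# real destination, so it gets its own verdict rather than being trusted.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g.
    'login.transferlicious.com' -> 'transferlicious.com'.
    Simplified on purpose: it ignores multi-label public suffixes
    such as 'co.uk'; a production checker should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Registrable domains of the sanctioned hosts, computed once.
SANCTIONED_DOMAINS = {registrable_domain(h) for h in SANCTIONED_LOGIN_HOSTS}

# The brand words users are trained to recognise ("transferlicious", "blueskies").
BRAND_WORDS = {d.split(".")[0] for d in SANCTIONED_DOMAINS}


def classify_login_url(url: str) -> str:
    """Classify a URL a user is about to enter credentials into.

    Verdicts:
      'sanctioned' - host is an allowlisted host or lives under an allowlisted domain
      'shortener'  - host is a link shortener, so the destination is unknown
      'lookalike'  - host is not sanctioned but contains a sanctioned brand word
                     (covers 'transferliciousbanking.com', 'blueski.es' and
                     'transferlicious.com.evil.example'-style hosts)
      'unknown'    - host is neither sanctioned nor obviously impersonating
      'invalid'    - no host could be parsed
    """
    # urlsplit needs a scheme to populate .hostname; assume https if missing.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname  # strips userinfo, so 'a.com@evil.example' yields 'evil.example'
    if not host:
        return "invalid"
    host = host.lower()

    if host in SANCTIONED_LOGIN_HOSTS or registrable_domain(host) in SANCTIONED_DOMAINS:
        return "sanctioned"

    if registrable_domain(host) in KNOWN_SHORTENERS:
        return "shortener"

    # Collapse dots and hyphens so that 'blueski.es' and 'blue-skies.net'
    # are both compared as 'blueskies'; dot-separated vanity spellings are
    # exactly the case the comment says users cannot distinguish from phishing.
    squashed = host.replace(".", "").replace("-", "")
    if any(brand in squashed for brand in BRAND_WORDS):
        return "lookalike"

    return "unknown"


def triage(urls):
    """Return {url: verdict} for a batch of links, e.g. from a mail gateway log."""
    return {u: classify_login_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links mirroring the comment's examples.
    samples = [
        "https://login.transferlicious.com/auth",
        "https://online.blueskies.com/sso",
        "https://blueski.es/login",
        "https://transferliciousbanking.com/login",
        "https://transferlicious.com@evil.example/login",
        "https://bit.ly/3abcdef",
        "https://xfrlcs.io",
    ]
    for url, verdict in triage(samples).items():
        print(f"{verdict:10s} {url}")
```

Note that the legitimate vanity domain "blueski.es" and the phishing-style "transferliciousbanking.com" receive the same verdict: the checker cannot tell them apart, which is precisely the comment's point. The only way a vanity domain becomes 'sanctioned' is for the organization to add it to the allowlist and publish that list to its users and mail filters; the check also shows why treating every subdomain of an allowlisted domain as trusted is a deliberate policy decision rather than a free default.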