How average folks don't stand a chance against phishing, example #78,821,042: GitHub
• Email from GitHub <no-reply@github.com> with officialegal subject demanding personal information with urgency else undesirable consequences.
• Multiple text links in HTML email, including a literal "click here to", do not go to a known domain, but to MSP redirects.
• Visiting https://github.com and looking around shows no sign of this important and urgent change before or after login.
• A web version of the notice can be found on github.blog, but who registered that and when?* whois/Internic doesn't know.
While you and I know how to dig deep enough to validate this kind of thing [or do we just think so?], this is just another in a never-ending stream of emails from companies we trust with our personal information, money, services, etc. training us to fall for phishing far more effectively than any anti-phishing effort can.
As sad as it is to expect this from the usual suspects such as the finance industry (especially mortgage companies), it's sadder to see @github fail this hard.
See also @troyhunt's "Scam" blog posts: https://www.troyhunt.com/tag/scam/
*[Created 2018-05-17, registered to Organization "GitHub, Inc" by the same registrar with which github.com was registered for Organization who-knows-because-privacy (but actually GitHub, Inc. if you ask the registrar), hosted by Knock Knock WHOIS There, LLC, which is the only reason I mention this.]