#eupld

2025-03-25

Even the best of us can fall for phish.

troyhunt.com/a-sneaky-phish-ju

That should not happen, but it does because:

  1. All tech nowadays is so unreliable that when the password manager fails to auto-fill, it's not a strong enough signal that something is really wrong. It's just another day and another piece of tech which does not work reliably so we just get conditioned to work around it.
  2. Designers rule the game, and they want clean interfaces over anything that might look cluttered even if that means hiding one of the few reliable signals. We spent years and millions to implement SPF, DKIM and DMARC only for the App designers to go "naah the sending domain doesn't look good on my canva, let's just show the user-provided name that has zero validation instead as the canonical From".
  3. We are all humans, humans make mistakes and we make more mistakes when tired, stressed or otherwise not able to fully focus on something.
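As an added example that is not part of the original post: a small Python helper showing what a mail client could display as the sender, the DMARC-checked From domain rather than the unvalidated display name. The headers are constructed sample data and the function names are my own.

```python
"""Decide what to show as the sender of a message, favouring the
DMARC-validated From domain over the free-text display name."""
import re
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed sample headers (not taken from any real message).
SAMPLE_HEADERS = {
    "From": '"Mailchimp Support" <support@mailchimp-login.example.net>',
    "Authentication-Results": (
        "mx.example.org; spf=pass smtp.mailfrom=mailchimp-login.example.net; "
        "dkim=pass header.d=mailchimp-login.example.net; "
        "dmarc=pass (p=reject) header.from=mailchimp-login.example.net"
    ),
}


def sender_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address (the identifier DMARC aligns on)."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"malformed From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def dmarc_result(auth_results: str) -> Tuple[str, Optional[str]]:
    """(dmarc verdict, header.from domain) parsed from an RFC 8601
    Authentication-Results header; 'none' when no dmarc clause is present."""
    verdict = re.search(r"\bdmarc=(\w+)", auth_results)
    checked = re.search(r"\bheader\.from=([\w.-]+)", auth_results)
    return (
        verdict.group(1).lower() if verdict else "none",
        checked.group(1).lower() if checked else None,
    )


def sender_label(headers: dict) -> dict:
    """The display name is untrusted user input; the domain is only marked
    authenticated when DMARC passed for that exact From domain. Note that a
    DMARC pass proves the domain sent the mail, not that it is the right one,
    which is why the domain itself must be visible to the user."""
    display_name, _ = parseaddr(headers.get("From", ""))
    domain = sender_domain(headers["From"])
    verdict, checked = dmarc_result(headers.get("Authentication-Results", ""))
    return {
        "display_name": display_name,
        "domain": domain,
        "authenticated": verdict == "pass" and checked == domain,
    }
```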

So, do we just give up? Sadly that is not an option.

So I think we need to

  1 and 2. Demand better tech. The EU product (inc software) liability directive is far from perfect and might end up just enriching lawyers, but at least it's an attempt to make software makers liable for when their software causes harm.
  3. Accept that everyone will make mistakes and design for it. In this case Mailchimp should have done another 2FA or email validation prompt for rare but "high impact" stuff like exporting the mailing list.

Also #Passkeys

Thanks @troyhunt for being open and transparent about this. I'll add it to my list of examples showing experts getting phished that I like to refer to every time someone says "the user should have known better".

#phishing #sat #infosec #pld #eupld
