by ptoomey3 2703 days ago
I’m not even convinced “don’t click links” is the best guidance. That message has been pushed so hard that people immediately think their machine has been compromised once they have clicked a shady link. That is nearly never the case. Clicking links isn’t something that should cause fear. Nobody is burning a modern browser vuln in a spam email. I think the message should be more focused on not manually entering credentials into a site. Lean on your browser to validate domains and know which sites are associated with which credential. I say that somewhat aspirationally, as I still think there is lots of room for how well browsers and password managers work for novice users.
2 comments

Agreed that clicking links is usually safe.

My point is, as a broad-based message, as soon as you start saying complicated words like "browser" and "validate domains" and "credential" and "password managers," nontechnical eyes immediately glaze over. I think your advice works for the most technically inclined 25% of users. It just confuses the rest.

"Don't click links," despite having more false positives when used as an individual's safety heuristic, resonates more and thus will result in many fewer false negatives when applied to the general public. The cost of a false positive is relatively low, while the cost of a false negative is high.

Clicking links can be a problem in corporate environments where automatic login has been enabled on Internet Explorer and outbound SMB not blocked.

The phishing site immediately gets their domain NTLM hash, which can often be cracked to gain a password.

This can also be a problem in PDF and Word docs without the need to employ a 0-day. https://resources.infosecinstitute.com/steal-windows-login-c...

Also of note: password managers can help mitigate phishing, as they will not offer to complete passwords if the domain does not match.
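The corporate NTLM-leak scenario discussed above depends on workstations being allowed to speak SMB to arbitrary Internet hosts. The following detection logic, added here as an example and not taken from the thread, runs over constructed egress firewall log lines (the `src=... dst=... dport=... proto=...` format and the sample addresses are assumptions) and flags allowed SMB connections to non-internal destinations, which is exactly the egress that should be blocked.

```python
import ipaddress
import re

# Constructed sample of egress firewall log lines (not from the thread). The
# key=value layout is an assumption made for this example.
SAMPLE_LOG = """\
src=10.1.2.34 dst=10.1.0.5 dport=445 proto=tcp action=allow
src=10.1.2.34 dst=51.15.20.7 dport=445 proto=tcp action=allow
src=10.1.2.35 dst=93.184.216.34 dport=443 proto=tcp action=allow
src=10.1.2.36 dst=104.18.3.9 dport=139 proto=tcp action=allow
src=10.1.2.36 dst=192.168.5.10 dport=139 proto=tcp action=allow
src=10.1.2.37 dst=104.18.3.9 dport=445 proto=tcp action=deny
"""

SMB_PORTS = {139, 445}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, where SMB traffic is expected."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_external_smb(log_text: str) -> list[dict]:
    """Return allowed outbound SMB connections whose destination is not internal.

    Each hit is a workstation that a link in a phishing page could coerce into
    authenticating to an attacker-run SMB server, handing over a Net-NTLM
    challenge/response; the mitigation is to deny TCP 139/445 egress at the edge.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        src, dst, dport, proto, action = m.groups()
        if (proto == "tcp" and int(dport) in SMB_PORTS
                and action == "allow" and not is_internal(dst)):
            hits.append({"src": src, "dst": dst, "dport": int(dport)})
    return hits


if __name__ == "__main__":
    for h in find_external_smb(SAMPLE_LOG):
        print(f"ALERT external SMB egress {h['src']} -> {h['dst']}:{h['dport']}")
```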