[citrin_ru]

Even if a higher price is the only EV difference (which not exactly the case) it would be enough make sites with EV certs much less likely to be used in phishing - threat actors want to keep their cost down because they frequently register a lot of domains (much more than most legit companies). And even company names are not unique good luck with registering PayPal Inc or Bank of America Corporation to get an EV cert for your phishing site.

[josephg]

I don’t understand. Why would phishing attacks bother getting EV certificates? Users can’t tell the difference in modern browsers.

[citrin_ru]

Depends on who user is. I hope a typical HN user can find a way to view certificate information even in a modern browser.

The problem is - in modern internet it is very hard to find out who is behind a particular domain: NS/A often point to a CDN or a cloud, info in whois is hidden and all you can see is 'Private'. OV/EV cert is often the only way to know that a domain like acmecorp-invoices.com is used by the same company as acmecorp.com and not phishing (registering a domain similar to the main company's domain is a bad but not uncommon practice).

One of a reasons to get OV/EV cert is to avoid you domain being listed as phishing - if would give a security expect no hints that your suspiciously looking domain is a legit one and not impersonation there is a risk that it would be blocked.

Phisher practically never use OV/EV certs on other hand (probably because they know there are little to no changes they'll get a cert with the target company's name in organizationName).