[supriyo-biswas]

At one point of time when I had to deal with people submitting phishing links to a web service I owned, I learned some of the tricks that phishers use to get around reports, such as using IP geolocation or the accept-language and accept-encoding header to determine if the phishing page should be served.

With tricks like this, it's not a surprise to see why the companies operating blocklists are hesitant to make this process easy; after all, what's to prevent the phishers from temporarily stating that the issue has been resolved to get out of the denylist, and then restarting their campaign again?

[Seattle3503]

If the process required you to verify ID, e.g. a passport + video selfie, some accountability might be possible. But that might be too invasive for many folks.

[bragr]

This doesn't work because there's a nearly unlimited supply of people willing (out of desperation, drug addiction, or just plain poor decision making) to let bad actors use their IDs.

[lazide]

Also, all that info has been leaked a billion times now, and there are tools to allow real-time filter/overlays of faces to make it even easier.

[Seattle3503]

It's what banks are using now.

[lazide]

These two things are concerning, not reassuring.

Still, an improvement over what they were previously using I guess?