by prmoustache 480 days ago
> The average non-technical user doesn't "see" "[municipality].[state].gov". They aren't familiar with the concept of a domain hierarchy at all. They just memorize "[municipality_website]" and move on with their day.

That means they can easily be redirected to a phishing website.


Absolutely, and that's a risk that we carry, especially in the public sector. That being said though, I don't know if adopting a better-regulated domain is itself enough to alleviate that.

The very unfortunate reality is that many (most?) users evaluate phishing attempts with the null hypothesis that "this is trustworthy". They are looking for evidence that something is wrong and assuming all is well if they don't find it. To that sort of user, the thinking goes something like:

* Some trustworthy sites use .com.

* My municipality is trustworthy.

* My municipality uses .com.

If you draw out the Venn diagram, there's a clear gap in that line of thinking. That doesn't matter to someone's Great Aunt Linda though. She just knows that .com is what goes after Amazon and Google, so it must be good.

With that in mind, could using .gov help to protect those folks? To a certain extent. I can see the argument for keeping the more discerning few from getting scammed. For the broader group though, it won't change anything.

Offhand, the alternative solution that I'd offer would be providing clear communication standards to the public. Specifically, defining when, how, and from whom municipal notifications go out. Think of it like the IRS only sending physical letters; archaic as it seems, it makes it pretty obvious that an email "from them" is bogus. The clearer someone's understanding of where to find us is, the more optimistic I am that they'll get where they need to be.

> They just memorize "[municipality_website]"

Nah, even worse, they type “municipality” or some butchered typo of it into their browser, triggering a Google search, and click the very first link they see (sponsored or no) - so they can wildly easily be tricked into phishing websites.

Arguably we’re all victims of the decade or so when Google was so good at serving up the right site, so most people just got used to not knowing any URLs. People Google “YouTube” or “cnn” rather than type even the .com after those words.

IMO, poor website UX plays a big part in this too. People are far less likely to Google "[city] public works" if "public works" is a top-level menu item on the city website. When you first need to click a hamburger menu, hover over the "departments" entry, select "other departments", and then pick "public works" from the site header though, Joe Public is just going to do a search.

People type full domain names, including the .com, into Google, because they have no idea that the address bar on their browser even exists.

Yes, what really makes people like us cry is watching someone type in just the word Google into the ubiquitous search/URL bar, hit enter, click Google’s first result for Google which is google.com, then type “cnn.com” into the search field, hit enter, and then click an ad or result for CNN.