[coldfoundry]

Why does it seem like phishing is popular again? Maybe bad actors forgot how gullible humans were? I get phishing attempts nearly daily via email or sms and I honestly thought “Who would fall for this?” every time one came in.

The only phishing I can see that would be extremely hard to detect are browser extension injections (either in extension window or page replacement) so the domain is legitimate.

[diggan]

> Why does it seem like phishing is popular again?

Was it ever not popular? Looking at my spam box, I receive countless of phishing attempts per week, and doing some quick queries of the total count over time, it seems to more or less been the same for the last 2-3 years at the very least.

I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?

I think most people either have the phishing emails flagged, so they never see them. The ones that get seen, get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their detail. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it.

So I guess ultimately it's bound to become news every now and then, until everyone finally got the memo to get a proper password manager that don't show accounts that don't belong to the domain.

[kannanvijayan]

Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains.

[entropie]

You might be on point:

https://www.anthropic.com/news/detecting-countering-misuse-a...

[khy]

A little thing that doesn't help the situation is when legitimate emails link you to domains that aren't obviously controlled by the company.

For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.

[EvanAnderson]

From my perspective, adjacent to front-line end user IT support in a lot of the work I do, phishing has never not been popular in the last couple decades.

It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).

[tracker1]

One of the worst, my SO approved "notifications" on some website.. and was getting viral alert notifications via that system. It looks like a typical tray notification in windows, and other than it's got a chrome header, it would be pretty easy to fall for. And this is why, before they passed, one of my Grandmothers was on Linux, and my other was on a Chromebook... no cleaning off random Windows malware twice a year.

[stravant]

People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for.

[whatamidoingyo]

> People realized that past phishing attempts were quite badly constructed

I seem to recall that the typos and grammar errors were intentional. This gets rid of skeptical people, and you're left with those who are extremely gullible and likely to fall for it.

[ranger207]

This current spate of attacks might be _because_ of that, in fact. Enough people know that phishing attacks are obviously low quality, so when they see a well-constructed message they're less suspicious

[tempodox]

Or it’s because LLMs don’t make spelling mistakes.

[rkomorn]

First time I've heard this but it actually makes an awful lot of sense.

[diggan]

> and a well constructed one is actually really easy to fall for

It really shouldn't though, and something you need to be personally responsible for. If it's still possible in 2025 for you to fall for phishing attempts, you're missing something, something that starts with a p and ends with a assword manager.

[JW_00000]

You must be joking. When I try to log in on Outlook I get redirected to 'microsoftonline.com' (suspicious), when I log in on Wikipedia it sends me to something called 'wikimedia.org' (typo squatter?). How the hell am I supposed to know whether npmjs.help or rustfoundation.dev are _not_ the official domains of those projects?

[diggan]

> You must be joking.

You must be joking, are you still not using a password manager at all?

When you create the username+password combo you either do it yourself, then put in the password manager the domain, or you use whatever the password manager infers at the registration page, then that's basically it, for most sites. Then 1% of the websites insist to use signin.example.com for login and signup.example.com for signup, so you add both domains to your password manager, or example.com.

Now whenever you login, you either see a list of accounts (means you're on the right domain) or you don't (which means the domain isn't correct). And before people whine about "autofill doesn't always work", it doesn't matter, the list should (also) show up from the extension modal/popup, so even if autofill doesn't work for that website, you'd be protected, since the list of accounts are empty for wrong domains.

It's really easy, and migrating to a password manager just sucks the first couple of days, every day after that you'd be happy you finally did it.

[oguz-ismail]

Nah, I can manage my own ass words. I wouldn't trust a third party have access to all of them anyway

[autoexec]

Having a password manager that doesn't involve having to trust third parties is what keepass is for

[shit_game]

I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not.

[WesolyKubeczek]

When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them.

You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them.

You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency.

Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.

[tialaramex]

> Don’t worry, when they actually target you, you’ll be caught.

When they target me, which happens, it doesn't work because of WebAuthn.

Buy a Security Key. If you think you might lose it, buy at least two more. For critical sites like GitHub (which was targeted here) set up your Security Keys and get into the habit of relying on them. It's the same philosophy as Rust itself, machines are really good at diligently performing a simple task, so don't leave those tasks to human vigilance, that is a foolish misallocation of resources.

[immibis]

"Your WebAuthn key enrollment period has expired. Please log in to re-enroll a new key."

Something similar to this was in the recent npmjs thing.

[tialaramex]

I can't find any trace of such a thing, do you have links?

What would it even mean to "log in" if they reject my authenticator ? Logging in is what it's for.

[immibis]

You have to log in with your password, of course. And then re-enroll your authenticator.

[tialaramex]

So, firstly, this won't actually help them which is why they won't try it. GitHub is aware that passwords are crap and since I have a Security Key it will ask to see my Security Key, "But I know tialaramex's password" doesn't help you.

But also you presented no evidence they can somehow detect their problem and try to ask for the password even if it would help them.

[ziml77]

Again? Phishing is a constant threat. And it's easy to fall for them because you only need to drop your guard once to become a victim. Stress, tiredness, or intoxication can all contribute to even someone who thinks they're good at spotting phishing attempts suddenly falling for one.

[koakuma-chan]

Phishing attempts are usually low-effort and easily seen through, npmjs.help one was good though.

[stronglikedan]

> low-effort and easily seen through

To make up for that, they cast a wide net. It's a numbers game, like the guys that ask every single woman they meet for their phone number. It costs nothing or next to it, and all you need is one for a payoff.

[koakuma-chan]

I think that if you actually make a proper phishing website, get an actually plausible domain, and not make spelling mistakes, you can increase your conversion rate dramatically. Also why do they ask for a phone number if you can just ask her out right away.

[stusmall]

It never became unpopular. It's one of, if not the, leading cause of compromise.

[pmichaud]

I experience and wonder the same thing, but literally yesterday I had to help my grandmother recover from a phishing scam that actually (very nearly) worked on her. So there you go.

[Workaccount2]

The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you.

[diggan]

Is that different from other types of scams? You could say the same about most of them, they automatically filter away people not falling for it?

[alexsmirnov]

Phishing is dumb and easy to detect by purpose. I's to filter victims who are an easy target.