by OkayPhysicist 211 days ago
Phishing is tricking someone into providing confidential information to a malicious party/site. "Don't click on suspicious links" is, IMO, an overreaction that fails to teach people the core lesson that is "Always confirm that you're providing sensitive information to the party you think you are".

Online, we've made it exceptionally easy to make those sorts of checks: a website, served over HTTPS, is coming from the URL. Other systems are so, so much worse about this. Any system where unauthorized impersonation is possible is a technical failure, and the fault for abuse of that unauthorized impersonation is on the providers and designers of that system. Like phone calls. Or email.

People tend to be pretty good at differentiating between "this person can be trusted with sensitive information" and "I shouldn't trust this stranger". What they need are the tools to determine who they're talking to.
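The check the comment describes for the web, "the HTTPS origin tells you who answered", as an added example that is not part of the commenter's post. It assumes TLS has already done its job (the browser only accepts the page if the server presented a valid certificate for the host in the URL), so all that remains for the user or a script is to compare the URL's origin with the party they intend to talk to. The hostnames `bank.example` and `evil.example` and the sample URLs are constructed for illustration; they are not from the thread.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Return the (scheme, host, port) origin of a URL, or None if it is not HTTPS.

    Only an HTTPS origin carries the guarantee the comment relies on: the server
    that answered proved, via its certificate, that it is the host named here.
    Plain http:// gives no such proof, so we refuse to derive an origin from it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    # .hostname drops any userinfo ("bank.example@...") and the port, and is
    # already lower-cased; the userinfo trick is a classic way to put a trusted
    # name in the address bar text while the real host is something else.
    host = parts.hostname
    if not host:
        return None
    port = parts.port or 443  # default HTTPS port when none is given
    return ("https", host.lower(), port)


def same_party(url: str, expected_host: str) -> bool:
    """True only when the URL's authenticated host is exactly the expected one.

    Exact comparison is deliberate: "bank.example.evil.example" is a different
    registrable name, even though it starts with the trusted host, and a
    certificate for it proves nothing about bank.example.
    """
    origin = origin_of(url)
    if origin is None:
        return False
    return origin[1] == expected_host.lower()


# Constructed sample inputs (hypothetical hosts) and the verdict each should get.
SAMPLES = {
    "https://bank.example/login": True,                     # the real party
    "https://BANK.example:443/login": True,                 # case and explicit port do not matter
    "https://bank.example.evil.example/login": False,       # trusted name used as a subdomain prefix
    "https://bank.example@evil.example/login": False,       # trusted name hidden in userinfo
    "http://bank.example/login": False,                     # no TLS, so no proof of who answered
}


if __name__ == "__main__":
    for sample_url, expected in SAMPLES.items():
        verdict = same_party(sample_url, "bank.example")
        print(f"{verdict!s:5}  {sample_url}")
        assert verdict == expected
```

The point of keeping the comparison strict is the one the comment makes: the system already gives you a reliable identity (the certificate-backed host), so the only remaining question is whether that host is the one you meant, and a check that tolerates "looks similar" gives that guarantee away.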