No, we don't, or shouldn't, ask people to check the URL itself, because homonym attacks are a thing. The goal is to make sure that your credentials can't be compromised by surfing the wrong website (e.g. by using Passkeys instead of passwords).
IDK about how you scan them, but when I scan one with my camera, I see the top domain part (e.g. it would show 'ycombinator.com' for a link to this page) and have to tap that to open the link. So, that not only satisfies the "can look at" part, but also neutralizes some of the deceptive URL tricks like the ol' `google.com-secure-signin.php-sfd7sdfj.xyz/login.html`.
Oh wait, never mind. I guess I won't be signing up for electricity, then?
Also, the vast majority of people don't know that google.com and loginto-google.com aren't the same website, or that google.com.securesigning.net isn't real Google.
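The "show only the top domain part" behaviour mentioned in the comments above can be sketched as follows. This is an added example, not code from any commenter or from a real camera app; `PUBLIC_SUFFIXES` is a constructed, tiny stand-in for the real Public Suffix List, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption: constructed stand-in for the Public Suffix List (the real list is far larger).
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co.uk"}


def registrable_domain(url):
    """Return the public suffix plus one label: the part a scanner would display."""
    if "://" not in url:
        url = "https://" + url  # bare links, as written in the thread, carry no scheme
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        raise ValueError("URL has no host")
    # Convert Unicode hosts to their ASCII (xn--) form so look-alike characters show up.
    host = host.encode("idna").decode("ascii").lower()
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest; the first hit wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("host is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError("suffix not in the (constructed) suffix set")


def inspect_link(url, expected):
    """Compare what would be displayed against the domain the user expects."""
    shown = registrable_domain(url)
    return {
        "shown": shown,
        "matches": shown == expected,
        "punycode": any(label.startswith("xn--") for label in shown.split(".")),
    }


if __name__ == "__main__":
    # Links quoted in the thread, plus one constructed look-alike (Cyrillic "o" twice).
    samples = [
        "https://news.ycombinator.com/item",
        "google.com-secure-signin.php-sfd7sdfj.xyz/login.html",
        "https://google.com.securesigning.net/",
        "https://loginto-google.com/",
        "https://g\u043e\u043egle.com/",
    ]
    for link in samples:
        print(link, "->", inspect_link(link, "google.com"))
```

Everything to the left of the registrable domain is chosen by whoever controls that domain, which is why displaying only that part removes the padding used in the deceptive examples.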
If your device gets busted by opening a URL, without any further confirmation or user interaction, your browser/camera app/third party app is broken.
The user doesn't need to know the exact URL to confirm an interaction they've just started.
The point of the confirmation is 10% account creation and 90% confirming that the user knows their own email address and can type it in correctly. That's actually more challenging to the wider audience than you might think.
> Oh wait, never mind. I guess I won't be signing up for electricity, then?
You ~~will~~ should be picking up your phone and calling the electrical company to confirm and to tell them their links are nonsense. Couldn't bother with AI agent on phone, or 60 min waiting queue to a human? Fuck it, don't pay the bill, figure it out later.
This advice sounds like nonsense. CS has neither knowledge of what layers of enterpriseware have wrapped their links, nor the domains that software uses, nor any control over those decisions by software engineering or marketing (or perhaps even more removed, some third-party electricity account management platform that they buy as a service).
You certainly could operate on policies like this, but I think most people prefer to spend their time differently instead of arguing with strangers who don't have any way to solve your problem.
Their customer support people don't know what I mean and they especially don't have any power to change this.
The problem isn't paying the bills (I can't recall the last time I ever needed to do that manually), the problem is that pretty much every service uses trackers and shorteners. The only way to opt out is to opt out of society.
Maybe I should, but this "read the link before you click" advice isn't just geared towards hardcore privacy advocates. It hasn't worked in ages. It also doesn't help that companies like Outlook rewrite links to make them redirect through their malware scanners as well.