> banks and other institutions continue to send legitimate messages that look like phishing.
The Canada Revenue Agency (tax collectors) once called me up about something. They literally said "To verify your identity, please give me your social insurance number". It's hard to blame people when actual government agencies are training people to be phished.
I ranted about something similar when it came out how the US Internal Revenue Service was implementing authentication for their free-filing service.
They're training taxpayers to put in large amounts of extremely sensitive personal information into a third-party domain called "id.me". Even if you trust the private company, I think it's insane they didn't at least whitelabel the process through a *.irs.gov domain!
(For those curious, the .me TLD is run by the country of Montenegro. Control over DNS has some security implications for phishing and man in the middle attacks.)
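The complaint above is that the "check the domain" heuristic only works when the login actually lives under the organisation's own domain. As an added illustration (not code from any commenter or from the IRS), here is a small Python check that classifies a URL as first-party or third-party against an allow-list of expected organisation domains; the allow-list and the sample URLs are constructed for the example. It matches on label boundaries, so `irs.gov.example.com` or `notirs.gov` are not mistaken for `irs.gov`, and it takes the host from the parsed URL, so a `user@` prefix in the authority part does not fool it either.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list for this example: the domains a user would reasonably
# expect a tax-agency login to live under. This is an assumption, not a real policy.
EXPECTED_DOMAINS = ("irs.gov", "canada.ca")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL (no port, no userinfo), or None."""
    # Bare hosts such as "id.me/login" have no scheme; add one so urlsplit
    # treats the first component as the authority rather than the path.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname  # urlsplit lowercases this and drops userinfo/port
    if not host:
        return None
    return host.rstrip(".")  # "irs.gov." and "irs.gov" are the same name


def is_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The match is on a label boundary: a plain endswith() would accept
    "notirs.gov", and a substring check would accept "irs.gov.example.com".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """Classify a URL as 'first-party', 'third-party', or 'no-host'."""
    host = hostname_of(url)
    if host is None:
        return "no-host"
    for domain in EXPECTED_DOMAINS:
        if is_under_domain(host, domain):
            return "first-party"
    return "third-party"


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike shapes the check must reject.
    for sample in (
        "https://sa.www4.irs.gov/secureaccess/",   # genuine subdomain
        "https://api.id.me/oauth/authorize",       # third-party vendor domain
        "https://irs.gov.example.com/login",       # expected name used as a prefix
        "https://irs.gov@example.com/",            # expected name hidden in userinfo
        "https://notirs.gov/",                     # shares a suffix, not a label
    ):
        print(f"{classify(sample):12} {sample}")
```

The point for a defender is that only the first sample passes, and that a real agency that outsources its login to a vendor domain forces its users to accept the second shape, which is exactly the shape a phishing page uses.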
"Contact the suspicious person back through the official number or website" is always a good heuristic, especially since it works pretty well as advice for non-technical relatives.