Traveling to the wrong webpage pwning you is a piece of hacklore so outdated they replaced it with the updated QR code version. Clicking a link has not been a dangerous activity for years. When the rare browser exploit is discovered, it's patched immediately.
I must be misunderstanding you because phishing happens weekly with huge consequences. It's not browser exploits, it's an email that looks legit enough with an incorrect URL or a page that's so convincingly identical to PayPal you feed it the information. Just this week:
Phishing is tricking someone into providing confidential information to a malicious party/site. "Don't click on suspicious links" is, IMO, an overreaction that fails to teach people the core lesson that is "Always confirm that you're providing sensitive information to the party you think you are".
Online, we've made it exceptionally easy to make those sorts of checks: a website, served over HTTPS, is coming from the URL. Other systems are so, so much worse about this. Any system where unauthorized impersonation is possible is a technical failure, and the fault for abuse of that unauthorized impersonation is on the providers and designers of that system. Like phone calls. Or email.
People tend to be pretty good at differentiating between "this person can be trusted with sensitive information", and "I shouldn't trust this stranger". What they need are the tools to determine who they're talking to.
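The check discussed above (an HTTPS page comes from the host in its URL, so confirm that host is the party you expect) as an added example that is not part of the original comments. `EXPECTED_HOSTS`, `checkLink` and the sample links are constructed for illustration.

```javascript
// Added example: does this link really lead to the party you expect?
// EXPECTED_HOSTS and SAMPLES are constructed values, not taken from the thread.
const EXPECTED_HOSTS = new Set(["paypal.com", "www.paypal.com"]);

function checkLink(link, expected = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: the same rules a browser applies
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Without TLS nothing authenticates the host, so the name proves nothing.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not-https", host: url.hostname };
  }
  // hostname is already lowercased and IDNA-encoded; drop a trailing FQDN dot.
  const host = url.hostname.replace(/\.$/, "");
  if (!expected.has(host)) {
    // Non-ASCII names surface as xn-- labels, exposing homoglyph hosts.
    const idn = host.split(".").some((label) => label.startsWith("xn--"));
    return { ok: false, reason: idn ? "unexpected-idn-host" : "unexpected-host", host };
  }
  return { ok: true, reason: "expected-host", host };
}

// Constructed sample links, each showing a different way text can mislead.
const SAMPLES = [
  "https://www.paypal.com/signin",              // the real host
  "http://www.paypal.com/signin",               // right name, no TLS
  "https://paypal.com@login.example/signin",    // name sits in the userinfo part
  "https://www.paypal.com.login.example/",      // name is only a subdomain prefix
  "https://p\u0430ypal.com/signin",             // Cyrillic "а" in place of Latin "a"
];

for (const link of SAMPLES) {
  const r = checkLink(link);
  console.log(`${r.ok ? "OK    " : "REJECT"} ${r.reason.padEnd(20)} ${r.host ?? ""}`);
}
```
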
If leadership won’t bring the same rigour of safety culture - which is mandated by legislation - to security? Don’t bother, just move on.
SitusAMC https://www.situsamc.com/databreach
Harvard University https://www.bleepingcomputer.com/news/security/harvard-unive...
Iberia Airline https://www.bleepingcomputer.com/news/security/iberia-disclo...
Salesforce via Gainsight https://status.salesforce.com/generalmessages/20000233