Spammers are getting smarter about this. I've now seen a a couple where the spammer seems to have used a tool like httrack to make a copy of the target login page. If you're not watching for the domain carefully, it would be pretty easy to get suckered. There are also starting to use TLS as well. In a way, we've set our users up for failure. For a long time, we've trained people to look for the "green lock", which most browsers use to denote that a site is encrypted. When certificates cost money to get, spammers wouldn't bother. With Let's Encrypt making that cost zero, and making it dead simple to use, spammers are exploiting that training. We're going to have to get better at training our users. And our users are going to have to get smarter about security.
X-Post from DW