coldfoundry 2 days ago
Why does it seem like phishing is popular again? Maybe bad actors forgot how gullible humans were? I get phishing attempts nearly daily via email or SMS and I honestly thought “Who would fall for this?” every time one came in. The only phishing I can see that would be extremely hard to detect are browser extension injections (either in extension window or page replacement) so the domain is legitimate.
diggan 2 days ago
> Why does it seem like phishing is popular again?

Was it ever not popular? Looking at my spam box, I receive countless phishing attempts per week, and doing some quick queries of the total count over time, it seems to have more or less been the same for the last 2-3 years at the very least.

I'm not sure why it's such big news all of a sudden, probably because it recently succeeded against a developer of some popular npm packages?

I think most people either have the phishing emails flagged, so they never see them. The ones that get seen, get ignored as obvious phishing. And for the ones that click the link, their password manager would stop them from entering their details. And then you have the final 0.0001% who never protected themselves, and were tired/stressed at that very moment, and fell for it.

So I guess ultimately it's bound to become news every now and then, until everyone finally got the memo to get a proper password manager that doesn't show accounts that don't belong to the domain.
kannanvijayan 2 days ago
Pure speculation - but I'm wondering if one or a few of the black hat players has figured out a good way to leverage AI to phish more effectively at scale, and are taking a stab at all the venues that host code that's within a lot of dependency chains.
khy 2 days ago
A little thing that doesn't help the situation is when legitimate emails link you to domains that aren't obviously controlled by the company. For example, yesterday at work I got an onboarding email from Lattice (lattice.com) with a link to latticehq.com, which triggered my phishing instincts before I remembered that was their old domain.
EvanAnderson 2 days ago
From my perspective, adjacent to front-line end user IT support in a lot of the work I do, phishing has never not been popular in the last couple decades. It feels like it has become significantly more prevalent in the last couple years (tracking the rise of "business email compromise" being a term-of-art).
tracker1 2 days ago
One of the worst, my SO approved "notifications" on some website... and was getting viral alert notifications via that system. It looks like a typical tray notification in Windows, and other than it's got a Chrome header, it would be pretty easy to fall for.

And this is why, before they passed, one of my Grandmothers was on Linux, and my other was on a Chromebook... no cleaning off random Windows malware twice a year.
stravant 2 days ago
People realized that past phishing attempts were quite badly constructed and a well constructed one is actually really easy to fall for.
shit_game 2 days ago
I can't imagine that the absurd number of greenhorns entering the industry due to their "vibecoding prowess", or the inevitable number of people in management that perpetuate this fantasy of nocoder devs has anything to do with it. Surely not.
ziml77 2 days ago
Again? Phishing is a constant threat. And it's easy to fall for them because you only need to drop your guard once to become a victim. Stress, tiredness, or intoxication can all contribute to even someone who thinks they're good at spotting phishing attempts suddenly falling for one.
koakuma-chan 2 days ago
Phishing attempts are usually low-effort and easily seen through; the npmjs.help one was good though.
stusmall 2 days ago
It never became unpopular. It's one of, if not the, leading cause of compromise.
pmichaud 2 days ago
I experience and wonder the same thing, but literally yesterday I had to help my grandmother recover from a phishing scam that actually (very nearly) worked on her. So there you go.
Workaccount2 2 days ago
The worst (or best, I suppose) thing about phishing is that it automatically filters in the fools for you.
WesolyKubeczek 2 days ago
When you grab a domain which is plausibly very similar to the legit domain the organization you work with is using, you can forge emails that will make your email client show all sorts of “verification passed” badges next to them. You can further appeal to developers’ geeky hearts by not making language mistakes and actually using verbiage present in real emails as sent by them. You can exploit recent supply chain attacks and the sense of urgency and panic that developer blogs have created by pressing for even more urgency. Seems like this does work. Don’t worry, when they actually target you, you’ll be caught.
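
An added example, not part of any comment in this thread: a mail-filter check showing why a "verification passed" badge only proves which domain sent the message, and how an allowlist separates the npmjs.help lookalike from a legitimate second domain such as latticehq.com. The `KNOWN_SENDERS` allowlist, the sender addresses, the sample messages and the `mx.example.net` host are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed allowlist (constructed): brand label -> domains it really sends from.
KNOWN_SENDERS = {
    "npmjs": {"npmjs.com"},
    "lattice": {"lattice.com", "latticehq.com"},  # old domain still in use
}

def registrable(domain):
    # Naive last-two-labels cut; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify(raw_message):
    msg = email.message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1]
    domain = registrable(address.rpartition("@")[2])
    # The receiving server's verdict; "pass" only proves the mail came from `domain`.
    auth = msg.get("Authentication-Results", "")
    dmarc_pass = re.search(r"\bdmarc=pass\b", auth, re.I) is not None
    if any(domain in domains for domains in KNOWN_SENDERS.values()):
        return "known-sender" if dmarc_pass else "known-domain-unauthenticated"
    label = domain.split(".")[0]
    if any(brand in label for brand in KNOWN_SENDERS):
        # Brand name on a domain the brand does not own: the badge is misleading.
        return "lookalike-authenticated" if dmarc_pass else "lookalike"
    return "unknown-sender"

def sample(from_header, dmarc):
    # Constructed message; mx.example.net is a placeholder receiving host.
    return (f"From: {from_header}\n"
            f"Authentication-Results: mx.example.net; dmarc={dmarc}\n"
            "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for hdr, verdict in [("npm <support@npmjs.help>", "pass"),
                         ("Lattice <no-reply@latticehq.com>", "pass"),
                         ("npm <support@npmjs.com>", "fail")]:
        print(hdr, "->", classify(sample(hdr, verdict)))
```

The `lookalike-authenticated` result is the case worth alerting on: the message is fully authenticated, but for a domain that merely contains the brand name.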
alexsmirnov a day ago
Phishing is dumb and easy to detect on purpose. It's to filter victims who are an easy target.