cmurf 4 days ago
AMEX fraud support group called me. A real live agent. Capital One texts codes during live calls and requests the customer read the code to them. A health care provider sends emails with links to a 3rd party domain to provide encrypted email, because a) regular email isn’t supposedly not HIPAA compliant and b) apparently the health care provider’s web and app infrastructure which provides secure messaging is not secure enough for certain messages. It’s indistinguishable from a phishing attack. Hospital direct invoicing by email also includes 3rd party links, which takes the user to a site asking for personal information including SSN. It’s certainly phishing. Right? Nope, it’s legit, and no option to get a mailed bill once volunteering an email address. I think half of mobile device users don’t know or can’t handle a best practices workflow. The reality is the tech industry sucks, it’s bad at its job, gives shitty advice to everyone then goes and violates all of it leading to loss of trust.
reaperducer 4 days ago
> regular email isn’t supposedly not HIPAA compliant

It isn't. I work in healthcare, and if anyone in the company sends an email with PHI or PII in it, we're supposed to alert the Security department, or lose our jobs.