I have to assume that people here can be successfully phished
Over on Mastodon, I said some things in a conversation:
@cks: Given what mobile browsers are doing to the visibility of web page URLs plus how many 'you must authenticate' web services we have, I basically assume that a lot of our users can be phished by anyone who tries hard enough.
(Some spammers are starting to work that hard, but they're not doing phish spam, they're doing the 'please can you do me a favour' manual spam.)
@cks: Our latest finphishing cloned someone's signature block, too, which shows some reasonably decent advance scouting. I was a bit alarmed by that; with some more work they could have made it very hard to tell in typical mail clients.
(I'm only including my remarks for obscure reasons; see Mastodon for the full conversation.)
An increasing number of people read email and use the web from smartphones and tablets, where mail clients and browsers are making the details of where URLs go and what website you're on harder and harder to see casually. This combines badly with the sort of environment we have, where there is a broad assortment of web services that require you to authenticate with your password (because we can't ask people to remember multiple passwords). The odds that people on a smartphone could tell a well done fake phish website from one of our real websites is relatively low. It wouldn't even necessarily have to try to duplicate one of our existing sites; an attacker could put together something that looks like a convincing internal administrative service, then send targeted email to staff, professors, or grad students. People are are already used to new services they have to use being introduced periodically.
There are various organizational things that could be done to try to reduce this, but it's a hard problem in general as long as we use passwords alone. And introducing any sort of two factor authentication would have its own significant challenges that are well beyond the scope of this entry.
But even that's not the whole story, as my second toot is sort of about. The modern sort of finphishing attacks aren't after your password, they're directly after your money by persuading you that your boss or other important person urgently needs you to buy some gift cards (and then pass them on to the spammer, whether or not you realize that that's what you're doing). These attacks are also made easier by how modern smartphone and tablet mail clients typically present email; if you can make the message body, signature, and subject line look authentic enough, that's almost all of what people will see and what they'll make judgments based on. And people are trusting.
I don't really have any answers here. Mostly I'm glad that we seem to be targeted relatively infrequently and don't have more problems than we do.
(Alternately, perhaps plenty of our users have been compromised but the spammers are just keeping things quiet enough that we don't notice.)