I’ve been doing a series of user susceptibility testing and, following the usual pattern of legitimate looking sites I just got the view I was trying to hard.
There is an underlying premise in user testing that users will, in general, only click malicious links they are not able to determine that link is malicious. That is probably true amongst certain groups.
In many places, I would reject that notion. This website exists to demonstrate, even very clearly calling out what’s on offer will present a minimal change to the risk.
So far it’s been disturbingly effective.