I fell for a password phishing email once. The moment I clicked the login button I thought “Wow, I’m so trained to do this all you have to do is show me the button and I’ll click it.” I realised a split second later of course, and felt like a raging moron for not paying attention.
The thing is, why should you have to pay attention? Even if you’re not quite as dim as me, it still takes a little bit of mental effort to tell a well-made fake email from the real thing, and it’s a lot harder if you’re not tech-savvy enough (or too groggy from just waking up) to spot the warning signs. I think there’s a very simple addition to normal security measures that would make recognising fake emails and account pages universally effortless, while requiring no extra input from the average user.
When a new user signs up, they’re presented with a randomly chosen “security colour”. They can pick a different one if they prefer, and from then on the colour is displayed as a banner or badge on every official communication from the site.
The colour would be kept secret, like your password, so any potential phishers would have to guess at what colour to use. The actual way the colour is displayed could be styled a little to match the site, but as long as it’s used prominently and consistently enough to become part of the expected branding, an off-colour message would appear as obvious as one with the wrong logo or name.
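To make the scheme concrete, here is one way a site could implement it server-side. This is an added example, not code from the post; the palette, the `SecurityColourService` class and its method names are my own assumptions. It shows the three pieces the scheme needs: the colour is drawn with a cryptographic RNG at sign-up (it is a secret, so it must not be predictable), stored against the account, and stamped on every official message, while the user's mental check treats a missing banner the same as a wrong one. `guess_probability` makes the palette-size trade-off explicit: a phisher who knows the palette still has a 1-in-N chance of getting a given user's colour right.

```python
import secrets
from dataclasses import dataclass

# Constructed palette (hypothetical): names that are easy to tell apart at a glance.
PALETTE = {
    "crimson": "#dc143c",
    "teal": "#008080",
    "goldenrod": "#daa520",
    "indigo": "#4b0082",
    "olive": "#808000",
    "coral": "#ff7f50",
    "slate": "#708090",
    "magenta": "#ff00ff",
}


@dataclass
class Account:
    email: str
    security_colour: str  # a key into PALETTE; treated as a secret like the password


class SecurityColourService:
    """Assigns and stores each user's secret colour and stamps it on official messages."""

    def __init__(self, palette=PALETTE):
        self.palette = palette
        self.accounts = {}  # in-memory stand-in for the user table (email -> Account)

    def sign_up(self, email: str) -> Account:
        # secrets.choice rather than random.choice: the colour must not be
        # recoverable by anyone who can guess the state of a seedable PRNG.
        colour = secrets.choice(sorted(self.palette))
        acct = Account(email, colour)
        self.accounts[email] = acct
        return acct

    def change_colour(self, email: str, colour: str) -> None:
        """Let the user pick a different colour, restricted to the known palette."""
        if colour not in self.palette:
            raise ValueError(f"unknown colour {colour!r}")
        self.accounts[email].security_colour = colour

    def render_banner(self, email: str) -> str:
        """Banner placed at the top of every official message to this user."""
        colour = self.accounts[email].security_colour
        return (
            f'<div class="security-banner" data-colour="{colour}" '
            f'style="background:{self.palette[colour]}">'
            f"Your security colour: {colour}</div>"
        )

    def compose_official_message(self, email: str, body: str) -> str:
        """Every outbound message carries the banner, so its absence is itself a warning."""
        return self.render_banner(email) + "\n" + body

    def message_matches(self, email: str, message: str) -> bool:
        """The check the user performs by eye: is MY colour on this message?
        A message with no banner fails exactly like one with the wrong colour."""
        expected = f'data-colour="{self.accounts[email].security_colour}"'
        return expected in message


def guess_probability(palette_size: int) -> float:
    """Chance a phisher who knows the palette picks a given user's colour by luck."""
    return 1.0 / palette_size


if __name__ == "__main__":
    svc = SecurityColourService()
    svc.sign_up("alice@example.com")  # constructed sample account
    svc.change_colour("alice@example.com", "teal")
    real = svc.compose_official_message("alice@example.com", "<p>Your invoice is ready.</p>")
    phish = "<p>Your account is locked. Click to log in.</p>"  # constructed: no banner
    print("real message passes:", svc.message_matches("alice@example.com", real))
    print("phish passes:", svc.message_matches("alice@example.com", phish))
    print("guess chance with this palette:", guess_probability(len(PALETTE)))
```

The banner carries the colour both as a visible style and as a `data-colour` attribute so that a mail client or browser extension could automate the same comparison the user makes by eye; the palette size is the tuning knob between colours a user can reliably distinguish and the odds a phisher guesses correctly.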