(Comments)

Original link: https://news.ycombinator.com/item?id=41596466

Multiple domains can offer organisations such as GitHub a range of benefits, letting them separate sensitive activities such as marketing or security operations. Owning many domain names lets a business protect its reputation and avoid the problems that spam-like mail would otherwise bring to its main domain. However, misusing many domains (Amex, for example) can cause confusion and damage the company's image. Building separate websites to advertise a software-as-a-service (SaaS) product, rather than consolidating them under one domain, also makes it possible to serve consent forms specifically to European Union (EU) users.

This ties in with the General Data Protection Regulation (GDPR), which brings tasks such as appointing a data protection officer, user data deletion and user data take-out, together with the cost of implementing compliance. These steps are meant to ensure privacy and prevent potential data leaks. In addition, a stored IP address counts as personally identifiable information (PII) and needs careful handling during disaster recovery, particularly when restoring from backups: individuals who were anonymised or deleted after the backup was created must stay anonymised and deleted.

Moreover, despite claims to the contrary, phishing techniques can deceive less technical users. Scammers put their effort into devising new methods aimed at ordinary internet users rather than experienced professionals. Emails impersonating reputable senders such as PayPal can still lead users to hand over sensitive details, resulting in financial loss or identity theft. Finally, trusting links in emails, or assuming that email content is inherently legitimate, carries phishing risk. To counter these threats, individuals must stay cautious when they receive unexpected emails, especially ones demanding an immediate reply or action, and follow basic online-safety practices such as not opening attachments or clicking unknown links in emails.

Original comments


Do people really fall for scams like that?

First, I assume the author knows the email came from github, as the screenshot does not show this very clearly. If that's the case:

Red flag #1: email links to a variation of real domain. If you don't have information on who github-scanner.com is, it is pretty safe to assume it's a scam, just because it sounds like a real website.

GIANT Enormous Huge Red Flag #2: captcha asks you to type commands in a shell. I have no comment on how naive one must be to do this.
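Red flag #1 above is something a mail filter can check mechanically. The following is an added example, not code from the thread: it extracts links from a message body, reduces each host to its registrable domain and flags hosts that carry the brand name without belonging to an allowlist of domains the organisation actually uses (github.com and githubusercontent.com are named in the thread; github.io, the two-label domain rule and the sample message are assumptions for the demo).

```python
"""Flag links whose domain only resembles a trusted brand domain (added example)."""
import re
from urllib.parse import urlparse

# Domains the organisation really uses. github.com / githubusercontent.com are
# mentioned in the thread; github.io is assumed here for the demo.
TRUSTED = {"github.com", "githubusercontent.com", "github.io"}
BRAND = "github"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: good enough for .com-style
    TLDs; a real filter would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """'trusted' for allowlisted domains, 'lookalike' when the brand name
    appears anywhere in a host we do not own, 'unknown' otherwise."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return "trusted"
    # Catches github-scanner.com as well as github.com.evil.example
    if BRAND in reg.replace("-", "") or BRAND in host:
        return "lookalike"
    return "unknown"


def scan_message(body: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link found in the message body."""
    return [(u, classify(u)) for u in URL_RE.findall(body)]


# Constructed sample message modelled on the scam discussed in the thread.
SAMPLE = """\
We found a security issue in your repository.
Verify at https://github-scanner.com/verify?user=example
Docs: https://docs.github.com/en/authentication
Raw file: https://raw.githubusercontent.com/example/repo/main/README.md
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:9} {url}")
```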



It’s a numbers game.

Nobody is perfect. The more features of credibility, most likely there will be a higher percentage of conversions. But not everybody has excellent vision, is not time-pressured, and is not tired/exhausted.

There are lots of conditions that make otherwise difficult fraud targets more easy to trick.

And if it can be done at large scale / automated, then small conversion rates turn into many successful frauds (compromised accounts).



I think they’re hoping for coincidences and the higher the numbers the more likely they’ll find one.

I got a real letter from the IRS two days before I got the scam message on my answering machine. The timing was uncanny and I might easily have fallen for it, had I not already dealt with it.

It’s the same for the Chinese language calls, if you speak Chinese it really resonates.

There was a scam in the 90s where you’d call a number and they’d give you sports betting advice. They’d do it for free as a promotion trying to sell their service when you won. They’d tell half the callers bet team A and the other half team B. The numbers made it work.

“Splitting games 50-50 like that—known in the biz as "double-siding"—is the oldest trick in the handicapper's very thick book. That way he knows he has at least some happy customers coming back.”

https://vault.si.com/vault/1991/11/18/1-900-ripoffs-the-ads-...



Agree, I once fell for a scam that I think I otherwise wouldn't have because of a string of circumstances: being tired and stressed, it being Christmas time and I had actually ordered stuff, but also because I had just upgraded iOS to the first version that put the address bar in Safari on the bottom of the screen instead of the top, so I forgot to check the domain!

I've since changed the address bar back to the top…

In the end I didn't lose anything, but it was a good wakeup call for sure.



Thanks for this summary. People often forget they (hopefully) have grandmas and themselves sometimes making mistakes as well for -- whoever knows what reason. Sometimes.



If this was within my first year of owning a GitHub account, I would absolutely fall for this.

It's not much different from setting up your ssh key - something that you have to do; and new users also go through this workflow by copy pasting commands that GitHub sends them.



A prime example of how all the paranoid security hoops can easily make things more insecure in aggregate.

Since Microsoft embraced and extended it, GitHub has become one of the worst offenders.



A few weeks ago someone opened an issue in one of my repos. In under a minute two accounts replied with links to file lockers asking the user to download and try some software to solve their issue. No doubt it was malware. I promptly deleted the comments and reported the accounts to GitHub.

I wouldn’t have fallen for such an obvious ploy, but the original asker seemed like they weren’t particularly technical, judging by the sparse GitHub history and quality of the question. I could see them perhaps falling for that if they were uncritical and too eager to try anything.



I just don't get it, how hard could it be? How expensive could this be? Because lots of times they just pay these damages to the customer, because no one knows how this very secure credit card data was compromised. This baffles me. Someone, please enlighten us, there must be a valid reason - at least from an angle.



Having a bunch of different domains can serve multiple purposes.

In GitHub's case, they already have githubusercontent.com to avoid serving untrusted stuff from their own github.com domain.

Sending marketing or security scanner (potentially very spammy) notification emails from separate domains can help with reputation too, to avoid your main domain getting marked as spam.

These are all legit; Amex having 20 different domains, half of which smell like phishing, and still sending emails from other domains is just incompetence. Something like marketing people or someone dealing with strategy deciding to do stuff in a certain way, with nobody technical in the room to tell them why that would be a problem. As an example, a friend of mine's organisation wanted to do a SaaS website for their niche, and a separate website to advertise the SaaS (separate domain, visual identity, everything).



My theory for most of these cases: they would need permission from who knows what department(s) to set up a subdomain of the main domain for their project, and it's easier to just purchase a new domain for the team/project.



I'm old enough to remember ILOVEYOU. During years after that I have seen millions and millions thrown into educating users not to click on wrong things.

Last month I was at a conference where the keynote was from the CEO of a cyber security company. The whole point of the speech was that we need more money because in some cases more than 80% of users still fall for email scams. My very serious question to the speaker was - if after many millions and almost 25 years more than 80% of users still click on wrong links, then maybe we are doing something really wrong?



We are, but people want convenience.

Try to get a company built around Word to use another tech that doesn't require running unsigned macros from emails...

You literally can't, they laugh at you for saying things like "don't use Microsoft".



They measure by clicks… but clicking a link doesn't mean you'll follow through and put in your username, password, and 2fa code.

Ultimately he's a businessman seeking more money. Doesn't mean he can be trusted.



In my opinion, these products are nothing but scams. I can’t use any links from work emails on my phone because I can’t see the domain of a link without previewing the page. IT told me I needed to change system-wide settings to disable previewing webpages in every app on my phone. Not happening.

Fortunately, my work email supports IMAP, so I can use a script to scan my inbox for fake phishing emails and delete them.



We are not doing anything wrong, but we are completely neglecting the attacker side.

All our actions are defensive.

Look at our physical security. Basically nothing is reasonably protected. 99% of stuff (buildings, locks) can be broken into with tools available in any home depot.

The key reason why it doesn't happen that much is because it's possible to find the attacker.

Why can any scammer just create a website without any traceability? It wouldn't be foolproof, but it would raise the bar.



> Why can any scammer just create a website without any traceability?

Because of jurisdictional challenges.

Not to mention that this very same traceability would be abused by some other authoritarian gov't to track down dissidents for example.

There's no real way to systematically have good security, if the human element is the weakest link tbh. Securing windows is not a technical problem, but a social and educational one.



More like no will.

Does the domain/server implement the required level? No? Block the connection. Ditto email, with an automatic response.

Is your IP in a botnet? Cut it off.

Edit: I already get blocked connections (on the target site) because EU regulation is too onerous. I get reminded on basically every Google search that I am being censored (Some results may have been removed under data protection law in Europe).

Completely doable.



> I already get blocked connections (on the target site) because EU regulation is too onerous

More like "we want to track every single user coming to our website without giving them the option to not be tracked".



You can serve the consent form only to connections from the EU.

I have been part of several GDPR compliance projects and it's the other stuff that's the problem.

Data protection officer (recurring cost, even though it is only a part of a job, not a full-time position), user data deletion and user data take-out. Compliance is not free. If the system wasn't designed for it from the beginning, it's really expensive to add.

Restore from backup after disaster recovery - make sure you anonymize/delete people who were deleted after backup was made.

BTW, IP address is PII, so...

Honestly, it would be cheaper to buy everyone in the EU a VPN.



> You can serve the consent form only to connections from the EU.

Why? While I get that, if tracking is part of someone's business model, they want to track as many people as possible, I doubt it would be illegal to also give people who aren't in the EU the option to not be tracked. If it really would be so expensive to be compliant while also differentiating between users connecting from the EU and users connecting from outside the EU, why not just give everyone the option to choose whether they want tracking, as a measure to cut compliance cost?



You don't need to bomb anyone.

Add IP rules at cables inside and out of let's say EU and block it there.

Same way we deal with any non-compliance thing. You can't import it.

Your server/domain doesn't satisfy the requirements. Either the originator complies or not (e.g. through a trusted third party).



No geolocation is needed. And even if it was, these are technical problems, inherently solvable.

So far, we are building walls and replacing mortar with a new one, while attackers bombard us with complete impunity. This is never going to work.

This would of course need new extensions /protocols (even simplest would require authentication envelope around encrypted traffic).



The whole point is to move from technical solution (i.e. current approach) to legal one.

Not a single response had anything to do with either problem ITA or my comment.

I am not sure if you are troll, 10 y/o or gpt1, but have a nice day.



> GIANT Enormous Huge Red Flag #2: captcha asks you to type commands in a shell. I have no comment on how naive one must be to do this.

I guess critical thinking of devs and wannabe devs has been softened by all the `curl