When a Security Engineer Nearly Gets Scammed robertheaton.com

This story from Robert Heaton resonated with me as I, too, have nearly fallen into a similar trap.

A while back, I received what appeared to be an automated cPanel email alerting me that one of my web servers was nearly full. I first saw the email on my phone and it looked perfect, but I was not prepared to administer cPanel while grocery shopping.

When I checked it out on my computer later, the button’s link was hidden behind a URL shortener. That seemed odd. I decided to log into my server using a known good address and I was relieved for two reasons: first, the server was nowhere near full; second, I did not become the victim of a clever phishing scam.

The hoax Heaton nearly fell for was a banking one, but it is broadly similar in its attention to detail. There seem to be two main categories of scam. One attempts to con only the most vulnerable people by using tactics that feel obviously fake to the vast majority of us, in the hope that we will self-select out of being scammed. The other is far more clever and really does feel legitimate. The criminals have done enough work to understand their specific target. That is pretty scary.

One of the things that would have saved me from the cPanel phishing attempt, had I clicked on the button, is that my username and password would not have autofilled from iCloud Keychain because the domain was different. That likely would have tipped me off that something was not right. I know it is trite advice, but use a good password manager — not only for the more obvious reasons, but also because it will give you a moment to think when it does not work as expected.