
How would any normal person know that npmjs.help is phishing, but npmjs.com is valid?


It wasn't a "normal person"; it was a developer that put this into a README of his package:

> But beyond the technical aspects, there's something more critical: trust and long-term maintenance. I have been active in open source for over a decade, and I'm committed to keeping Chalk maintained. Smaller packages might seem appealing now, but there's no guarantee they will be around for the long term, or that they won't become malicious over time.

I expect him to know better.


Does this mean you verify EVERY domain you use? How to even do that?

Shouldn’t this be solved some other ways?


I do it by reading the domain name and comparing it to what I expect it to be. It's not hard, and when in doubt I can easily check WHOIS info or search online for references.

This is also easily avoidable by using a password manager, which will not autofill credentials on a page with a wrong domain.

Edit: And yes, I do this for every link emailed to me that does anything more high stakes than point me to a newsletter article.
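As an added example (not part of this thread), here is the matching rule a password manager applies before autofilling, written in Python: the link's host must be the expected registrable domain or a subdomain of it, so npmjs.help fails while www.npmjs.com passes. The function names and the sample links are constructed for the illustration.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, stripped of userinfo, port and trailing dot.

    urlsplit().hostname already drops 'user:pass@' and ':port', which defeats the
    'https://npmjs.com@evil.example/' trick: the real host is what follows the last '@'.
    """
    if "://" not in url:
        url = "https://" + url  # bare hostnames are treated as https links
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def same_site(url: str, expected_domain: str) -> bool:
    """True only if the link's host is expected_domain itself or a subdomain of it.

    Matching on the registrable domain (not on a substring) is what makes
    'npmjs.help' and 'npmjs.com.evil.example' fail while 'www.npmjs.com' passes.
    """
    host = host_of(url)
    expected = expected_domain.rstrip(".").lower()
    return host == expected or host.endswith("." + expected)


def classify_links(links, expected_domain: str) -> dict:
    """Map each link to 'ok' or 'MISMATCH' against the domain the user expects."""
    return {u: ("ok" if same_site(u, expected_domain) else "MISMATCH") for u in links}


# Constructed sample: links as they might appear in a credential-reset email.
SAMPLE_LINKS = [
    "https://www.npmjs.com/package/chalk",
    "https://npmjs.help/account/verify",
    "https://npmjs.com.evil.example/login",
    "https://npmjs.com@npmjs.help/login",
    "NPMJS.COM./settings",
]

if __name__ == "__main__":
    for link, verdict in classify_links(SAMPLE_LINKS, "npmjs.com").items():
        print(f"{verdict:8} {link}")
```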


I think it’s unreasonable to expect that people will do this. Most people have no idea what a domain is; they won’t be able to check WHOIS records.


To state the obvious, one ends with "help", the other with "com". It effectively is phishing awareness 101 that domains need to match.

You still don't know then of course. When in doubt you shouldn't do the action that is asked through clicking on links in the mail. Instead go to the domain you know to be legit and execute the action there.

Having said all that, even the most aware people are only human. So it is always possible to overlook a detail like that.


Corollary: don't click on any email links. (Most use some dumb domain name that could be phishing.)


There are many sites which provide ONLY links, e.g. with a token in the URL. What about those?


This is the problem. Those need to be very carefully clicked.

The whole web is a darn mess! I have no ideas for solutions.



