HACKER Q&A
📣 another-dave

How do you educate non-techie family to tell what domain they're on?


Does anyone have any advice or resources for educating non-technical friends/relatives on how to spot simply what domain they are connected to?

I've seen family members almost scammed by fake UPS text messages over the Christmas break & it always seems a bit of a rabbit hole to explain to people who aren't very technically savvy — I'm resorting to "If you haven't instigated the contact, don't click on any links & validate through other channels. If you don't know, send me a screenshot", but want to provide better pointers to help people help themselves.

So far, the closest thing I've found is phishingquiz.withgoogle.com, but dislike the fact that:

* It doesn't actually explain _why_ something is a phishing attempt. E.g. the third question has a link to https://drive.google.com.download-photo.sytez.net/AONh1e0hVP. If you say that it looks legitimate, the explainer says "It looks like you missed the fishy look-alike URL. The real domain is 'sytez.net', but it is designed to look like Google Drive. Remember to be especially cautious if you aren't sure you know the sender." But it completely skips over how you should recognise that it points to "sytez.net" to begin with.

* It has an example that uses AMP redirects — google.com/amp/tinyurl.com/y7u8ewlr — which completely muddies the waters, because Google have the terrible practice of allowing unrestricted redirects to any URL from their domain; they're telling users that these links are "insecure" even though they're coming from a website they trust.

Think I need something a few steps back from the above phishing example, to tell them how to spot what main domain they are connected to — i.e. to be able to tell apart that they're on sytez.net not google.com in the above.

Thinking of building a browser plug-in to do it, as trying to explain it feels very open to confusion — between things like TLDs and second-level (like ".co.uk") and URL schemes which may or may not be hidden by the browser.
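As an added illustration of what such a plug-in would have to do (this is not the poster's code), the snippet below pulls the registrable "main" domain out of a URL, handling hidden schemes, userinfo, and two-level suffixes like ".co.uk". PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List; isOnDomain is a hypothetical helper name.

```javascript
// Added example, not code from the original post: pick out the registrable
// ("main") domain of a URL, the way a browser plug-in might, so the user can
// be told "you are on sytez.net", not google.com. PUBLIC_SUFFIXES is a tiny
// constructed stand-in for the real Public Suffix List a plug-in would ship.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "uk", "co.uk", "org.uk"]);

function registrableDomain(rawUrl) {
  // Browsers hide the scheme in the address bar; assume https when it is missing.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(rawUrl) ? rawUrl : "https://" + rawUrl;
  let host;
  try {
    // URL parsing strips userinfo (user:pass@), port, path and query for us.
    host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // not a URL at all
  }
  // IP literals have no registrable domain; report them unchanged.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;

  const labels = host.split(".");
  if (labels.length < 2) return null;
  // Walk from the longest tail to the shortest; the first tail found in the
  // suffix list is the public suffix, and the label before it is the owner.
  let suffixStart = labels.length - 1; // unknown TLD: treat the TLD itself as the suffix
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) { suffixStart = i; break; }
  }
  return labels.slice(suffixStart - 1).join(".");
}

// True only if the link really lands on the organisation the user expects,
// judged by the registrable domain, never by leading subdomains or the path.
function isOnDomain(rawUrl, expected) {
  return registrableDomain(rawUrl) === expected.toLowerCase();
}

// The two links from the question: the first is a look-alike, the second is
// genuinely on google.com even though "tinyurl.com" appears in its path.
console.log(registrableDomain("https://drive.google.com.download-photo.sytez.net/AONh1e0hVP")); // sytez.net
console.log(registrableDomain("google.com/amp/tinyurl.com/y7u8ewlr")); // google.com
console.log(registrableDomain("www.example.co.uk/news")); // example.co.uk
```

Note that the AMP link comes out as google.com, which is exactly why the redirect it then performs has to be explained separately from "what domain am I on".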


  👤 dgritsko Accepted Answer ✓
My rule of thumb is just "don't click on links that are sent to you". If you need to do something, type the URL in yourself, even (especially) if you get an email that looks legitimate. I think the one exception to this would be if it's a direct response to an action that you initiated, like a "Forgot Password" email that you specifically requested.