Techies who repudiate #domain name validation as a cornerstone of users avoiding malicious sites are offering security advice that is fundamentally broken.
If you think users are too dense to check the spelling of a domain before they click a link (from an email, doc, etc) then they're not going to navigate your much more complex and vague behavioral advice about what is/isn't proper in #email, either.
If you insist on user ignorance of URLs then your users have lost the Internet; you have ceded the foundation of #Internet security that was carefully designed in the 1990s to be effective and easy to use.
Sadly, I think this means most of you #infosec types. And if your email app or other doc/pdf apps don't show you the domain (as in tooltips) before opening a link, then the app authors are in the same sorry company, too.
