One thing I haven't seen mentioned is that there is a name for these kinds of advanced phishing attempts, which is "spear-phishing". Normal phishing is broadly targeted and fairly generic - "You just won a cruise", online parking ticket due, etc. It's usually easy to spot once you're aware of it.
Spear-phishing, in contrast, targets a specific audience with a message that includes specific details that make it more convincing - your boss's name, company, job title, bank account number, mortgage loan start date, health provider name, etc. The more specific, the better. These can be very hard to detect. If I've just been to the doctor, I'm expecting to get an email about a hospital bill, and I'm pretty confident that the hospital's online payment site will look like it hasn't been updated from the 90s. TBH, half the time I'm paying a medical bill online, I'm crossing my fingers that it's actually going to the right place...
Spear-phishing, in contrast, targets a specific audience with a message that includes specific details that make it more convincing - your boss's name, company, job title, bank account number, mortgage loan start date, health provider name, etc. The more specific, the better. These can be very hard to detect. If I've just been to the doctor, I'm expecting to get an email about a hospital bill, and I'm pretty confident that the hospital's online payment site will look like it hasn't been updated from the 90s. TBH, half the time I'm paying a medical bill online, I'm crossing my fingers that it's actually going to the right place...