Honestly, I think fewer attackers go this route than a simple clone of the target website and logging of the credentials people enter. Much easier phishing than trying to interact with the real website. Saw this for a bank recently and sent an abuse email to the phishing domain's registrar. Maybe 4 hours later the registrar had killed it.
Yes, but smarter people who visit a clear phishing website later on understand their mistake and change their password. If you could perform actual actions on a Let's Encrypt certificate website that perhaps has a slightly different URL, you'd most probably be less sceptical.