Comment by dns_snek
3 months ago
The exact attack they described is less of an issue these days due to HSTS and preloading, but:
- make sure you're connected to the expected official domain (though many companies are desensitizing us to this threat by using distinct domains instead of subdomains for official business)
- make sure you're connected over HTTPS (this was most likely their issue)
- use a password manager which remembers official domains for you and won't offer to auto-fill on phishing sites
- use a 2FA method that's immune to phishing, like passkeys or security keys (if you do this, you get a lot of leniency for mistakes everywhere else)