I received a very official email this morning from Tslainsuranceservices.com.
It said my cancellation request was pending and I needed to click the link to verify cancellation.
Of course I did not click the link. The ploy is to get your Tesla logon and pass so they can steal the car.
Use a password manager that verifies domains before filling in details to help thwart these types of attempts. Adding a hardware 2fa device like a yubikey will go even further.
… and check the sender’s email-address yourself.
That doesn’t always work because you can get really creative with unicode characters in domains that look almost exactly like the real domain [1]. Not to mention the growing common practice of companies using a different domain for their email sending. Not to mention that sometimes humans just make mistakes? Long story short - your super confident I know everything approach is going to get you burned and you should try to build in actual solutions like domain verification instead of relying on your “huge brain.”
[1] https://www.thesslstore.com/blog/unicode-domain-phishing/