Years ago phishing and 2fa breaches werent as pervasive. Since we can’t all go to pass key right now, nobody’s doing a damn thing about the phishing campaigns. Secops current method of protection is to pay companies that scan the dark web by the lists and offer up if your password’s been owned for a fee.
That’s a pretty s***** tactic to try to protect your users.