
Phishing is one of the most common entry points of cyberattacks. Even tech savvy people get tricked into clicking links or downloading attachments.


> Even tech savvy people get tricked into clicking links or downloading attachments.

Like Jim Browning, the YouTuber famous for scamming scammers, who recently fell for a phishing scam himself and ended up deleting his YouTube account. (https://news.slashdot.org/story/21/07/28/2023241/youtube-cha...)


This is eye-opening for me.

I am very careful when it comes to phishing scams, but I guess one cannot be 100% vigilant all the time. One slip and you can fall prey.

And this is why having multiple layers of security is important. Even if you get phished, it can prevent further damage.


This is one of those "play with fire long enough, and you'll get burned" situations.


It's not. It wasn't a targeted attack, or any kind of retaliation. The scammer never even saw any of his videos.


Has that been resolved yet? I'm really curious what advice he gives based on that experience.


The channel is back in full, see the followup video: https://www.youtube.com/watch?v=YIWV5fSaUB8


> tricked into clicking links or downloading attachments

Is that "phishing"? Those actions should be secure to perform in a browser. The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.

Of course, that security model sometimes has holes, but if for example clicking the link enables an XSS attack, I'd call it (primarily) an XSS attack. Same story if downloading an attachment did much more than just creating a file on disk.


"Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware."[0]

[0] https://en.wikipedia.org/wiki/Phishing


>Is that "phishing"? Those actions should be secure to perform in a browser. The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.

You don't understand how hacking and planting of malware works. Hackers abuse zero-day vulnerabilities in order to drive-by download malware onto a user's PC. They use exploit kits in order to manage and plant malware by abusing the browser's or computer's zero-day exploits. So when you visit a malicious website with a vulnerable browser, malware silently gets downloaded (drive-by download) onto your PC.

On the other hand, one of the most common email attachments is a Microsoft Word document, and again, just like with browsers, Microsoft Office and Microsoft Word have many zero-day exploits or simply existing vulnerabilities (exploits) which the user didn't patch, so the attacker abuses these kinds of exploits in order to drop malware when the user opens the Microsoft Word document and interacts with it.

Summa summarum: Hackers use zero-day or existing exploits to plant malware, or they make lookalike websites or documents to trick you into giving your login credentials and/or payment information (credit card, bank account information, etc.).

>The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.

You do; websites use SSL certificates and computer files get digitally signed as well.


The cross-site requests thing has thankfully been fixed. Modern browsers will soon (or already do?) stop sending another site's cookies when making a request from a different domain.


Apple makes phishing easier by always prompting the user for their Apple account password. Do anything, including installing free apps, and it requires the password.


This helps the user remember their password. Forgetting your Apple ID password makes all of your Apple devices essentially bricks, as you need it to unlink your account or factory reset.


It doesn't always prompt for a password or, more accurately, fingerprint scan on newish devices. In fact, standard applications that live in /Applications don't need it.

Nor do free apps downloaded via the App Store, as I just tried. Although this may be a setting somewhere.

But does it matter? You know what doesn't need a password? Accessing your photos. There's really very little you can do after authentication that you can't do otherwise. Maybe, after exfiltrating all the user data, you can also update macOS.

Sandboxing is really far more important than protecting sudo privileges, and I believe Apple is doing a fairly good job in that regard.


Getting compromised by "clicking links or downloading attachments" implies some kind of technical vulnerability, beyond phishing alone.



