I was reading this book that took place well in the future, but the ?gonist (don't know yet if he's good or bad) called up a new employee, said he was from HR and told them that they hadn't finished their compliance training. They weren't going to be able to issue paychecks until the training was completed. Most likely it was a small thing - at the very end, there's a "submit" button that a lot of people miss.
So while he was on the phone with the employee, he directed him to a website, had him sign in, click the "submit" button and then they were all good.
Except the website was fake and now our main character had this new employee's username and password.
Made me realize...
If you think someone might be performing social engineering against you, if you're directed to a site in a scenario like this, always enter your password wrong the first time. If the site accepts it, you've just prevented yourself from being hacked.
Conversely, if you build websites like this to hack people, always make it reject the first password attempt and make them try again. That will catch people who follow my earlier advice (and because people type their passwords wrong accidentally all the time), and for people who did type it right, now you have the correct password submitted twice and you can be much more assured that you have a good exploit.