
But the scammers don't control your UI, the UI belongs to the browser.

The Brick Wall I was particularly thinking about is WebAuthn. There could (but shouldn't) be a UI where I can say "Oops, silly site has used the wrong URL, let's provide my real site credentials anyway". I can give the scammers my real credentials, they can steal all my money, everybody is happy. Oh except me, I guess I'm miserable - but only after I realise what happened. Instead there's a brick wall here, WebAuthn can't authenticate to the bad guys. I'm sat there until I either realise that it's a scam or I give up and maybe phone the bank about their apparently atrocious UI (and then maybe realise it's a scam).
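The "brick wall" in the comment above comes from WebAuthn binding every assertion to the origin the browser actually loaded. As an added example (not part of the thread), here is the relying-party side of that binding check in Python; the `bank.example` names, the helper functions and the sample data are constructed for illustration, and the signature check over `authenticatorData || SHA-256(clientDataJSON)`, which is what stops these fields from being rewritten in transit, is omitted.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, *, expected_origin, rp_id, challenge):
    """Return the reasons an assertion is not bound to this relying party ([] = bound)."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if not hmac.compare_digest(str(client.get("challenge", "")), b64url(challenge)):
        failures.append("challenge")
    if client.get("origin") != expected_origin:       # origin is written by the browser, not the page
        failures.append("origin")
    if len(authenticator_data) < 37:                  # 32-byte rpIdHash + flags + 4-byte counter
        return failures + ["authenticator_data_length"]
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        failures.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:             # UP flag: user presence was tested
        failures.append("user_present")
    return failures

def sample(origin, rp_id, challenge):
    """Constructed sample: the two structures produced for a page loaded from `origin`."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return cdj, auth

CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random challenge per login
RP = dict(expected_origin="https://bank.example", rp_id="bank.example", challenge=CHALLENGE)

def demo():
    good = binding_failures(*sample("https://bank.example", "bank.example", CHALLENGE), **RP)
    lookalike = binding_failures(*sample("https://bank-login.example", "bank-login.example", CHALLENGE), **RP)
    return good, lookalike

if __name__ == "__main__":
    print(demo())
```

The user never gets a prompt that could override either field, which is why there is no "provide my real credentials anyway" path to click through.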



>I'm sat there until I either realise that it's a scam or I give up

Well, there are ways to do this (for an easy example, just edit your hosts file). But the barrier of entry is high enough that a non-technical person will give up even if they're completely oblivious.



