Re: Links really clicked?
This is actually simple. Suppose you have a database of e-mail addresses. You hash each of them and include the hash in the link. For Bank Of America, the link could look like this:
(For the love of God, DO NOT click the link above if it gets automatically converted! I hope the fake protocol name doesn't get auto-corrected.)
Once you click the link, the perpetrator knows exactly who* clicked the link and which e-mail compelled the user to click.
When you log in, you give away your password to the perps, but it appears you have actually logged into your account. What they will now try to do is guide you towards entering a token code or a one-time code (what they are really doing is they have a pre-filled form just waiting for you to type the code so they can funnel money out promptly).
There are lots of ways to do it. My bank started warning me to check if the pasted data is correct (apparently there is malware that monitors the clipboard to see if there is an IBAN account number copied to clipboard and as soon as there is, it will be replaced with the pre-programmed account number).
I partly blame banks for this. I usually type the URL myself or follow online payments to my banking site to authorize a money transfer, but my bank has disabled the use of the password manager on their site because it's apparently safer.
Well, I have no idea how it can be safer if the password manager used to check if the site is legitimate, if the certificate matches, and so on, and disables the managed password if it fails the checks.