I’m very careful with privacy and security so I was surprised I got an obvious phishing email from “American Express”. I reported the email and moved on only to get another one today. I checked haveibeenpwned and it came back clear. I have never gotten a phishing email before the other day. As for the senders, they all came from generic IT sounding email addresses. They obviously weren’t American Express.
True. A more reliable way to achieve this is to buy a domain and use addresses in the form websitename@your.domain.
Yeah that also usually comes up in these types of discussions. Even for technical people, that approach can be a pain to manage.