An individual security best practice that we don’t talk about enough:
You should be using a special email address for your username and contact for your most sensitive sites like password managers & banking.
This email should be:
- weirdly named, hard to guess.
- known ONLY to you.
I use Fastmail and have an alias and special rules exactly for this purpose. BUT you don’t have to be that fancy. If you are using Gmail, try adding yournormalemail+specialcode [at] gmail.com
This practice reduces the information that a threat actor can guess and can help you more readily identify phishing emails.
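One way to turn the phishing signal into an automatic check, as an added example that is not part of the original post: mail that claims to come from a sensitive site but was not addressed to the dedicated alias gets flagged. The alias, brand names, sender domains and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed values for illustration: the dedicated alias and the sites that know it.
SENSITIVE_ALIAS = "yournormalemail+specialcode@gmail.com"
SENSITIVE_DOMAINS = {"bank.example", "passwordmanager.example"}
SENSITIVE_BRANDS = {"example bank", "example password manager"}

def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    values = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def claims_sensitive_sender(msg):
    """True if the From domain or display name invokes a sensitive site."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    by_domain = any(domain == d or domain.endswith("." + d) for d in SENSITIVE_DOMAINS)
    by_name = any(brand in name.lower() for brand in SENSITIVE_BRANDS)
    return by_domain or by_name

def classify(raw):
    msg = message_from_string(raw)
    if not claims_sensitive_sender(msg):
        return "not-sensitive"
    # An alias match does not prove the mail is genuine; a mismatch is the signal.
    if SENSITIVE_ALIAS.lower() in recipients(msg):
        return "expected-alias"
    return "suspicious"

# Constructed sample messages.
LEGIT = ("From: Example Bank <alerts@bank.example>\n"
         "To: yournormalemail+specialcode@gmail.com\n"
         "Subject: Statement ready\n\nYour statement is available.\n")
PHISH = ('From: "Example Bank Security" <alerts@bank-example-login.example>\n'
         "To: yournormalemail@gmail.com\n"
         "Subject: Verify your account\n\nAction required.\n")
OTHER = ("From: news@shop.example\n"
         "To: yournormalemail@gmail.com\n"
         "Subject: Weekly deals\n\nSale.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH), ("other", OTHER)):
        print(label, "->", classify(raw))
```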