Most of these phishing attacks aren’t exactly clicks, they are website URLs that get spammed to users through messages in small token transfers. Users then view their transaction history and see these links, which then have to be manually copied and pasted into a browser by hand, since most explorers won’t let those links be clickable. These websites then claim to offer things and ask users to either paste your private key into the website or typically login with Scatter.
I haven’t ever seen one for Anchor, but I haven’t looked in probably at least 6 months. The reason is because Anchor actually blocks you from performing any transaction that includes an action to change the keys of an account. Instead of a request you’d approve, it’ll show a red warning message and block the request any time these types of transactions are detected (even if intentional).
Users have to manually opt-out of these warnings through the settings to even be able to sign a key change from an external application. Even opt’d out, there’s red warnings on the screen during the process to create a warning that this isn’t a normal transaction.
The phishing attack specifically in this instance, “free resources from block.one”, was actually masquerading as a “free voice token claim” with a link in the transfer memo. This was one we researched previously and the options they offered was either to paste a key on the website or login w/ Scatter.
This was a thread I found from a while ago where it was discussed:
https://forums.eoscommunity.org/t/wallet-hacked-looking-for-hope/350
As for your final comment:
We don’t “run the wallet” - you do. When using any non-custodial wallet… you are downloading free, open source software, that exists on a best-effort basis under the MIT license. It’s ultimately your responsibility to secure your computer, applications, and private keys.
For what it’s worth - I know this is a shitty situation and I wish there was something I could offer, unfortunately there is not. I’ve been scammed myself years ago, and have interacted with dozens of people (if not more) who have fallen into this trap. It sucks, both having it happen to you and having to explain to people what happened.