"never click on links" is impossible advice to follow. Security people often forget that there is a tradeoff between security and functionality. You need to do cost/benefit analysis to decide whether to use a particular feature.
Never click on links until you are on the destination site is the advice I give to friends/family who aren't computer sophisticated. (Up there with Never Open attachments in your email and never install new programs on your computer)
Those two practices, typing in "www.wellsfargo.com" instead of clicking on a link that suggests it will be taking you there, and never, ever, opening any attachment, cuts down on 95% of the malware attacks that these people experience.
Most non-computer users aren't sophisticated enough to understand what links they can, and cannot click on, so they are safer just typing out URLs and navigating from there. It's great advice for those people. Bookmarks make the practice a little more efficient as well.
As much as we computer sophisticates despise the "Walled-Garden" aspects of the Apple Store (and soon, the Microsoft Store) - those should also significantly reduce the amount of malware people end up installing when they add new programs. It may not eliminate it (as we saw when Path uploaded people's Address Book information onto their servers without asking the user permission) - but, between application review + client-side checks on privacy - malware infestations have experienced a radical drop on stock iOS devices vs what a user's computing experience used to be in the Bad Old days of Windows 95/XP in which even _I_ got nailed by a trojan or two.
I think it is also important to remember that iOS (and similar devices) have a much stronger security model from a technical standpoint (low-level, near complete sandboxing with white-listed permisions). As apposed to most desktop computers where almost every program runs with full user permisions, and in the case of windows 95 (and maybe also XP), that normal user tended to be an administrator.
I don't really think most computer sophisticates have a problem with a walled garden, but rather a problem with a locked down garden. In linux, for example, the standard means of installing software is through a central repository maintained by whoever maintains the OS, and all of the software in that repository is reviewed before being added. The difference is that if the user wants to, they can install software not offered through the repository, and/or add 3rd party repositories.
Sites that involve credit cards or banking are in a whole different category. For those I think the best advice is to only use https bookmarks.
In that vein, here's an idea for a browser feature. When someone enters something into a form that looks like a credit card number, bank account number, or bank routing number, black out the entire browser (including the url bar) and require them to type in the domain they think they're submitting to. If they get it wrong they can't submit the form (at least for a few minutes).
Only for sites that you don't already have an account on, and which don't use a paypal-like service. Although since there are consumer protections on credit cards, it might make sense just to warn on bank account and routing numbers.
Couldn't phishers just start having their fake forms send the current form content via ajax every time a new character is typed, rather than only on submit?
