Basic Internet security means “Don’t click links that resemble legitimate sites”. Yet lazy companies persist in sending e-mails that invite you to “View your statement” or “Enjoy our discount offer” that go to e.g. click.global.expediamail.com instead of expedia.com (that one doesn’t even use the httpS (ecure) protocol!). Even PayPal does it, sending me “⌚ 👜 Get a Credit decision in Seconds” which asks me to click https://epl.paypal-communication.com/blahblah, which is counter to their own security advice about suspicious activity! Companies engage in this stupidity because the people in marketing enter into agreements with third parties to deliver e-mail and track customer responses without involving the web site or security team, and the quick hack to make it work is to register a separate site.
Maybe it’s impossible for scammers to register http://LegitimateBigCo-myscamsite.com , but who can tell the subtlety of that distinction with the definitely fake http://myscamsite-LegitimateBigCo.com ?! I’m a web engineer and I don’t grok that level of detail in domain registration.