Here we go again…
- Protect the email domain being used so it isn’t spoofable and can’t be impersonated. There are NO SPF or DMARC records in place for @yahoodatabreachsettlement.com so it is wide open to being convincingly and almost undetectably spoofed by anyone.
- Try to make the domain you have registered hard to imitate for hosting fake versions of the settlement websites. Incidentally, a long domain name is easier to spoof: this one is 25 characters long, which makes impersonation using homoglyphs (see https://en.wikipedia.org/wiki/Homoglyph ) quite easy, e.g. yahoodátabreachsettlement.com. Also, no one has thought to simply register the .net and .org versions of this domain to protect it.
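
As an added example (not from the original post), here is a minimal defender-side check that classifies a domain seen in mail or proxy logs against the settlement domain. The names `CONFUSABLES`, `skeleton` and `classify` are illustrative, the confusables table is a small constructed sample, and the last label is assumed to be the TLD.

```python
import unicodedata

PROTECTED = "yahoodatabreachsettlement.com"  # the domain named in the post

# Constructed sample of confusable characters (assumption: production code
# would load the full Unicode UTS #39 confusables data instead).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",  # Cyrillic, Greek
    "0": "o", "1": "l",                                          # ASCII digits
}


def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so ACE and Unicode forms compare equal."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def skeleton(label: str) -> str:
    """Fold a name to its look-alike form: strip accents, map confusables."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in no_marks)


def classify(candidate: str, protected: str = PROTECTED) -> str:
    """Return exact, tld-variant, homoglyph or unrelated for a seen domain."""
    cand = to_unicode(candidate.strip().rstrip(".").lower())
    # Assumption: the last label is the TLD (no public-suffix list lookup).
    cand_name, _, _ = cand.rpartition(".")
    prot_name, _, _ = protected.rpartition(".")
    if cand == protected:
        return "exact"
    if skeleton(cand_name) != skeleton(prot_name):
        return "unrelated"
    if cand_name == prot_name:
        return "tld-variant"   # same name under .net, .org, ...
    return "homoglyph"         # renders alike, different code points


if __name__ == "__main__":
    for seen in ["yahoodatabreachsettlement.com",
                 "yahoodatabreachsettlement.net",
                 "yahood\u00e1tabreachsettlement.com",
                 "y\u0430hoodatabreachsettlement.org"]:
        ace = seen.encode("idna").decode("ascii")  # form that appears in DNS/logs
        print(f"{classify(seen):12} {ace}")
```

The `xn--` form printed alongside each result is what DNS and most logs record, so the classifier accepts either form as input.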