I'm a software dev. When I get phising mails I often click the links to check out what the scam is. I open in a separate browser I don't usually use, so there isn't anything in it for the phising site to gobble up. And yeah I trust that the browser sandbox I good enough, that no one is going to waste a zero day exploit on me in order to break it - hackers also have economic constraints. If I was working on something super sensitive, then I should use a vm, but I'm not so I don't.
I also did this at work, and yeah it was a fake phising mail sent by a security company, and I had to do a quick 20 min online course on email security best practices. Yay. Me and like 3 other dudes, who clearly all also understood it was phising and were just curious about the scam.
When they introduced the weird fake phishing mails at my last work place I checked the email headers and just filed it into a separate folder. My coworkers were happy to get rid of the spam as well.
I also did this at work, and yeah it was a fake phising mail sent by a security company, and I had to do a quick 20 min online course on email security best practices. Yay. Me and like 3 other dudes, who clearly all also understood it was phising and were just curious about the scam.