Just use a TOTP app, at the moment. Note that because there are no U2F alternatives means that you shouldn't use U2F - not that you should settle for an insecure device.
There are U2F alternatives, several of which are mentioned in this thread. Also, U2F is immune to phishing while TOTP isn't. Your advice is actively harmful.
The available data suggests there are no groups of people who are good at not being phished.
The audience here is unlikely to send a check to the Nigerian prince looking to smuggle his money to America, but if you're arguing that we shouldn't trust yubikeys against APT backdoors, we're talking about a much higher quality of phishing.
I'll take my odds with yubikeys firmware rather than try to vet every site I enter a TOTP code into
You should be vetting those sites anyway, especially since you probably were also asked for a password. And it's not exactly hard - just glance up at the address bar.
A good phish relies on triggering instinctive behaviour, e.g. scaring the crap out of you and not following best practices because you're having an adrenaline rush. That's how careful people get hit. SwiftOnSecurity sometimes posts really well done phishing attempts: https://twitter.com/search/live?q=phish+from%3Aswiftonsecuri...
