The available data suggests there are no groups of people who are good at not being phished.
The audience here is unlikely to send a check to the Nigerian prince looking to smuggle his money to America, but if you're arguing that we shouldn't trust yubikeys against APT backdoors, we're talking about a much higher quality of phishing.
I'll take my odds with yubikeys firmware rather than try to vet every site I enter a TOTP code into
You should be vetting those sites anyway, especially since you probably were also asked for a password. And it's not exactly hard - just glance up at the address bar.
A good phish relies on triggering instinctive behaviour, e.g. scaring the crap out of you and not following best practices because you're having an adrenaline rush. That's how careful people get hit. SwiftOnSecurity sometimes posts really well done phishing attempts: https://twitter.com/search/live?q=phish+from%3Aswiftonsecuri...
The audience here is unlikely to send a check to the Nigerian prince looking to smuggle his money to America, but if you're arguing that we shouldn't trust yubikeys against APT backdoors, we're talking about a much higher quality of phishing.
I'll take my odds with yubikeys firmware rather than try to vet every site I enter a TOTP code into