This ^^^ is a big part of the problem right here --- legitimate messages from government authorities are so totally non-credible that it makes the scammers' jobs super easy.
Same is true of banks and such. A few months ago, I got a mortgage, and I was totally blown away by how much profoundly suspicious shit that was actually legit happened. Like, I'd get calls from totally random new people from the mortgage company, no warning by anyone who I actually knew that this new person was calling, often from their personal cellphones---and it would turn out that the call was totally legit, and I actually was supposed to send more sensitive financial documents to this random new person. Totally bonkers.
And we probably can't discount the role of direct-mail marketing in this, either - my bill from my ISP will arrive in a plain envelope (before I opted into paperless statements), but every random piece of upsell spam I get from my ISP is plastered with giant red letters saying "IMPORTANT INFO ABOUT YOUR ACCOUNT - TIME SENSITIVE" and often with a fake business card for some executive inside.
Even brands themselves are getting in on the game of trying to abuse people's attention with deceptive messaging.
I feel like some kind of PGP authentication system would be very useful for private government to citizen communications. It would require some training on users parts however.
The problem is that governments, banks etc. don't and can't credibly commit to doing the right thing. E.g. banks in my previous company are furious because just when they'd finally managed to convince most people to never open a link from a text message, the government sent out a text message with a link to a COVID-19 information page.
It still shocks me the number of very large companies, even Microsoft, still have marketing and other official communications that look like clear scam messages
It is like they are trying to make things easy for scammers
Same is true of banks and such. A few months ago, I got a mortgage, and I was totally blown away by how much profoundly suspicious shit that was actually legit happened. Like, I'd get calls from totally random new people from the mortgage company, no warning by anyone who I actually knew that this new person was calling, often from their personal cellphones---and it would turn out that the call was totally legit, and I actually was supposed to send more sensitive financial documents to this random new person. Totally bonkers.