While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss. Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page. That means a user can drag them anywhere, including over the address bar of the primary window.
BitB windows, by contrast, aren’t a separate browser instance at all. Instead, they’re illustrations rendered by custom HTML and CSS and contained in the primary window. That means the fake pages can’t cover the address bar of the primary browser window.
Unfortunately, as mr.d0x pointed out, these checks might be difficult to teach “because now we move away from the ‘check the URL’” advice that’s standard. “You’re teaching users to do something they never do.”
All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right-click on the popup page and choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into the HTML.
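The "inspect" advice above can be turned into a heuristic a defender or educator can demonstrate: a genuine popup's address comes from a real navigation context, whereas a BitB imitation's address bar is just text sitting in the page's DOM, usually inside a fixed- or absolutely-positioned container, with whatever content the attacker actually loaded (typically an iframe) coming from a different origin. The following is an added example, not code from the article or from mr.d0x; it works on a simplified node tree (the `{ tag, attrs, style, text, children }` shape is an assumption made so the check runs outside a browser, where a page scanner would instead walk `document.body`), and the sample tree and domains are constructed for illustration.

```javascript
// Heuristic scan for in-page "browser window" imitations (added example, not from the article).
// Assumed node shape: { tag, attrs: {}, style: {}, text: "", children: [] }.

const URL_RE = /^https?:\/\/[^\s/]+/;

// Origin of a URL string, or null if it does not parse.
function origin(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Depth-first walk yielding each node together with its ancestor chain.
function* walk(node, ancestors = []) {
  yield { node, ancestors };
  for (const child of node.children || []) {
    yield* walk(child, [...ancestors, node]);
  }
}

// Flag text that looks like an address bar but lives inside a positioned overlay
// whose real frames come from somewhere other than the origin being displayed.
function findChromeImitations(root) {
  const findings = [];
  for (const { node, ancestors } of walk(root)) {
    const shown = (node.text || '').trim();
    if (!URL_RE.test(shown)) continue;                 // not address-bar-like text
    if (node.tag === 'a' || node.tag === 'iframe') continue; // links/frames legitimately carry URLs

    // A BitB overlay is drawn inside the page, so it needs a positioned container.
    const container = [...ancestors].reverse()
      .find(a => ['fixed', 'absolute'].includes((a.style || {}).position));
    if (!container) continue;

    const shownOrigin = origin(shown);
    const frameOrigins = [...walk(container)]
      .map(x => x.node)
      .filter(n => n.tag === 'iframe')
      .map(f => origin((f.attrs || {}).src || ''))
      .filter(Boolean);

    findings.push({
      shown,
      shownOrigin,
      frameOrigins,
      // Displayed origin is hardcoded text with no frame actually loaded from it.
      suspicious: !frameOrigins.includes(shownOrigin),
    });
  }
  return findings;
}

// Constructed sample: a fixed overlay drawn to look like an OAuth popup.
// Displayed address and actual frame source are both placeholders, not real sites.
const FAKE_POPUP = {
  tag: 'body', children: [{
    tag: 'div', style: { position: 'fixed' }, children: [
      { tag: 'span', attrs: { class: 'addr' }, text: 'https://login.example-idp.com/oauth/authorize' },
      { tag: 'iframe', attrs: { src: 'https://attacker.example/fake-login.html' } },
    ],
  }],
};

// Constructed benign sample: an embedded widget whose caption matches its frame's origin.
const BENIGN_WIDGET = {
  tag: 'body', children: [{
    tag: 'div', style: { position: 'absolute' }, children: [
      { tag: 'span', text: 'https://login.example-idp.com/widget' },
      { tag: 'iframe', attrs: { src: 'https://login.example-idp.com/widget/embed' } },
    ],
  }],
};

function scanSamples() {
  return {
    fake: findChromeImitations(FAKE_POPUP),
    benign: findChromeImitations(BENIGN_WIDGET),
  };
}

module.exports = { origin, findChromeImitations, scanSamples, FAKE_POPUP, BENIGN_WIDGET };
```

On the constructed fake popup the scan reports the displayed `https://login.example-idp.com` origin with only `https://attacker.example` actually framed, so `suspicious` is true; on the benign widget the origins agree. This is a teaching heuristic that makes the article's point concrete (the URL exists only as hardcoded markup), not a robust detector: it says nothing about a real popup, which is a separate window the page's DOM cannot describe at all, and like any DOM heuristic it will produce false positives on legitimate overlays and false negatives on imitations that present the address differently.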