I have been added to this crypto phishing project

X Z
Contributor
July 31, 2023

I was in the middle of a bunch of legitimate tech support emails with another company when a Jira invite slipped through that turned out to be unrelated. At first I thought it was from the company I was in communication with sharing a ticket, so I clicked through and now I’m a member of this clear phishing attempt’s project.


I’m not sure how to report the project as abusive, or leave it. I forwarded the invite to abuse@atlassian.com.


This is the project: jm4ll65.atlassian.net


Thank you!

2 answers

2 accepted

3 votes
Answer accepted
X Z
Contributor
July 31, 2023

For anyone else reading, one thing I did personally was change my name to nonsense, remove my avatar which is my picture, and change my email to a “Hide My Email” iCloud throwaway. In essence I am soft deleting this account by making it garbage. This works for me because I’ve never actually used Jira outside of a work email so my personal account has no other Atlassian obligations and I can basically deconstruct it “Ship of Theseus”-style.


This is because I don’t like a bunch of scammers seeing even more information about me just because I have to belong to their project.


But of course this will only work if the account you have attached to their project is not using Atlassian yet.

2 votes
Answer accepted
Rilwan Ahmed
Community Champion
July 31, 2023

Hi @X Z ,

Welcome to the community!

"I forwarded the invite to abuse@atlassian.com" -- this is the right thing you did.

Never click on any links unless you are sure about them.

Prevention is better than cure.

X Z
Contributor
July 31, 2023

I agree about not clicking links, however I think this issue goes a bit deeper. I'm a professional software developer and am well-versed in phishing attempts. However, my inbox this morning was literally:


- Legitimate support request response email

- Jira invitation

- Legitimate support request response email

- Legitimate support request response email


I did second guess the Jira invitation a couple of times, but I looked over the sender information as well as the URL of the link a couple of times before determining it was a legitimate email from Jira (a conclusion which was accurate on my part).


I then, not having a Jira account already in my personal name, signed up. Now here is where I don't quite remember what happened. I am fairly certain that without further confirmation I was added to the project. I definitely didn't have a chance to review what the project was before confirming my attachment to it.


So it seems to me that if I already had a Jira account attached to my personal email, I would have been added as a collaborator to this project whether I wanted to be part of it or not, just by clicking that link.


Imagine a flow where someone gets 50 Jira notifications a day (I have worked at companies where this is the case). Why should this particular Jira email warrant any further study? It is reasonable to assume a Jira user would simply click through on the email based on an overall trust of Jira and Atlassian. This is basically a scammer piggy-backing off of your trust, as this sort of email will not be detected as spam or a phishing attempt easily, given that it is a legitimate email from Atlassian.


So then through a click, you have suddenly attached your entire profile to a scammer's project (as I assume most people are using real names and emails and photos with their Jira account). Now that scammer already has a pretty large leak of information about you, even if you are not dumb enough to click through any of their "Claim your bitcoin here before your account is terminated!" links they have placed into tasks.


There is no way to escape being part of their project now, nor is there any way to immediately report the project without coming here. New accounts that are likely on free-tier should probably be on very thin ice where there is a clear "report violation" button for all collaborators that immediately suspends their account pending human review. If they are running a real project, then their friends and coworkers they invite won't click it.


The problem here is that as someone who knows how phishing works, doesn't randomly click email links as a habit, and otherwise understands good security practices, I still got tricked, because I placed too much trust in Atlassian (after confirming the email was indeed Atlassian) and had a justifiable reason to believe that a Jira invite would have ended up in my inbox (I was in the midst of an active support discussion with a third party). Many people have justifiable reasons to expect (multiple) Jira emails on a daily basis and this email would have been just one of many that would have not gotten any more scrutiny.


There is no reason that out of respect to some brand new free-tier project's need for internal consistency, I shouldn't be allowed to immediately back out of a mis-clicked invite and easily report the project in such a way that the benefit of the doubt is given to the collaborator who would not have been invited just to tank the project if the project was in any way legitimate.
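Editor's added example, not code from the thread or from Atlassian: the reply above makes the point that the usual phishing checks (is the sender really Atlassian? is the link really an atlassian.net URL?) both passed, because the mail genuinely was sent by Atlassian on the scammer's behalf. The part the attacker controls is the tenant subdomain (`<site>.atlassian.net`, here `jm4ll65.atlassian.net`). The script below triages an invite the way a mail filter or a personal sieve could: it confirms the mail origin, pulls every atlassian.net site out of the sender address and the links, and flags any site that is not on an allow-list of tenants this mailbox actually works with. The tenant names in `KNOWN_TENANTS`, the sender addresses, the mail bodies and the link paths are all constructed for the example; the list of Atlassian mail domains is an assumption to be checked against your own received headers.

```python
"""Triage a Jira invite: a legitimate Atlassian sender is not enough,
the tenant subdomain must be one you expect.

Added example (editor's code, not from the thread). Sample mails, tenant
names and link paths are constructed; ATLASSIAN_MAIL_DOMAINS is an assumption.
"""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Atlassian Cloud sites this mailbox legitimately belongs to (constructed list;
# in practice derived from your own org inventory or the sites you already use).
KNOWN_TENANTS = {"mycompany.atlassian.net", "vendor-support.atlassian.net"}

# Domains we accept as "mail really sent by Atlassian". Assumption for the
# example: confirm the real set from headers/DMARC of mail you know is genuine.
ATLASSIAN_MAIL_DOMAINS = ("atlassian.net", "atlassian.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _domain_of(address: str) -> str:
    """Bare domain of an RFC 5322 address, lower-cased ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def _is_atlassian_origin(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in ATLASSIAN_MAIL_DOMAINS)


def _tenant(host: str):
    """'<site>.atlassian.net' is a tenant; anything else (support pages, atlassian.com) is not."""
    return host if host.endswith(".atlassian.net") else None


def triage_invite(raw_mail: str) -> dict:
    """Return sender domain, tenants seen, unknown tenants and a verdict."""
    msg = message_from_string(raw_mail, policy=default)
    sender = _domain_of(msg.get("From", ""))

    # Collect link hosts from every text part (plain or HTML).
    text = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_content()
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())

    # The tenant can show up in the From address as well as in the links.
    tenants = {t for t in map(_tenant, hosts | {sender}) if t}
    unknown = sorted(tenants - KNOWN_TENANTS)

    if not _is_atlassian_origin(sender):
        verdict = "not-atlassian"    # classic spoof: fails the sender check
    elif unknown:
        verdict = "unknown-tenant"   # genuine Atlassian mail, but a stranger's site
    else:
        verdict = "expected"

    return {
        "sender_domain": sender,
        "tenants": sorted(tenants),
        "unknown_tenants": unknown,
        "verdict": verdict,
    }


# Constructed sample: looks like a real Jira invite, tenant is the scam site
# named in the thread. Header and body text are made up for the example.
SCAM_INVITE = """\
From: Jira <jira@jm4ll65.atlassian.net>
To: me@example.com
Subject: You have been invited to a project
Content-Type: text/plain; charset="utf-8"

Your teammate invited you to collaborate.
Join the project: https://jm4ll65.atlassian.net/jira/projects/DEMO
Need help? https://support.atlassian.com/
"""

# Same mail from a tenant on the allow-list: should pass.
EXPECTED_INVITE = SCAM_INVITE.replace("jm4ll65.atlassian.net", "vendor-support.atlassian.net")


if __name__ == "__main__":
    for label, mail in (("scam", SCAM_INVITE), ("expected", EXPECTED_INVITE)):
        print(label, triage_invite(mail))
```

The ordering matters: a mail that fails the origin check is an ordinary spoof and is reported as such, while a mail that passes it and still names an unknown tenant is exactly the case in the thread, and that is the one a "check the sender" habit misses. For someone receiving dozens of Jira notifications a day, the allow-list is cheap to maintain because every legitimate notification comes from the same handful of sites, so a first-seen tenant stands out even when the mail itself is genuine.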


DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD