What I've observed is that normally cautious people will fall for scams when the scam aligns with something expected. Maybe you've just paid your water bill and you get an email that says there's something wrong with your payment. Could just be random chance but it seems related to something you've just done so your normal instinct of "not giving information if I didn't initiate the process" might not be triggered.
> What I've observed is that normally cautious people will fall for scams when the scam aligns with something expected.
Exactly! In my example for myself, I really was expecting a package, and I was expecting to be paying some extra duties/fees, so the phishing site asking me to enter card details didn't strike me as odd. The website itself looked exactly like how the real one looks, there were no grammatical errors or anything else that would tip you off that you're not looking at a legitimate page. The URL, in hindsight, was a bit sketchy, but honestly I've received official legitimate communiques from various large companies from very weird URLs before so even then I didn't question the URL too hard, as it wasn't typosquatting or using the Turkish l instead of the regular l or anything like that, just something like dhl-express.com (I can't remember exactly what the URL was). It even had a proper header navbar that they carefully copied from the real thing.
Literally the only thing that tipped me off that it was a scam was that it prefilled the tracking code for me, but the link I had received had no query param as I mentioned and I've never visited the page before (so the tracking code wouldn't be persisted in localStorage or a cookie). I can very, very easily imagine someone less technical falling for it, and hell, depending on circumstances I probably would've fallen for it if I was tired after a long day of work or something like that.