<...>
I believe the topological ideal there is to use Metamask, as seemingly required in your case, but using a set-up that uses the hardware wallet instead for key management.
There are often phishing sites that use a very closely related name to the original site, and that are promoted through different social media channels, or simply come up high in search engine results (sometimes even as paid ads, giving them a priority position in the search results).
Out of curiosity, take a look at the results from DNS Twister for Metamask:
https://dnstwister.report/search?ed=6d6574616d61736b2e696f
You’ll see that there are plenty of existing domains with a similar name, and any of them can, at a given point in time, be used for a phishing expedition (they are not all currently phishing sites – perhaps some, but they are at least latent potentials).
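
A defender-side check for the look-alike names described above, as an added example that is not part of the original post: it classifies a URL's host against the official domain before you trust a search result or link. The distance threshold, the small confusables map, the naive "last two labels" registered-domain rule and all sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# The `ed` parameter in the dnstwister link above is the hex-encoded domain.
OFFICIAL = bytes.fromhex("6d6574616d61736b2e696f").decode("ascii")  # "metamask.io"

# Small constructed map of look-alike characters (digits and Cyrillic letters);
# real confusable tables are far larger.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})

def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(url, official=OFFICIAL, max_distance=2):
    """Return 'official', 'lookalike' or 'unrelated' for the host in `url`."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    folded = host.translate(CONFUSABLES)
    # Naive registered domain: last two labels (ignores multi-label suffixes).
    registered = ".".join(folded.split(".")[-2:])
    if edit_distance(registered, official) <= max_distance:
        return "lookalike"
    # Brand name used as a subdomain or padded with hyphens on another domain.
    brand = official.split(".")[0]
    if brand in folded.replace("-", ""):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample URLs, not checked against real registrations.
    for u in ["https://metamask.io/download",
              "https://metarnask.io/",
              "https://metamask.io.wallet-login.example/",
              "https://example.org/"]:
        print(f"{classify(u):10} {u}")
```
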