The Weakest Embedded Link
One of the most difficult vulnerabilities to overcome is human error. You cannot simply program your employees to only open specific emails or attachments, and there is no guarantee that training will be effective. When it comes to phishing, you are only as strong as the weakest link at your organization, and anyone with access to personal information is a potential vulnerability that could be exploited.
How It Works
Emails regularly contain embedded links that provide quick access to files, emails, or websites. Malicious actors take advantage of this by embedding links that appear legitimate but lead to a false site that hosts viruses or collects information such as passwords and account info.
In the simplest form, imagine an email from your bank asking you to log in and verify some questionable transactions. It seems reasonable, and you follow the link, entering your information in what you think is a legitimate site. What really happens is that you just provided all your bank account login information to an unknown group.
How to Stop It
In many cases, businesses provide training to their employees, encouraging good behavior around email usage. Of course, we know that this is not a perfect solution because phishing attacks still occur and work.
To prevent employees from clicking false links, you want to have persistent messaging through awareness campaigns and similar tools. Posters or flyers that bring awareness to the issue in elevators, break areas, or other commonly used spaces will help to keep phishing and embedded links front of mind for employees. Additionally, policies that remind them never to click on a link they have not inspected by mousing over it are encouraged.
Essentially, you need to make it second nature for your employees to question links embedded in their emails.