Organisations Telling Users To ‘Avoid Clicking Bad Links’ Still Isn’t Working
By David C., Technical Director for Platforms Research and Principal Architect – UK National Cyber Security Centre
A New Approach To Cyber Threats
Why Organisations Should Avoid ‘Blame And Fear’, And Instead Use Technical Measures To Manage The Threat From Phishing Links.
Organisations: If It’s Broken, Let’s Fix It
Let’s start with a basic premise: several of the established tenets in security simply don’t work.
One example is advising users not to click on bad links. Users frequently need to click on links from unfamiliar domains to do their job, and being able to spot a phish is not their job. The NCSC carries out and reviews red team operations, and a common observation is that red teamers (and indeed criminals or hostile states) only need one person to fall for a ruse for an attacker to access a network.
We’re even aware of some cases where people have forwarded suspicious emails from their home accounts to their work accounts, assuming that the security measures in place in their organisations will protect them. And once a link in a phishing email is clicked and an attack launches, the stigma of clicking can prevent people reporting it, which then delays the incident response.
So, what if we assume that users will sometimes, completely unintentionally, click on bad links and that when they’re at work, it’s their organisations that are responsible for protecting them?
The Consequences Of ‘Bad Links’ In Organisations
Let’s first consider what happens when someone clicks on a ‘bad link’ in an email. One of two things generally happens:
- the user is persuaded to enter their log-in details into a fake page, so attackers can steal or exploit their credentials, or by using OAuth or consent phishing
- the user downloads a malicious file via a link or attachment, such as a document, executable or script
Note that although browser exploits may also be a consequence of clicking on a bad link, it’s less common and only in high-end attacks. (And if you’ve automated browser patching, only zero day exploits – which are outside the threat model for most organisations – should be a concern here.)
Mitigating Credential Theft For Organisational Services
Although attackers are very good at designing phishing pages to look genuine, your organisation can entirely mitigate the threat of credential theft by mandating strong authentication across its services, such as device-based passwordless authentication with a FIDO token. Or, if your organisation isn’t ready for passwordless authentication, you can make it much harder for actors to exploit credentials by setting up multi-factor authentication (MFA). You can then use single sign-on (SSO) for any third-party websites your organisation’s uses, which gives confidence that controls are widely applied.
For websites outside of your control, encouraging your users to use password managers and allowing autocompletion of passwords in browsers can help. A password manager in a browser shouldn’t provide a password for an incorrect site (although a user might still be persuaded to manually enter a password). Employees should also be encouraged to enable MFA on any services they use.
Organisations can also reduce the risk of credential abuse by making sure that only your organisation’s devices can access resources, or by denying OAuth/consent phishing to arbitrary sites at cloud tenancy levels (although note that this requires users to request that a site is enabled for OAuth integrations).
Mitigating Malicious Downloads Through Defence In Depth
In the other common attack method where a user downloads a malicious file through a link or attachment, files can be directly exploitable (like an executable), or they might be files that allow execution, such as Microsoft Office macros.
Attackers also use layers of different files to sneak past other controls, perhaps encrypting a zip file, or using a file users aren’t familiar with, like a .iso disk image.
It’s harder to prevent successful attacks from files like this, but it is possible. Organisations have the power to put in place technical measures that reduce the responsibility on a user. By implementing the enterprise-level actions below, it’s possible to greatly reduce the chance of successful attacks on your network.
Let’s break the measures down into three stages.
1. Preventing delivery of the phishing email:
-
- use email scanning and web proxies to help remove some threats before they arrive
- DMARC and SPF policies can significantly reduce delivery of spoofed emails to users
2. Preventing execution of initial code:
-
- put in place allow-listing to make sure that executables can’t run from any directory to which a user can write – this will prevent a significant number of attacks
- for anything not covered in allow-listing, use registry settings to ensure that dangerous scripting or file types are opened in Notepad and not executed – for PowerShell, you can minimise risk by using PowerShell constrained mode and script signing
- disable the mounting of .iso files on user endpoints
- make sure that macro settings are locked down (see the NCSC’s guidance on macro security) and that only users who absolutely need them – and are trained on the risks they present – can use them
- enable attack surface reduction rules
- ensure you update third-party software, such as PDF readers, or even better, use a browser to open such files
- keep up to date with current threats with wider reading about any new attack vectors emerging
3. Preventing further harm:
-
- allow-listing is again a powerful way to prevent further harm once a malicious file is opened
- DNS filtering tools, such as PDNS (for UK public sector and also the private sector) can block suspicious connections and prevent many early-stage attacks
- organisations can also carry out endpoint detection and response (EDR) and monitoring to look for suspicious behaviour on hosts
Does This Mean We Can Stop Training People To Recognise Suspicious Links?
Let’s be clear that if your organisation implements the measures above, and tests and maintains them, it’s likely there will be a significant drop in attackers exploiting your users to gain initial access. But it’s still worth training users to spot suspicious links. Why is this?
- Firstly, because one of the above controls may fail, and so defence in depth is always good.
- Secondly, a determined attacker who is very focused on finding a route into a particular company network may also target users’ personal accounts to get to their end objective. So it’s ideal if users can also spot suspicious emails in their personal accounts, where organisational protections aren’t in place. (This has the added benefit that it also helps protect them against phishing that seeks to steal money or otherwise extort them.)
- And finally, if users can spot suspicious emails and have the mechanisms to report them, it can be a really useful source of intelligence for organisations, throwing light on compromise attempts that otherwise might be missed. This is particularly true for organisations facing greater threats.
Building A Strong Reporting Culture
It’s time for organisations to move away from using blame and fear around clicking links, even if it’s usually unintentional. This means, for example, not running phishing exercises that chastise users for clicking on bad links.
Imagine a scenario where a user isn’t embarrassed to report when they’ve clicked on a malicious link, so they do so promptly, the security team thanks them for their swift action, and then works quickly to understand the resulting exposure. This is a much more constructive sequence of events, and with the added security benefit that an attack is identified early on.
We should also make it easy for users to report suspicious emails, such as using email add-ins widely.
Usability And Security Can Go Together
This article is a call to encourage organisations to think about the question from a different perspective. We know that telling users not to click on bad links just isn’t working, so let’s suspend belief for a second and think about it in a different way. What would we do differently if we were actually encouraging users to click links without fear?
We’re not of course, but the point here is that we don’t have to choose between usability and security. Bringing the two together can achieve the right level of security, while also allowing people to get on with their jobs, and without blaming them when things go wrong.
-/ 30 /-
What do you think about this?
Please share your thoughts in a comment below!
More ScamsNOW.com Articles
-/ 30 /-
What do you think about this?
Please share your thoughts in a comment above!
SCARS LINKS: AgainstScams.org RomanceScamsNOW.com ContraEstafas.org ScammerPhotos.com Anyscam.com ScamsNOW.com
reporting.AgainstScams.org support.AgainstScams.org membership.AgainstScams.org donate.AgainstScams.org shop.AgainstScams.org
youtube.AgainstScams.org linkedin.AgainstScams.org facebook.AgainstScams.org
ARTICLE RATING
TABLE OF CONTENTS
CATEGORIES
MOST POPULAR COMMENTED ARTICLES
POPULAR ARTICLES
U.S. & Canada Suicide Lifeline 988
![NavyLogo@4x-81[1]](https://scamsnow.com/wp-content/uploads/2025/04/NavyLogo@4x-811.png)
ARTICLE META
WHAT PEOPLE ARE TALKING ABOUT LATEST SITE COMMENTS
See Comments for this Article at the Bottom of the Page
on Scam Victims’ Responsibilities – 2021 [Updated 2025]: “Thank you for this article. As I continue my journey, I focus on the here and now and let the…” Jun 21, 16:26
on Scam Victims Avoid Or Escape The Aftermath Of Scams – How Denial And Distraction Avoid Confronting Reality – 2024: “In the earliest days after my crime I felt powerless, helpless and weak. I had been through so much in…” Jun 21, 14:46
on Problems and Opportunities – Thoughts on Psychological Reframing – 2025: “An article that really helped me look at the problems in my life from a different point of view and…” Jun 21, 14:42
on Scam Victims Avoid Or Escape The Aftermath Of Scams – How Denial And Distraction Avoid Confronting Reality – 2024: “Thank you for another great article! This discussion of avoidance and other tactics some can use to deny the existence…” Jun 17, 12:20
on Helping Scam Victims Understand The Social Isolation Risks After A Relationship Scam – 2024: “This article very informatively shows the risk of social isolation especially after a scam. Although I can acknowledge the list…” Jun 17, 11:31
on Do Scam Victims Become Cynics After Their Scam Experience? 2023: “I have long held the belief that I am more a realist than a cynic. I believe that together we…” Jun 17, 11:11
on Magical Thinking – How Biased & Delusional Thinking Enslaves Scam Victims: “I fell for the allure of having a friendship with the celebrity that was impersonated in my crime. I didn’t…” Jun 17, 10:14
on Rebuilding Trust: The Scam Victim’s Journey from Victimhood to Empowerment – 2024: “Trusting is still very much a work in progress for me, both in myself and my judgment of others who…” Jun 12, 23:30
on Words & Text Manipulation – The Secret Manipulation Technique Even Scammers Don’t Know About But Use – 2025: “This was triggering for me. It completely explains how my scam played out, with each step, including the final message.…” Jun 9, 23:18
on Toxic Self-Narratives That Feeds Depression in Scam Victims 2023: “Very informative article on negative self talk. I ran into this subject back in February. I had called the company…” Jun 9, 19:29
on Learning And The Challenges That A Scam Victim Faces From Trauma And Related Cognitive Effects – 2024: “For months after the scam ended I couldn’t process and/or retain much of anything I read. When I first joined…” Jun 9, 16:20
on Maitri – Loving Kindness in Buddhist Philosophy Applied to Scam Victims – 2025: “I loved this article. I will take any and all suggestions on how to be kinder to myself so I…” Jun 9, 15:36
on Scam Victim Remorse – 2025: “This is a very complicated issue. I haven’t arrived at the place of self-trust yet. I’m learning more every day…” Jun 8, 23:44
on The Butterfly Effect And Scam Victims – 2024: “As a victim who doesn’t have a lot of recovery and healing time under their belt (8 months), I hadn’t…” Jun 6, 21:19
on Faith And Why It Matters In Scam Victim Recovery – 2024: “This article validates all that I felt in the first few months after the scam ended. I had zero faith…” Jun 6, 20:31
on Reclaiming Your Worth: A Scam Survivor’s Guide to Navigating Your Worthiness After a Scam – 2023: “I feel that I’m in the place of rediscovering my worthiness these last few days. I have days when I’m…” Jun 4, 21:20
on Motivation & Scam Victims – 2024: “This article further drives home that although the initial mistake was mine (answering a dm from a stranger), the entirety…” Jun 4, 21:02
on Scam Victims Editing Their Stories To Promote Recovery From Scams 2024: “Throughout my studies in this survivor school I’ve learned that I owned and used the courage to break contact with…” Jun 4, 16:37
on Depression: People Often Cannot Recognize That They Have It – 2024: “I experience some symptoms of depression, this article thoughtfully points out that there could be symptoms I’m missing. I am…” Jun 4, 15:58
Important Information for New Scam Victims
Please visit www.ScamVictimsSupport.org – a SCARS Website for New Scam Victims & Sextortion Victims
SCARS Institute now offers a free recovery program at www.SCARSeducation.org
Please visit www.ScamPsychology.org – to more fully understand the psychological concepts involved in scams and scam victim recovery
If you are looking for local trauma counselors, please visit counseling.AgainstScams.org
If you need to speak with someone now, you can dial 988 or find phone numbers for crisis hotlines all around the world here: www.opencounseling.com/suicide-hotlines
Statement About Victim Blaming
Some of our articles discuss various aspects of victims. This is both about better understanding victims (the science of victimology) and their behaviors and psychology. This helps us to educate victims/survivors about why these crimes happened and not to blame themselves, better develop recovery programs, and help victims avoid scams in the future. At times, this may sound like blaming the victim, but it does not blame scam victims; we are simply explaining the hows and whys of the experience victims have.
These articles, about the Psychology of Scams or Victim Psychology – meaning that all humans have psychological or cognitive characteristics in common that can either be exploited or work against us – help us all to understand the unique challenges victims face before, during, and after scams, fraud, or cybercrimes. These sometimes talk about some of the vulnerabilities the scammers exploit. Victims rarely have control of them or are even aware of them, until something like a scam happens, and then they can learn how their mind works and how to overcome these mechanisms.
Articles like these help victims and others understand these processes and how to help prevent them from being exploited again or to help them recover more easily by understanding their post-scam behaviors. Learn more about the Psychology of Scams at www.ScamPsychology.org
SCARS INSTITUTE RESOURCES:
If You Have Been Victimized By A Scam Or Cybercrime
♦ If you are a victim of scams, go to www.ScamVictimsSupport.org for real knowledge and help
♦ Enroll in SCARS Scam Survivor’s School now at www.SCARSeducation.org
♦ To report criminals, visit https://reporting.AgainstScams.org – we will NEVER give your data to money recovery companies like some do!
♦ Follow us and find our podcasts, webinars, and helpful videos on YouTube: https://www.youtube.com/@RomancescamsNowcom
♦ Learn about the Psychology of Scams at www.ScamPsychology.org
♦ Dig deeper into the reality of scams, fraud, and cybercrime at www.ScamsNOW.com and www.RomanceScamsNOW.com
♦ Scam Survivor’s Stories: www.ScamSurvivorStories.org
♦ For Scam Victim Advocates visit www.ScamVictimsAdvocates.org
♦ See more scammer photos on www.ScammerPhotos.com
You can also find the SCARS Institute on Facebook, Instagram, X, LinkedIn, and TruthSocial
Psychology Disclaimer:
All articles about psychology and the human brain on this website are for information & education only
The information provided in this and other SCARS articles are intended for educational and self-help purposes only and should not be construed as a substitute for professional therapy or counseling.
Note about Mindfulness: Mindfulness practices have the potential to create psychological distress for some individuals. Please consult a mental health professional or experienced meditation instructor for guidance should you encounter difficulties.
While any self-help techniques outlined herein may be beneficial for scam victims seeking to recover from their experience and move towards recovery, it is important to consult with a qualified mental health professional before initiating any course of action. Each individual’s experience and needs are unique, and what works for one person may not be suitable for another.
Additionally, any approach may not be appropriate for individuals with certain pre-existing mental health conditions or trauma histories. It is advisable to seek guidance from a licensed therapist or counselor who can provide personalized support, guidance, and treatment tailored to your specific needs.
If you are experiencing significant distress or emotional difficulties related to a scam or other traumatic event, please consult your doctor or mental health provider for appropriate care and support.
Also read our SCARS Institute Statement about Professional Care for Scam Victims – click here
If you are in crisis, feeling desperate, or in despair, please call 988 or your local crisis hotline.
More ScamsNOW.com Articles
A Question of Trust
At the SCARS Institute, we invite you to do your own research on the topics we speak about and publish. Our team investigates the subject being discussed, especially when it comes to understanding the scam victims-survivors’ experience. You can do Google searches, but in many cases, you will have to wade through scientific papers and studies. However, remember that biases and perspectives matter and influence the outcome. Regardless, we encourage you to explore these topics as thoroughly as you can for your own awareness.