Is Disabling Clickable URL Links Enough?



Recently, we had a customer reach out to ask if disabling clickable uniform resource locator (URL) links in emails was enough protection by itself to potentially not need employee security awareness training and simulated phishing.

We can understand why this misperception might exist. Many anti-phishing educational lessons discuss the need for people to evaluate all URL links before clicking on them. One of KnowBe4’s main messages has always been “Think Before You Click!”

But no, disabling URL links alone is not enough. This article will discuss why.

Disabling all URL links in all emails by default is a good way to decrease cybersecurity risk. Essentially, this control removes the "hyperlinking" property of the URL and renders it as plaintext, so it cannot be clicked with a mouse or easily selected from the keyboard to open an Internet browser at the provided address automatically.

There are many organizations (including the U.S. Department of Defense) and cybersecurity guides that recommend rendering all URLs as plaintext. For that reason, Microsoft Outlook and many other email applications have had that option for well over two decades.

And, yes, disabling clickable URLs by default will decrease cybersecurity risk. It makes it harder for someone to see a link, quickly click on it, and launch the content associated with it. At the very least the user will have to manually copy the link and insert it into a browser address bar. Requiring manual action to launch a link is proven to decrease the percentage of people who will go to the URL. Phishers hate it.

Of course, plaintext links are a huge inconvenience to everyone who simply wants to click on a legitimate link and get taken immediately to the correct place. If most of the emails ending up in someone’s inbox are not malicious, then this means it’s a huge amount of inconvenience for most people in most scenarios. This makes it less likely that an organization will implement it. But for those who do, and suffer the inconvenient consequences, it does reduce cybersecurity risk from email social engineering.

But not all risk. 

People Will Just Copy The Links
People who are appropriately motivated will simply copy the links into their browser and go there anyway. Disabling hyperlinks does decrease the chance that someone will click on a particular link, but it does not stop everyone. We all know how to copy and paste something. It will slow the average user down by less than 10 seconds. 

You need to train your users in how to recognize rogue URLs. Here’s a 1-hour webinar on how to spot rogue URLs.
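The two points above, that rendering URLs as plaintext removes only the one-click behaviour while the URL itself stays copyable, and that users still need to evaluate what a link actually points to, can both be seen in a small script. This is an added illustration, not KnowBe4's or any mail client's code; it assumes an HTML message body and uses a constructed sample message with placeholder hosts.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkFlattener(HTMLParser):
    """Strips the hyperlink from every <a href="..."> in an HTML mail body and
    renders the anchor as plain text followed by the real destination in
    brackets. The URL text survives (it can still be copied); only the
    one-click behaviour is gone."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []           # rewritten body fragments
        self.href = None        # href of the anchor currently open, else None
        self.anchor_text = []   # visible text collected inside that anchor
        self.links = []         # (visible text, real href) pairs for reporting

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href = dict(attrs).get("href") or ""
            self.anchor_text = []
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # self-closing tags such as <br/> are copied through unchanged
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a":
            if self.href is None:
                return  # stray </a>; nothing to flatten
            text = "".join(self.anchor_text).strip()
            self.links.append((text, self.href))
            rendered = escape(text)
            if self.href:
                rendered += f" [{escape(self.href)}]"
            self.out.append(rendered)
            self.href = None
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.href is not None:
            self.anchor_text.append(data)
        else:
            self.out.append(escape(data))


def flatten_links(html_body):
    """Return (rewritten body, list of (visible text, href) pairs)."""
    parser = LinkFlattener()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.links


def mismatched_links(links):
    """Anchors whose visible text is itself a URL naming one host while the
    real href points at a different host: the kind of thing plaintext
    rendering exposes and a user evaluating a link should look for."""
    flagged = []
    for text, href in links:
        shown = urlparse(text) if "://" in text else None
        real = urlparse(href)
        if shown is not None and shown.hostname and real.hostname \
                and shown.hostname != real.hostname:
            flagged.append((shown.hostname, real.hostname))
    return flagged


# Constructed sample message; the hosts are placeholders, not real sites
SAMPLE_EMAIL = (
    "<p>Your invoice is ready. "
    '<a href="https://billing.example.net/pay?id=1">https://portal.example.com/invoice</a> '
    'or <a href="https://portal.example.com/help">contact support</a>.</p>'
)

if __name__ == "__main__":
    body, found = flatten_links(SAMPLE_EMAIL)
    print(body)
    for shown_host, real_host in mismatched_links(found):
        print(f"display text says {shown_host}, link really goes to {real_host}")
```

The flattened body keeps every destination in brackets next to the anchor text, which is why a motivated reader can still paste it into a browser; the mismatch report is the check a trained user performs by eye when the visible text and the real destination disagree.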

We even recently covered "clickjacking" in our blog, in which a hacker goes beyond merely convincing a victim to type in a URL and instead persuades them to run more complex commands or PowerShell scripts at the command line. 

It Doesn’t Stop All Email-Based Social Engineering
Most email-based social engineering does include a URL link that the phisher is hoping the potential victim clicks on, but many don’t. Emails that include a Quick Response (QR) code instead of a link are on the rise. Callback phishing, which is a phishing email that induces potential victims to call a phone number, often doesn't include a URL link. Or the link is included as part of a graphic that the user has to re-type anyway. 

Email Isn’t The Only Phishing Medium
Social engineering and phishing can occur across any communication medium, including in person, by phone, SMS message, social media, chat apps and channels, QR codes, and even television. If you stop social engineering awareness training, you're increasing the risk that someone will be compromised on non-email channels.  

It Doesn’t Stop Users at Home
Many users are compromised at home, on their home devices, where URL blocking isn't likely to be enabled. A personally compromised employee (e.g., dealing with a phishing attack, stolen money, etc.) is a less productive employee. And many employees are compromised at home, with the attacker using the personal compromise as a starting point to attack their employer. 

Good Security Awareness Training
Good Security Awareness Training shouldn't just include education on email phishing and simulated email phishing campaigns. It should include training about all types of phishing and how they occur on all types of devices and mediums. You don't want your employee being tricked by a phone call any more than by an email attack. 

Your training and testing should include all sorts of things to improve human risk management, beyond simply phishing education and testing. For example, you should be including education on a variety of topics, including compliance topics like password policy, following company policies, securing company devices when traveling or in your car, and not leaving confidential information out in the open or discussing it in public. It should include videos, posters, games and in-person meetings. And all of that is improved and facilitated by security awareness training that is hosted in email. 

If you're doing it right, you're trying to change the organization's culture to be more cybersecurity-aware, and if you aren't training and doing simulated phishing exercises that mimic real world events, you aren't doing that as efficiently as you might otherwise be doing it.

So, go ahead and disable URL hyperlinks if that’s what you and management want to do. But don’t stop training and simulated email phishing. There’s a whole lot more involved in creating a great cybersecurity culture than just hyperlinks and email. 
