Hacker News

I had a security course at uni which was rather good and many things have stuck with me over the years. One of them is the importance of strict adherence to protocols. If you regularly enter a secure facility you follow protocol and show your credentials every single time. It doesn't matter if the security guard is a mate you've known since school. It doesn't matter how silly it seems. No exceptions. Ever.

I feel like this is exactly the kind of situation this is trying to avoid. Security should not involve thinking because thinking can go wrong. Security has to be blind adherence to stupid protocols.

The question, then, is how to apply this principle to the case at hand. My suggestions:

1. Do not have clickable links in your email reader at all. Reject any email software that doesn't support falling back to plain-text email or, at the very least, not downloading remote content and not having clickable links. What mail readers work here?

2. Use the same protocol for accessing any privileged resource. For example, use a password manager outside of the browser, like KeePass, and start by clicking the URL you saved there. Never deviate from this protocol. You don't just "end up" at a password screen.
