Catching phishing with link protection best practices

How to rewrite, scan, and detonate links to stop phishing without slowing users down.

Rewrite smartly

Rewrite links on delivery, not at send time, so you can retroactively block emerging threats. Preserve original URLs in headers for auditing.

• Exclude trusted domains that you validate via allowlists.
• Sign rewritten URLs to prevent tampering.
• Expire old rewrite tokens to reduce risk.

Check at click time

Use reputation, sandboxing, and computer vision on landing pages. Phishing kits rotate domains fast; click-time checks catch what static lists miss.

• Scan for brand impersonation and MFA prompts.
• Block lookalike domains using fuzzy matches and WHOIS age.
• Return clear block pages with user education, not cryptic errors.

Measure and tune

Track click-through and block rates per department. Adjust sensitivity where finance and HR face higher-risk invoices and payroll changes.

• Send weekly reports to security champions.
• A/B test banners to reduce false positives.
• Feed confirmed threats back to the blocklist automatically.