Stop Phishing: Disable HTML Links in Email

TL;DR

Phishing emails often use links to steal your information. The best way to prevent clicking malicious links is to disable the automatic rendering of HTML links in your email client. This turns them into plain text, making it much harder for attackers to trick you.

How to Prevent Phishing by Turning Off HTML Links

1. Understand the Risk: Phishing emails use deceptive links that look legitimate but lead to fake websites designed to steal your passwords, financial details, or install malware.
2. Disable HTML Rendering in Your Email Client: The exact steps vary depending on which email client you use. Here’s how to do it for some popular options:
   • Gmail (Web Browser):
     1. Click the Settings gear icon (top right).
     2. Select See all settings.
     3. Scroll down to the General tab.
     4. Under ‘HTML display’, choose Plain text mode.
     5. Scroll to the bottom and click Save Changes.
   • Outlook (Desktop):
     1. Go to File > Options > Mail.
     2. Under ‘Compose messages’, click the button next to ‘Use HTML format for new messages and replies’. This will open a dialog box.
     3. Select Rich Text or Plain Text (depending on your version). Choosing Plain Text disables HTML rendering.
     4. Click OK twice.
   • Thunderbird:
     1. Go to Tools > Options > General.
     2. Under ‘Configurable’, click Config Editor…
     3. Search for mail.html.send_plaintext.
     4. Double-click the preference to toggle it to true. This forces all outgoing messages to be sent as plain text, and often affects incoming display too.
     5. Restart Thunderbird.
   • Apple Mail:
     1. Go to Mail > Preferences > Composing.
     2. In the ‘Format’ dropdown menu, select Plain Text.
3. Check Your Email Security Settings: Most email providers have additional security features:
   • Gmail: Enable two-factor authentication (2FA) for extra protection. Check your spam filter settings regularly.
   • Outlook/Microsoft 365: Use Microsoft Defender for Office 365 to scan emails for phishing attempts. Enable 2FA.
4. Be Vigilant Even with HTML Disabled: While disabling HTML links significantly reduces risk, attackers can still use other tactics:
   • Look for Spelling and Grammar Errors: Phishing emails often contain mistakes.
   • Verify Sender Addresses: Check the full email address carefully – not just the display name. Hover over links (if enabled) to see where they actually lead before clicking.
   • Don’t Share Personal Information: Legitimate organizations will rarely ask for sensitive information via email.