By doing what?
Removing all links from emails is a great start. Let’s say IT does this. This policy makes it so that the emails people get from Facebook and Twitter don’t work as intended. Do people say “Well, phishing is bad so I’m willing to give up on my dog sweater Facebook group email”? Nope! They call IT and the next thing you know the policy has been removed.
IT can’t help people because people don’t want to be helped. Whatever policy exception you make, that will be what the next generation of phishing looks like.
Even simple policies like DMARC are unpopular because some senders someplace don’t have things configured correctly. When people find out they aren’t getting some message, they want the protections turned off.