
The solution is simple technically but complicated socially.

Simply, never send a customer a link for them to click. Instead, tell them to go to your site and to log in; then ensure anything important is easily found.



This would work if everyone did it, but one website doing it in isolation seems unlikely to have much impact. Even if you have a very clearly spelled out "We will never send links" policy, your customers interact with dozens of websites and are unlikely to specifically remember your policy when they read the email.


Which is why it's easy technically, hard socially.


Bad guys won't follow this sort of rule.


The point is, you could hopefully train users that a link in an email is an unusual and suspect behavior. And/or start disabling rendering of links in email.


Yes, I think you’re right. Despite the established potential threat, many people still don’t think twice about clicking on links. I think you’re on to something. It starts micro and hopefully becomes the norm at some point.



