I’ve been working in cybersecurity for over a decade, and I can tell you that few phrases raise my blood pressure faster than “click here” Early in my career, I didn’t give it much thought. It seemed like harmless web copy. That changed after I helped a mid-sized company recover from a ransomware attack that began with a single email containing those two words. Since then, I’ve adjusted how I teach, design, and audit digital communications, because vague links are rarely innocent.
In my day-to-day work as a security consultant, I review phishing incidents, conduct employee training, and help organizations tighten internal policies. One of the most common threads in breaches I investigate is a poorly labeled link. A few years ago, a finance employee at a client firm received what looked like a routine vendor invoice. The message was polished and professional. In the middle of it was a blue hyperlink that simply said “click here.” She did. Within minutes, malicious software began spreading across their internal systems. They ended up spending several thousand dollars on emergency remediation and lost nearly a week of productivity. All from a vague call to action.
The problem with “click here” is that it hides context. Users have no idea where they’re being directed. In controlled security tests I’ve run during corporate workshops, I deliberately include two types of links: one labeled clearly with a recognizable company domain, and another labeled “click here.” The second one almost always gets more clicks. It’s a behavioral reflex. People are trained to follow instructions, especially when urgency is implied.
I remember running a training session last fall for a regional logistics company. During a simulated phishing exercise, one employee hesitated before clicking a suspicious link. He told me afterward that what made him pause wasn’t the email content—it was the generic . He hovered over it and saw a strange web address that had nothing to do with the supposed sender. That small moment of caution likely saved him from handing over his credentials. Experiences like that are why I insist on descriptive links in every communication I review.
Another mistake I often see is internal teams assuming that vague links are fine because the message is “only going to staff.” That’s a dangerous assumption. Internal accounts get compromised all the time. Once an attacker gains access to one inbox, they often send convincing emails from inside the organization. If your company culture normalizes “click here” links, employees are less likely to question them. I’ve seen attackers exploit exactly that trust.
As someone who has spent years responding to breaches, I strongly recommend replacing generic links with descriptive text. Instead of say “Download the April Financial Report” or “Access Your Payroll Portal.” Clear language doesn’t just improve security; it builds user confidence. In one nonprofit organization I advised, we revamped their email newsletters to remove every instance of “click here.” Not only did phishing risk decrease, but engagement improved because recipients knew exactly what they were selecting.
There’s also an accessibility angle that often gets overlooked. Screen readers used by visually impaired users frequently pull links out of context. If all the user hears is, ,” the experience becomes confusing and frustrating. I’ve worked with web development teams to correct this issue, and it’s eye-opening how something so small can affect both security and usability.
After years of investigating incidents, I no longer see ” as lazy writing. I see it as unnecessary exposure. Most cyberattacks don’t rely on sophisticated hacking techniques; they rely on human habits. Vague links encourage blind trust. Clear, specific links encourage informed decisions.
Security isn’t always about complex firewalls or expensive software. Sometimes it starts with simple wording. In my experience, changing those two words can prevent hours of cleanup, thousands in losses, and a great deal of stress. That’s a small adjustment with a very real impact.