"Admins: give your users plaintext email.
Or filter out all links that don't point at local intranet, eg. your sharepoint etc or other whitelisted stuff."
Is a great suggestion and would solve the problem. However the first time a (legitimate) customer sends a link to an urgent order they want to place that is not on a whitelist (their Sharepoint or Google drive for example) and you as the one person who can send it through happens to be off for the day then the stuff really will hit the fan..
Security and useability are always going to be at opposing ends of the see-saw. The trick is getting the blooming thing to balance..