Hacker News

You can strip the links and replace them with a man-in-the-middle link so that you couldn't just directly click on the link.



And then what? You show them the original link and they click it again?


There's a million different things you can do. You can simply strip out all links. You can strip out links and only allow white-listed links, etc. Once the site has been vetted then it could be allowed to be clicked on. Or you can just have a big JavaScript alert box that said "Remember, you are clicking on a link that is unvetted and it could steal your credentials. Be careful." I don't know, be creative.

Anything that will wake people up and stop them from just blindly clicking on things. For a financial institution like Coinbase where a hacker could compromise the security of the entire company, it doesn't seem completely unreasonable.


Then the attacker could buy ads on a site they suspect you will visit.

As long as the employee needs to be able to browse the internet, any whitelisting of links seems like a waste of resources.


>Or you can just have a big javascript alert box that said "Remember, you are clicking on a link that is unvetted and it could steal your credentials. Be careful

That might work for the first day or so, but you'll eventually tune them out and blindly click past the warning.



