Clicking a link can be more than enough to “get hacked”; you don’t always need to enter credentials. So yes, unfortunately the correct answer is either to have the whitelist of domains in your head (BUT this is also very risky due to homograph attacks [1]), or simply never click links in mails.
The secure thing to do is: Read the mail that tells you to click a link to whatever online tool you work with. Then, instead of clicking the link in the mail, you open a browser and manually visit the site the link was pointing to. If there is a message, notification, or something else that the email wants you to look at, then it will also be there when you log in “directly”.
How can clicking a link get you hacked? 20 years ago with insecure browsers, yes, but how does that happen today? Homograph doesn't matter if you don't even look at the domain name.
If those employees are supposed to follow your recommendation and never click links in emails, why don't their employers strip URLs from emails for them? Some of them are already inserting warning messages for external emails. I think they're supposed to do the white-list-in-head thing, which seems awful.
Is there a good way (right now) to defend against this? I'm willing to live with a browser that only accepts ASCII in the address bar, and disables Unicode in email (replaced with �?)
No browser or browser extension that I know of, but it may exist.
I always circumvent it by just never clicking links sent to me (mail, SMS, WhatsApp, etc.). If I get a mail from, for example, Netflix that says there is a problem with my billing or whatever, I open a browser myself, go to Netflix’s site and log in. If there really is a billing issue then I can see it after logging in. The links are actually never needed if you think about it.
Other than that, use MFA (multi-factor) everywhere you can. It doesn’t defeat phishing attacks completely, but it is good protection. (Hackers can buy tools that provide them with a UI to build and execute phishing campaigns, even ones that include handling MFA.)
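Since the question above asks for an ASCII-only defence and the reply knows of no browser feature for it, here is an added example (not from anyone in this thread) of the check a mail gateway or a local link-vetting script could apply: it decodes punycode (`xn--`) hostnames to what the browser would display, and flags either any non-ASCII label (the strict policy asked for) or a label that mixes scripts. The sample links are constructed; the "Netflix" look-alike swaps the Latin "i" for Cyrillic U+0456.

```python
import unicodedata
from urllib.parse import urlsplit

def unicode_host(url):
    """Hostname as Unicode: decode punycode (xn--) labels the way a browser displays them."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: keep as-is

def label_scripts(label):
    """Scripts used by the letters of one DNS label (first word of each char's Unicode name)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_link(url, ascii_only=False):
    """Vet a link's hostname. ascii_only=True rejects any non-ASCII label (strict policy);
    otherwise only labels mixing scripts (e.g. Latin + Cyrillic) are flagged.
    Caveat: a label written wholly in one look-alike script passes the mixed-script
    test, which is exactly why the strict ASCII-only policy exists."""
    host = unicode_host(url)
    reasons = []
    for label in host.split("."):
        if ascii_only and not label.isascii():
            reasons.append(f"{label!r}: non-ASCII label")
        elif len(label_scripts(label)) > 1:
            reasons.append(f"{label!r}: mixes scripts {sorted(label_scripts(label))}")
    return {
        "host": host,
        "punycode": host.encode("idna").decode("ascii"),  # what DNS actually resolves
        "reasons": reasons,
        "ok": not reasons,
    }

# Constructed sample links for the demo (not taken from the thread).
SAMPLES = [
    "https://www.netflix.com/account",
    "https://www.netfl\u0456x.com/account",  # Cyrillic U+0456 in place of Latin 'i'
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, check_link(link))
        print(link, check_link(link, ascii_only=True))
```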
1: https://en.wikipedia.org/wiki/IDN_homograph_attack