by patentatt 1226 days ago
Same with PayPal. I've received perfectly valid emails direct from PayPal that include random sketchy links from third parties that are obvious phishing expeditions. I reported it to PayPal, but the ability still exists.

That's inherent to features that allow user generated content, which is obviously mandatory in the context of PayPal's invoicing feature.

The only reason why companies don't care about it in the context of mail is because there is no equivalent to safe browsing for mails, so domains aren't penalized by Google for sending fraudulent messages at small scale. If this was to change, they'd all pivot to using secondary domains for these mails, like GitHub does for GitHub Pages.

It would also be a pretty pointless feature as you'd probably complain anyway, as the email would still come from a PayPal-owned domain.

On the same topic: if you've got a Gmail address you're also able to send from @googlemail.com

Is this another security issue in your opinion?

How about disallowing URLs or even just vetting URLs in the messages sent from your own service? One of the ones I received was a link to a fake PayPal login that was something along the lines of (making this up) http://login.PayPal.com.somethingsketchy.biz/login.php and was a replica of the PayPal login screen. It was pretty blatant. Seems like they should figure out a way to avoid that is all, because I know my mother would have put in her PayPal credentials to that site and I'd be hard pressed to fault her for it. We train users to check if it's a valid/real email before clicking on links and this was a perfectly real email sent from PayPal with a malicious link. This seems like PayPal's responsibility to me. I'm shocked they don't care about this.
Vetting is impossible, the scammers can just change the content of the page after the PayPal bot requested the website. Human vetting is even more impossible, invoices will always require unique links for each mail.

Nor does it matter whether it's a clickable link or text in this context. The only way to "solve" your issue is by removing user generated content, which makes the invoicing feature inherently impossible.

If you're seriously shocked that PayPal isn't decommissioning a highly profitable feature because a random carebear worries about their family... Then you're honestly out of touch with reality.

Most people nowadays know that emails are untrustworthy, and if your family doesn't... Then you should tell them that, as they're bound to get scammed eventually if they click on any links from their inbox.

http://login.PayPal.com.somethingsketchy.biz/login.php

PayPal in a URL pointing to a non-PayPal domain, no need to load the webpage to flag that.
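The check the last comment describes, as an added example that is not part of the thread and not PayPal's code: it never fetches the page, so the "scammers change the content after the bot visits" objection does not apply. It parses each URL in an outgoing message, derives the registrable domain of the host, and flags any URL whose host part mentions the brand while the registrable domain is not on an allowlist. The allowlist (`paypal.com` only), the `registrable_domain` helper (last two labels; a real deployment would use the Public Suffix List, e.g. the `tldextract` package) and the sample invoice text are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

BRAND = "paypal"
# Assumed allowlist of brand-owned registrable domains. A real deployment would
# populate this from the company's own domain inventory.
BRAND_DOMAINS = {"paypal.com"}

# Deliberately simple URL extractor for message bodies; trailing punctuation
# is stripped in scan_message().
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels of the host name.

    Correct for .com/.biz style TLDs; multi-label suffixes such as co.uk need
    the Public Suffix List (e.g. tldextract), which is out of scope here.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> str:
    """Return 'brand', 'lookalike', 'idn-review', 'other' or 'no-host'."""
    parts = urlsplit(url)
    host = parts.hostname  # lowercased, userinfo and port removed
    if not host:
        return "no-host"
    # Punycode / non-ASCII hosts can hide homoglyph lookalikes that a plain
    # substring test would miss, so route them to manual review.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "idn-review"
    if registrable_domain(host) in BRAND_DOMAINS:
        return "brand"
    # Check the whole netloc, not just the hostname, so that
    # https://paypal.com@evil.biz/ (brand in the userinfo) is flagged too.
    if BRAND in parts.netloc.lower():
        return "lookalike"
    return "other"


def scan_message(body: str) -> list[tuple[str, str]]:
    """Extract every URL in an outgoing message and classify it."""
    results = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:)")
        results.append((url, classify(url)))
    return results


# Constructed sample invoice text; the sketchy URL is the one the thread made up.
SAMPLE_INVOICE = """Invoice #1042 from a third-party seller (constructed sample).
Pay securely at https://www.paypal.com/
Confirm your account here: http://login.PayPal.com.somethingsketchy.biz/login.php
Questions? See https://example.org/support
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_INVOICE):
        print(f"{verdict:10} {url}")
```

A message with any `lookalike` verdict can be held for review or sent with the link replaced by plain text; `idn-review` verdicts need a human or a homoglyph-aware check because the substring test cannot see through punycode.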