Phishing remains one of the most common ways to gain an initial foothold in systems and networks. A specially crafted email sent to an unsuspecting user can bypass layers of technical defenses with a single click. While there are many controls that help combat the diverse attacks delivered by phishing, end user education is a necessary piece of the puzzle.
Anti-phishing campaigns are supported with materials delivered both before and after the end user training itself. Berkeley offers some free tools that help with the process, found at the links below. Training is typically followed by testing: the security team sends simulated phishing emails from external addresses to targeted users. Those who fail the test are required to repeat the training.
According to a SANS paper from 2004, phishing was effective primarily because of social engineering. The reason it is still effective today is, in all likelihood, the same. While the technology has changed over the last 15 years, people are still susceptible to the trust-building pretexts on which these attacks depend.
The training process is just one part of a complete campaign. It should be done in conjunction with technical controls: adding a header or visible tag to email that originates outside the organization, filtering dangerous file types from inbound attachments, and delivering email as plain text rather than HTML. Commercial filtering services and appliances are also available, alongside other controls that have proven effective.
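The three technical controls above, implemented as a small inbound screening routine. This is an added example, not code from the original page or from Berkeley's tools; the internal domain `corp.example`, the `[EXTERNAL]` tag, the `X-External-Sender` header name, the blocked extension list and the two sample messages are all assumptions constructed for the demonstration.

```python
"""Screen an inbound message the way a simple mail-gateway policy might:
tag external senders, block risky attachment types, and deliver a plain-text body.
Added example; the domain, tag text, header name and extension list are assumptions."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

INTERNAL_DOMAINS = {"corp.example"}                   # assumed: the organisation's own domains
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk"}  # assumed block list
EXTERNAL_TAG = "[EXTERNAL]"                           # assumed subject prefix


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> str:
    # parseaddr ignores the display name, so "IT Helpdesk <x@evil.example>" is judged on the address.
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(msg: EmailMessage) -> EmailMessage:
    """Mark external mail with a header (for mail rules) and a subject prefix (for people)."""
    if is_external(msg):
        if "X-External-Sender" not in msg:
            msg["X-External-Sender"] = "yes"
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


def blocked_attachments(msg: EmailMessage) -> list:
    """Return attachment names whose extension is on the block list (case-insensitive)."""
    names = []
    for part in msg.iter_attachments():   # immediate attachments of the top-level multipart
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            names.append(name)
    return names


class _TextOnly(HTMLParser):
    """Collect visible text and drop script/style content."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html: str) -> str:
    p = _TextOnly()
    p.feed(html)
    p.close()
    return " ".join("".join(p.chunks).split())


def plain_text_body(msg: EmailMessage) -> str:
    """Prefer an existing text/plain part; otherwise reduce the HTML part to text."""
    part = msg.get_body(preferencelist=("plain",))
    if part is not None:
        return part.get_content().strip()
    part = msg.get_body(preferencelist=("html",))
    return html_to_text(part.get_content()) if part is not None else ""


def screen(raw: bytes) -> dict:
    msg = tag_external(parse_message(raw))
    blocked = blocked_attachments(msg)
    return {
        "external": is_external(msg),
        "subject": str(msg["Subject"]),
        "blocked_attachments": blocked,
        "action": "quarantine" if blocked else "deliver",
        "body": plain_text_body(msg),
    }


# Constructed sample: a lookalike helpdesk lure carrying an executable.
SAMPLE = (
    b"From: IT Helpdesk <helpdesk@corp-example.support>\r\n"
    b"To: user@corp.example\r\nSubject: Password expires today\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"<html><body><p>Run the attached <b>tool</b> now.</p></body></html>\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"Fix.EXE\"\r\n"
    b"Content-Disposition: attachment; filename=\"Fix.EXE\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
# Constructed sample: ordinary internal mail that should pass untouched.
INTERNAL_SAMPLE = (
    b"From: alice@corp.example\r\nSubject: Lunch\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nNoon?\r\n"
)

if __name__ == "__main__":
    print(screen(SAMPLE))
    print(screen(INTERNAL_SAMPLE))
```

Two caveats for real deployment. First, the `From` header is attacker-controlled, so a forged internal address would defeat `is_external` as written; a gateway should decide "external" from where the connection arrived (the internet-facing MTA) or from SPF/DKIM alignment, not from the header alone. Second, reducing HTML to text also discards link targets, which is part of the point but means users lose legitimate URLs; many organisations instead render HTML with links shown in full so the destination is visible.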
An attack of this type can be devastating to a small or medium sized business. Further controls to mitigate losses include changing how the business handles wire transfers, for instance requiring that payment instructions received by email be verified through a separate channel before funds move. Finding the balance between those controls and the way you do business can take time and guidance.