Why layered phishing protection wins
There is no silver bullet for phishing. Mail filtering misses novel lures, technical controls do not stop a convincing phone call, and even well-trained people occasionally click. The answer is defense in depth: overlap independent layers so that when one fails, another contains the damage. If you are new to the threat, our explainers on what phishing is and how to recognize phishing set the foundation this guide builds on.
A practical model has four layers working together: prevent what you can with email authentication and filtering, harden identity so stolen credentials are useless, prepare people to spot and resist what slips through, and detect and respond fast through a strong reporting habit. Each layer reduces risk on its own; together they turn a single human mistake from a breach into a non-event.
Technical controls: email authentication and filtering
The first layer of phishing protection is stopping spoofed and malicious mail before a human ever sees it. Start with email authentication, which makes it far harder for attackers to impersonate your domain or trusted brands.
SPF, DKIM and DMARC
- SPF authorizes which mail servers may send for your domain, so spoofed senders fail the check.
- DKIM cryptographically signs messages so recipients can verify they were not altered in transit.
- DMARC ties SPF and DKIM to the visible From domain, sets a policy (none, quarantine, or reject), and sends you reports. Moving to an enforced reject policy is one of the highest-impact anti-phishing steps you can take.
- Modern secure email gateways and the filtering built into Microsoft 365 and Google Workspace add link rewriting, attachment sandboxing, and impersonation detection on top.
Combine these with sensible inbound rules: flag external senders, strip risky attachments, and warn on look-alike domains. Remember that adversary-in-the-middle and QR-code (quishing) attacks are designed to slip past filters, so technical controls reduce volume but never reach zero.
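To make the DMARC alignment rule concrete, here is an added example (not code from the original page) that evaluates one message the way a receiving server does, given its SPF and DKIM results; the record, domains and the two-label organizational-domain rule are assumptions for illustration.

```python
"""Evaluate DMARC for one message from its SPF and DKIM results (RFC 7489 logic, simplified).
Added example; the record and domains are constructed, not taken from any real zone."""

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lowercase tags, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Organizational domain. Simplification: the last two labels; real
    implementations consult the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf=None, dkim=None):
    """spf / dkim are (authenticated_domain, result) tuples with result 'pass' or 'fail':
    SPF's domain is the envelope MAIL FROM, DKIM's is the d= tag of a valid signature.
    `record` is the DMARC record of the From domain's organizational domain.
    Returns (dmarc_result, disposition) with disposition 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf is not None and spf[1] == "pass" and aligned(from_domain, spf[0], tags.get("aspf", "r"))
    dkim_ok = dkim is not None and dkim[1] == "pass" and aligned(from_domain, dkim[0], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned, passing identifier is enough
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]            # sp= overrides p= for subdomain senders
    return "fail", policy

RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Spoofed From: the attacker's server passes SPF for its own envelope domain, but it is not aligned.
    print(evaluate(RECORD, "example.com", spf=("evil.example", "pass")))   # ('fail', 'reject')
    # Forwarded legitimate mail: SPF breaks, but the aligned DKIM signature survives.
    print(evaluate(RECORD, "example.com", spf=("example.com", "fail"), dkim=("example.com", "pass")))
```

The second case is why DKIM matters alongside SPF: forwarding breaks SPF, and without an aligned DKIM signature a reject policy would drop your own legitimate mail.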
Identity hardening: MFA and phishing-resistant passkeys
Stolen credentials are among the most common ways attackers get in, so the goal of this layer is simple: make a phished password worthless. Multi-factor authentication (MFA) is the baseline and should be enforced everywhere, especially on email, VPN, and admin accounts.
But not all MFA is equal. Attackers defeat weaker factors with techniques you should plan for:
- MFA fatigue (push bombing): flooding a user with approval prompts until one is accepted out of annoyance.
- Adversary-in-the-middle (AiTM): a proxy that relays the login in real time to capture both the password and the session token, bypassing one-time codes and push approvals.
- OAuth consent phishing: tricking a user into granting a malicious app token-based access without ever stealing a password.
The strongest answer is phishing-resistant authentication. Passkeys and FIDO2/WebAuthn use public-key cryptography bound to the legitimate website's origin, so credentials simply cannot be replayed on a spoofed site. Roll these out for high-risk roles first, restrict OAuth app consent, and apply conditional-access rules that limit logins to managed devices and expected locations.
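The origin binding described above, as an added example that is not part of the original page: a reduced relying-party check in the WebAuthn data layout, showing that an adversary-in-the-middle proxy relaying a passkey login gets an assertion signed over the phishing page's origin, and that patching the origin breaks the signature. The signature is a stand-in (HMAC with a per-credential key) for the authenticator's public-key signature, and every origin, key and challenge is constructed; a real authenticator would also hold no credential at all for the look-alike site's rpId.

```python
"""A reduced relying-party check in the WebAuthn data layout (clientDataJSON, authenticatorData,
signature), showing why a passkey assertion cannot be replayed from a look-alike site. Added example:
the signature is a stand-in (HMAC with a per-credential key) for the authenticator's public-key
signature, and every origin, key and challenge here is constructed."""
import hashlib, hmac, json

RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com", "https://example.com"}
CRED_KEY = b"constructed-per-credential-key"   # stands in for the credential's key pair

def browser_get_assertion(page_origin, challenge, rp_id):
    """Browser + authenticator side. The browser writes the real page origin into clientDataJSON
    (the page cannot choose it) and refuses an rpId that is not the page's host or a parent of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id} is not valid for origin {page_origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4   # rpIdHash | flags | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()    # both structures are under the signature
    return client_data, auth_data, hmac.new(CRED_KEY, signed, hashlib.sha256).digest()

def verify_assertion(expected_challenge, client_data, auth_data, signature):
    """Relying-party side (WebAuthn 'verifying an authentication assertion', reduced). Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"                   # stale or reused assertion
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"                        # clientDataJSON or authData was altered
    return True, "ok"

def scenario(page_origin, rp_id, forge=False):
    """One login as the relying party sees it. An AiTM proxy can relay the challenge, but the victim's
    browser signs over the phishing page's origin and rpId; patching them (forge=True) breaks the signature."""
    challenge = "constructed-challenge"                      # real RPs use fresh random bytes per login
    client_data, auth_data, sig = browser_get_assertion(page_origin, challenge, rp_id)
    if forge:
        cd = json.loads(client_data); cd["origin"] = "https://login.example.com"
        client_data = json.dumps(cd).encode()
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return verify_assertion(challenge, client_data, auth_data, sig)
```

Compare this with a one-time code or push approval, which carries no notion of origin at all and is therefore relayed by the same proxy without any of these checks firing.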
The human layer: awareness training and realistic simulations
Employees are not the weakest link; they are the layer that catches what technology misses. The aim is to give them the knowledge and the confidence to pause on a suspicious message. A single annual slideshow does not change behavior. Short, frequent, relevant training does.
Pair continuous awareness training with realistic, localized phishing simulations that mirror the lures your people actually see, such as a fake Microsoft 365 login, a parcel-delivery (postal or courier) smishing text, or an invoice request aimed at finance. The most effective programs deliver in-the-moment micro-training the instant someone clicks, turning a mistake into a memorable, low-stakes lesson rather than a reprimand. Platforms such as PhishGun combine localized simulations with this just-in-time coaching to build measurable resilience over time. Cover targeted threats too, since spear phishing and BEC bypass mass-mail defenses and rely entirely on human judgment.
Build a fast reporting culture
Detection speed decides outcomes. A phishing email reported in minutes can be pulled from every inbox before more people click; the same email noticed days later may already be a breach. The single most useful tool here is a one-click report button in the mail client that routes suspect messages straight to your security team.
- Give everyone an obvious, frictionless way to report, ideally a built-in report button rather than a forwarding address.
- Acknowledge every report, even false alarms, so people stay motivated to use it.
- Automate triage so reported messages can be clustered, analyzed, and removed from other inboxes quickly.
- Close the loop: tell reporters when they helped stop a real attack.
A healthy reporting culture also feeds your metrics. Every report is a signal that training is working and that your people are actively defending the organization, not passively hoping filters catch everything.
Measuring progress: the metrics that matter
Phishing prevention improves only where you measure it. Move beyond a single click rate and track behavior over time so you can show leadership and auditors that risk is genuinely falling.
- Click rate: the share of recipients who click a simulated lure, trended over time and broken down by department.
- Report rate: how many people report the simulation, and how quickly. A rising report rate is often a better sign of maturity than a falling click rate alone.
- Time to report: the median time from delivery to first report, since speed limits real-world damage.
- Repeat-clicker risk: who clicks repeatedly, so coaching can be targeted where it helps most.
- Coverage and completion: which teams have current training, mapped to your risk and compliance scope.
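The metrics above, computed from a raw simulation event log as an added example (not a PhishGun or other platform's code); the users, departments, campaigns and timestamps are constructed for illustration, and a report that follows a click still counts as a report.

```python
"""Compute the simulation metrics listed above from a raw event log. Added example on constructed data."""
from collections import defaultdict
from datetime import datetime
from statistics import median

USERS = {"alice": "finance", "bob": "finance", "carol": "it", "dave": "hr", "erin": "hr"}
CAMPAIGNS = {"C1": "2025-03-03 09:00", "C2": "2025-04-07 09:00"}     # campaign -> delivery time
# Constructed event log: (campaign, user, event, timestamp); 'delivered' rows are generated for everyone.
EVENTS = [(c, u, "delivered", ts) for c, ts in CAMPAIGNS.items() for u in USERS] + [
    ("C1", "bob", "reported", "2025-03-03 09:03"), ("C1", "alice", "clicked", "2025-03-03 09:04"),
    ("C1", "carol", "reported", "2025-03-03 09:07"), ("C1", "dave", "clicked", "2025-03-03 09:10"),
    ("C1", "dave", "reported", "2025-03-03 09:12"),   # clicked, then reported: still a report
    ("C2", "bob", "reported", "2025-04-07 09:01"), ("C2", "alice", "clicked", "2025-04-07 09:02"),
    ("C2", "carol", "reported", "2025-04-07 09:05"), ("C2", "erin", "reported", "2025-04-07 09:20")]
_t = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")

def campaign_metrics(events):
    """Per campaign: click rate, report rate, minutes to first report, median minutes to report."""
    camps = defaultdict(lambda: {"delivered": {}, "clicked": set(), "reported": {}})
    for camp, user, ev, ts in events:
        c = camps[camp]
        if ev == "delivered":
            c["delivered"][user] = _t(ts)
        elif ev == "clicked":
            c["clicked"].add(user)                       # a user counts once however often they click
        elif ev == "reported":
            c["reported"].setdefault(user, _t(ts))       # first report per user
    out = {}
    for camp, c in camps.items():
        n = len(c["delivered"])
        lat = sorted((t - c["delivered"][u]).total_seconds() / 60 for u, t in c["reported"].items())
        out[camp] = {"click_rate": len(c["clicked"]) / n, "report_rate": len(c["reported"]) / n,
                     "minutes_to_first_report": lat[0] if lat else None,
                     "median_minutes_to_report": median(lat) if lat else None}
    return out

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: where coaching helps most."""
    seen = defaultdict(set)
    for camp, user, ev, _ in events:
        if ev == "clicked":
            seen[user].add(camp)
    return sorted(u for u, cs in seen.items() if len(cs) >= min_campaigns)

def click_rate_by_department(events, users=USERS):
    """Share of deliveries that were clicked, per department, across all campaigns."""
    delivered, clicked = defaultdict(int), defaultdict(set)
    for camp, user, ev, _ in events:
        if ev == "delivered":
            delivered[users[user]] += 1
        elif ev == "clicked":
            clicked[users[user]].add((camp, user))
    return {d: len(clicked[d]) / n for d, n in delivered.items()}
```

On this sample the click rate falls from 0.4 to 0.2 between campaigns while the report rate holds at 0.6 and the first report arrives faster, which is the maturity pattern the list above describes.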
Compliance: NIS2, ISO 27001 and DORA
For many European organizations, anti-phishing training is no longer optional. Several frameworks now expect demonstrable awareness activity and risk management, including responsibility at management level.
- NIS2 (Directive (EU) 2022/2555) requires basic cyber-hygiene practices and cybersecurity training for all staff, covering phishing and social engineering, and makes management bodies responsible for overseeing measures and undergoing training themselves. Slovakia transposed it via Act No. 366/2024 (in force 1 January 2025); Czechia via Act No. 264/2025 (in force 1 November 2025).
- ISO 27001 expects documented security awareness as part of an information security management system, with evidence of ongoing competence.
- DORA (Regulation (EU) 2022/2554), applicable since 17 January 2025 for financial entities, mandates ICT security awareness programmes and resilience training, including for senior management.
- GDPR remains relevant: a phishing-driven personal-data breach must be notified to the supervisory authority without undue delay, where feasible within 72 hours of becoming aware.
The practical takeaway is to keep audit-ready evidence. Training records, simulation results, and reporting metrics show that your phishing protection is a managed, measured control, not a one-off, which is precisely what assessors want to see.
Frequently asked questions
Does MFA stop phishing?
MFA blocks many attacks but not all. Basic SMS or push MFA can be defeated by adversary-in-the-middle proxies and MFA-fatigue prompts. Phishing-resistant methods like passkeys and FIDO2 are bound to the real website's origin, so stolen credentials cannot be replayed on a spoofed site.
What is the most effective way to prevent phishing?
No single measure is enough. The most effective approach layers technical controls (SPF, DKIM, DMARC and filtering), identity hardening (MFA and passkeys), continuous awareness training with realistic simulations, and a fast reporting culture. Together they ensure one mistake does not become a breach.
How do phishing simulations help?
Realistic, localized simulations let people practice spotting attacks safely and reveal where coaching is needed. Paired with in-the-moment micro-training, they change behavior far more than an annual course, and the resulting metrics provide audit-ready evidence for NIS2, ISO 27001 and DORA.
What metrics should we track for phishing prevention?
Track click rate, report rate, and time to report over time, plus repeat-clicker risk and training coverage. A rising report rate and falling time to report are strong signs of maturity, because fast reporting limits real-world damage.