How to Prevent Phishing Attacks in Your Organization

Preventing phishing attacks in an organization requires layered defenses: technical controls that block fraudulent emails before they reach inboxes, training that teaches employees to recognize and report the ones that slip through, and incident response plans that limit damage when someone does click. No single tool eliminates phishing risk, but combining these layers dramatically reduces the odds of a successful attack.

Authenticate Your Domain to Block Spoofed Emails

Most phishing emails impersonate a trusted sender, often your own organization’s domain. Three email authentication protocols work together to stop this: SPF, DKIM, and DMARC. All three are DNS records you configure for your domain, and together they tell receiving mail servers how to verify that an email claiming to come from your organization actually did.

SPF (Sender Policy Framework) is a DNS record that lists the IP addresses and mail servers authorized to send email on behalf of your domain. When a receiving server gets a message from your domain, it checks that list. If the sending server isn’t on it, the message fails the SPF check.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. You generate a key pair, publish the public key in your DNS, and your mail server signs messages with the private key. The receiving server uses the public key to verify both the sender’s identity and that the message content hasn’t been altered in transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together by telling receiving servers what to do when a message fails those checks. You set a policy: “none” (just monitor and report), “quarantine” (send failures to spam), or “reject” (block them entirely). Start with “none” so you can review reports and identify any legitimate senders you missed in your SPF record. Once you’re confident your authorized senders are properly configured, move to “quarantine” and eventually “reject.” This gradual approach prevents you from accidentally blocking legitimate business emails while you tighten the policy.
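As an added illustration (not part of the original article), the Python below evaluates constructed SPF and DMARC records the way a receiving server would: it checks a sending IP against the SPF `ip4`/`ip6` mechanisms and the final `all` term, parses the DMARC policy, and maps an SPF failure to the disposition each policy stage produces. The domain, addresses and record contents are made-up sample values; `include`, `a` and `mx` mechanisms need DNS and are not resolved here, and DKIM and identifier alignment are left out.

```python
import ipaddress

# Constructed sample records for a hypothetical domain; not real DNS data.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DMARC_POLICIES = ("none", "quarantine", "reject")  # the gradual rollout order


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6 mechanisms and the final 'all' term of an SPF record.
    Returns 'pass', 'fail', 'softfail' or 'neutral'. Mechanisms that need DNS
    lookups (include, a, mx, ptr, exists) are skipped in this offline demo."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"  # an omitted qualifier means '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6") and arg:
            # A v4 address never matches a v6 network (and vice versa).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no 'all' term was present


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; require v=DMARC1 and a valid p tag."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in DMARC_POLICIES:
        raise ValueError("not a valid DMARC record")
    return tags


def disposition(spf_result: str, dmarc_record: str) -> str:
    """What a receiver does with a message given its SPF result and the sender
    domain's DMARC policy: p=none only reports the failure, the others enforce."""
    if spf_result == "pass":
        return "deliver"
    policy = parse_dmarc(dmarc_record)["p"].lower()
    return "deliver" if policy == "none" else policy
```

Running `disposition(spf_check(SPF_RECORD, ip), DMARC_RECORD)` for an unauthorized IP returns `deliver` while the policy is still `p=none`, which is exactly why the monitoring stage is safe to start with.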

Deploy Phishing-Resistant Multi-Factor Authentication

Standard multi-factor authentication (MFA), where you enter a code from a text message or authenticator app, stops attackers who steal passwords. But it does not stop adversary-in-the-middle attacks, where a phishing page sits between you and the real login screen, relaying your password and your MFA code to the real site in real time. SMS codes and app-based one-time codes are always vulnerable to this technique.

FIDO2 security keys and passkeys solve this problem. When you log in with a FIDO2 credential (a physical USB/NFC key or a device-based passkey), the authentication process cryptographically binds your credential to the specific website domain. If an attacker sets up a fake login page at a lookalike URL, the key simply won’t respond because the domain doesn’t match. According to the UK’s National Cyber Security Centre, FIDO2 credentials are “never vulnerable” to adversary-in-the-middle phishing, while traditional MFA is “always vulnerable.”

Prioritize FIDO2 rollout for your highest-risk accounts first: IT administrators, finance staff, executives, and anyone with access to sensitive systems or payment authority. Most major identity providers and cloud platforms now support FIDO2 keys and passkeys natively, so the infrastructure is likely already in place.
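To make the domain binding concrete, here is an added Python sketch (not from the article or any FIDO library) of the two places where WebAuthn ties a credential to a site: the browser-side rule that an RP ID must match the page's host or a parent domain of it, and the relying-party checks on `clientDataJSON` and `authenticatorData` that reject an assertion produced on a different origin. `RP_ID`, `EXPECTED_ORIGIN`, the lookalike host and the challenge bytes are assumed sample values; signature verification and the public-suffix check are left out.

```python
import base64, hashlib, json
from urllib.parse import urlparse

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed genuine login origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Client-side rule: the RP ID must equal the page's host or be a parent
    domain of it, so a lookalike origin cannot ask for the real site's credential.
    (The public-suffix check a browser also applies is omitted here.)"""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal authenticatorData as an authenticator emits it:
    sha256(rpId) || flags (UP|UV) || signCount. Constructed for the demo."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser records it for an assertion."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Relying-party checks that bind an assertion to this site. Returns 'ok' or
    the first failed check. Signature verification over
    auth_data || sha256(clientDataJSON) is omitted; it would follow these checks."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "bad-type"
    if client.get("challenge") != b64url(challenge):
        return "bad-challenge"       # replayed or foreign challenge
    if client.get("origin") != EXPECTED_ORIGIN:
        return "bad-origin"          # assertion was produced on another site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad-rp-id-hash"      # credential scoped to a different RP ID
    if not auth_data[32] & 0x01:
        return "no-user-presence"
    return "ok"
```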

Run Phishing Simulations That Change Behavior

Technical controls catch a lot, but some phishing messages will always reach inboxes. Your employees are the last line of defense, and simulation programs are the most effective way to build the instinct to spot what gets through. The goal isn’t to trick people into failing. It’s to give them low-stakes practice recognizing phishing so they develop the reflex to pause and report.

Frequency and Targeting

Monthly simulations work well as a baseline for most employees. For high-exposure roles like finance, IT, and executive support, increase frequency to every one to four weeks using short micro-drills rather than elaborate scenarios. New hires should receive an initial benchmark simulation shortly after onboarding, then follow-up tests at 30, 60, and 90 days. Be careful not to over-test to the point where employees become desensitized or cynical about the program.

Coaching Over Punishment

How you handle employees who click matters more than the simulation itself. Organizations that punish failures create a culture where people hide mistakes instead of reporting them, which is exactly the opposite of what you need during a real attack. Reward the behavior you want: when someone reports a suspicious email, give them instant positive feedback. When someone clicks a simulated phishing link, pair the miss with a short micro-lesson explaining what they missed and why.

For repeat clickers, coach individually rather than escalating to disciplinary action. Tailor the coaching to their specific role and the types of lures they fall for. Some people click out of curiosity rather than negligence. Those employees can actually become peer champions if you channel that curiosity constructively, for instance by giving them a safe sandbox to explore suspicious messages. Only escalate to manager check-ins if a pattern persists after sustained coaching. Keep HR involved as a culture partner, not an enforcer.

Layer Technical Filters Beyond Email Authentication

Email authentication stops domain spoofing, but attackers also use lookalike domains, compromised legitimate accounts, and non-email vectors like text messages and collaboration platforms. Additional technical layers help catch what authentication alone cannot.

A secure email gateway or built-in cloud email security scans inbound messages for malicious links and attachments before delivery. URL rewriting and time-of-click scanning check links not just when the email arrives, but also when the recipient actually clicks, catching delayed attacks where a link is weaponized after delivery. Attachment sandboxing opens files in an isolated environment to detect malware before it reaches the endpoint.

DNS filtering blocks connections to known phishing domains across your entire network, so even if someone clicks a malicious link, the connection fails. Endpoint detection and response (EDR) tools on workstations provide a final safety net, flagging suspicious processes that might indicate malware execution from a phishing payload. Each layer compensates for gaps in the others.

Limit the Blast Radius With Access Controls

Even the best defenses occasionally fail, so structure your environment to limit how much damage a single compromised account can cause. Apply the principle of least privilege: every employee should have access only to the systems and data their role requires. When an attacker compromises a marketing coordinator’s account, they shouldn’t be able to reach financial systems or customer databases.

Segment your network so that a compromised workstation in one department can’t freely communicate with servers in another. Disable legacy protocols that don’t support modern authentication. And require re-authentication for sensitive actions like wire transfers, payroll changes, or admin-level system modifications, even for users who are already logged in.

Build an Incident Response Playbook

When someone reports a phishing email or clicks a suspicious link, your team needs a clear, rehearsed sequence of actions. CISA recommends the following containment steps after a confirmed phishing compromise:

  • Re-provision compromised accounts. Reset passwords and revoke active sessions immediately to cut off attacker access.
  • Audit account access. Review login logs, email forwarding rules, and connected applications to confirm the attacker no longer has a foothold in the account.
  • Isolate affected workstations. Disconnect compromised machines from the network to prevent malware from spreading laterally to other systems.
  • Analyze the malware. Have a specialized team (internal or external) examine what was delivered to understand its capabilities and scope.
  • Eradicate the malware. Remove it from the network entirely so no other workstations can be affected.
  • Restore and verify. Bring systems back to normal operations, confirm remediation was successful, rebuild anything that was compromised, and correct any misconfigurations discovered during the investigation.
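The "audit account access" step is easy to describe and easy to do badly, so here is an added Python example (not from CISA or the article) that reviews a constructed export of mailbox rules and flags the ones worth a closer look after a compromise: rules forwarding outside the organization, rules that delete the original after forwarding, and rules with an empty or punctuation-only name. The export format, field names, `ORG_DOMAINS` and all addresses are assumptions made up for the demo, not any mail platform's real schema.

```python
import json

ORG_DOMAINS = {"example.com"}  # assumed: domains the organization owns

# Constructed sample export of mailbox rules, one JSON object per line.
# The field names are an assumption, not a particular mail platform's format.
RULES_EXPORT = """
{"mailbox": "j.doe@example.com", "rule": "Archive newsletters", "forward_to": [], "delete": false}
{"mailbox": "j.doe@example.com", "rule": ".", "forward_to": ["collector@mail-archive.example.net"], "delete": true}
{"mailbox": "a.lee@example.com", "rule": "Copy to assistant", "forward_to": ["p.assistant@hr.example.com"], "delete": false}
{"mailbox": "a.lee@example.com", "rule": "Invoices", "forward_to": ["ap@EXAMPLE.COM", "bob@example.com.attacker.test"], "delete": false}
"""


def is_external(address: str) -> bool:
    """True unless the address's domain is an org domain or a subdomain of one.
    Comparing on the full domain avoids being fooled by 'example.com.<other>'."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def audit_forwarding_rules(export: str) -> list:
    """Return (mailbox, rule name, reasons) for every rule that needs review.
    A rule is flagged when it forwards outside the org, deletes messages after
    forwarding (which hides the leak from the mailbox owner), or has a name
    that is empty or punctuation only (easy to overlook in a rule list)."""
    findings = []
    for line in export.strip().splitlines():
        rule = json.loads(line)
        reasons = []
        external = [a for a in rule["forward_to"] if is_external(a)]
        if external:
            reasons.append("forwards to external: " + ", ".join(external))
        if rule["forward_to"] and rule["delete"]:
            reasons.append("deletes messages after forwarding")
        if not rule["rule"].strip(".-_ "):
            reasons.append("rule name is empty or punctuation only")
        if reasons:
            findings.append((rule["mailbox"], rule["rule"], reasons))
    return findings
```

On the sample export this flags the "." rule in j.doe's mailbox on all three counts and the "Invoices" rule for its lookalike external recipient, while the two internal rules pass.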

Document this playbook and run tabletop exercises at least twice a year. The middle of an actual incident is not the time to figure out who does what. Assign clear roles: who isolates the machine, who resets the credentials, who communicates with affected staff, and who escalates to leadership. The faster your team moves through these steps, the less time an attacker has to move laterally through your environment.

Make Reporting Easy and Expected

Your entire defense strategy depends on employees actually telling you when something looks wrong. If reporting is cumbersome or carries social stigma, people won’t do it. Add a one-click “Report Phishing” button to your email client so flagging a suspicious message takes seconds. Acknowledge every report, even false positives, with a quick thank-you. This reinforces that reporting is valued, not a waste of IT’s time.

Track reporting rates alongside click rates in your simulation program. A rising report rate is a stronger indicator of a healthy security culture than a falling click rate alone. When employees report real phishing attempts quickly, your security team can pull the message from every inbox in the organization before more people see it, turning one alert employee into protection for the entire company.