We use KnowBe4.com's user training. That's really the only way you can fight this, since it's a human problem, not a technical one. These guys provide fully automated, AI-based (well, who knows what that means) simulated phishing attacks, largely to give users real-world practical experience detecting and fending off attacks. You get a report card on each user too, so you know where the weaknesses are in your staff's knowledge. Their training regimen includes some pretty good self-guided instructional videos.
DMARC, SPF, digitally-signed emails, encryption, none of that matters if a user can be tricked into letting the crooks in the front door.
-mel
From: NANOG <nanog-bounces+mel=beckman.org@nanog.org> on behalf of Michael Thomas <mike@mtcc.com>
Sent: Monday, November 13, 2023 11:40 AM
To: nanog@nanog.org <nanog@nanog.org>
Subject: Appropriate venue to find out about the state of art of spear phishing defense?
I know this is only tangentially relevant to nanog, but I'm curious if anybody knows where I can ask what orgs do to combat spear phishing?
Spear phishing doesn't require that you deploy DMARC since you can know your own policy even if you aren't comfortable publishing it to the world.
tia, Mike
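Mike's point that you can enforce your own alignment policy on inbound mail without publishing a DMARC record is illustrated by this added example (not part of the thread): it evaluates the Authentication-Results header of a received message against a locally held DMARC-style policy for your own domain. The policy dictionary, the sample messages and the domains in them are constructed; the organizational-domain reduction is a naive two-label cut rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string

# Constructed local policy: what _dmarc.example.com would say if it were published.
LOCAL_POLICY = {"domain": "example.com", "adkim": "r", "aspf": "r", "p": "reject"}

def org_domain(domain):
    """Naive organizational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') is exact, relaxed ('r') is org-domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Yield (method, result, authenticated domain) tuples from Authentication-Results."""
    pattern = r"(spf|dkim)=(\w+)[^;]*?(?:header\.d|smtp\.mailfrom)=([^\s;]+)"
    for method, result, ident in re.findall(pattern, header):
        yield method, result, ident.split("@")[-1]   # smtp.mailfrom may carry a local part

def evaluate(raw_message, policy=LOCAL_POLICY):
    """Return 'pass', the policy disposition, or 'not-in-scope' for other domains."""
    msg = message_from_string(raw_message)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not m or org_domain(m.group(1)) != policy["domain"]:
        return "not-in-scope"            # our policy only covers mail claiming our domain
    from_domain = m.group(1)
    for method, result, dom in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass":
            continue
        mode = policy["aspf"] if method == "spf" else policy["adkim"]
        if aligned(dom, from_domain, mode):
            return "pass"                # at least one authenticated, aligned identifier
    return policy["p"]                   # no aligned pass: apply our (unpublished) policy

# Constructed sample messages as they might arrive at the receiving MTA.
LEGIT = ("From: Alice <alice@example.com>\nAuthentication-Results: mx.example.com;"
         " dkim=pass header.d=example.com; spf=fail smtp.mailfrom=bulk.mailer.test\n\nhi\n")
SPOOFED = ("From: CEO <ceo@example.com>\nAuthentication-Results: mx.example.com;"
           " dkim=pass header.d=lookalike.invalid; spf=pass smtp.mailfrom=lookalike.invalid\n\nwire\n")
SUBDOMAIN = ("From: Bob <bob@mail.example.com>\nAuthentication-Results: mx.example.com;"
             " spf=pass smtp.mailfrom=bounce@bounce.example.com; dkim=none\n\nreport\n")
THIRD_PARTY = "From: Vendor <news@vendor.test>\nAuthentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.test\n\nnews\n"

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate(raw))
```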