Defense layers: security awareness training, phishing simulations, clear verification procedures, a culture of healthy skepticism, technical controls (email filtering, DMARC), and MFA (a stolen password alone no longer grants access, so credential theft is largely defeated).
Culture is the most powerful defense — employees who verify unexpected requests through separate channels stop most social engineering. Never punish employees for reporting suspected social engineering — even if it turns out to be legitimate.