Defense layers: security awareness training, phishing simulations, clear verification procedures, a culture of healthy skepticism, technical controls (email filtering, DMARC), and MFA (defeats credential theft).
Security culture is the most powerful defense — employees who feel comfortable reporting suspicious activity are more valuable than any technical control. "Verify before you trust" should be a default mindset. Make it easy to report and never punish reporters.