IBM emphasizes that “this could happen to us” so employers should provide training on “how to avoid becoming a victim, use a variety of approaches—video, webinars, in-person instruction—and require training at intervals to make the risk clear.” IBM issued its “The perils of phishing” report in December 2015, which included these main points about education:

Most companies, banks and agencies never request personal information via email. Don’t fall prey to this most common type of phishing.

If you suspect an email might be a spear phishing campaign within your company, report it.

Immediately suspect emails with generic greetings like “Dear Customer” or spelling and grammatical errors.

Don’t trust email attachments, even if they come from a trusted source. Unless you’re expecting an email with a document attached, call the sender and confirm they sent it. Their computer might have been compromised and is sending emails without their knowledge, or their email address could have been spoofed.

Never reveal personal or financial information in response to an email request, no matter who appears to have sent it.

Of course, detecting phishing is not so easy, and IBM also points out these 5 phishing methods:

  1. Link manipulation
  2. Filter evasion
  3. Website forgery
  4. Covert redirect
  5. Evil Twins

Companies cannot do enough educating since phishing continues to get more sophisticated every day.