Cybersecurity · Technical

Phishing Prevention That Actually Works — Beyond Awareness Training

The reason your users still get phished isn't that they're careless — it's that 95% of the fight was supposed to happen before the email hit the inbox. This is how to close that gap.

11 min read Updated July 2026

The four layers — in the order attackers meet them

  1. Email authentication stops spoofed mail before it's delivered.
  2. Identity & MFA stops stolen passwords from being useful.
  3. Endpoint & browser stops the click from executing anything harmful.
  4. Human layer catches the residual — and reports it fast.

Skipping any one layer forces the next to work harder than it can. Awareness training compensating for missing DMARC is like asking the goalkeeper to also defend, midfield and strike.

Email authentication — the free 20 minutes of work most SA businesses haven't done

  • SPF — lists the servers allowed to send mail as your domain. Publish it, keep it under 10 DNS lookups, end with -all.
  • DKIM — cryptographically signs mail from your legitimate senders. Enable it for Microsoft 365, Google Workspace, and every marketing platform (Mailchimp, HubSpot, SendGrid).
  • DMARC — tells receivers what to do when SPF or DKIM fails. Start at p=none for 30 days of monitoring, move to p=quarantine, then land at p=reject. Add rua and ruf reporting addresses.
  • MTA-STS + TLS-RPT — force encrypted delivery. Trivial to enable, blocks downgrade attacks.
  • BIMI — displays your verified logo in Gmail once DMARC is at reject. Marketing bonus after the security work is done.

If DMARC is missing or at p=none, any attacker in the world can send email as your CEO to your own finance team. It has happened to more SA businesses this year than we can list.

Identity — MFA is not enough, but phishing-resistant MFA is

  • Enforce MFA on every account, including service accounts and shared mailboxes.
  • Move from SMS/voice OTP to app-based MFA with number matching — free config change in Entra ID that stops MFA-fatigue attacks.
  • Enable Conditional Access: block legacy protocols (POP/IMAP/SMTP basic auth), require compliant devices, block sign-ins from anonymous VPNs and impossible-travel patterns.
  • Deploy FIDO2 security keys or passkeys for the top 20 accounts (execs, finance, admins). Adversary-in-the-middle phishing kits cannot bypass FIDO2.
  • Enable Continuous Access Evaluation so a compromised token can be revoked in seconds, not hours.

Endpoint & browser — assume the click will happen

  • Safe Links + Safe Attachments (Defender for Office 365) — rewrites URLs, detonates attachments in a sandbox.
  • Managed browser — Edge or Chrome with SmartScreen / Enhanced Safe Browsing enabled by policy.
  • DNS filtering — Cisco Umbrella, DNSFilter or Cloudflare Gateway blocks known-bad domains at the network layer, on and off VPN.
  • EDR — Defender for Business or SentinelOne on every endpoint; monitored, not just installed.
  • Application whitelisting — the highest-return control few SMEs deploy. Even AppLocker or WDAC in audit mode gives you visibility.

Human layer — training that actually sticks

  • Monthly, targeted, blame-free simulations. KnowBe4, Hoxhunt or Microsoft Attack Simulator. Track click rate as a team metric, not a personal one.
  • Micro-training — 3-minute videos after a click. Long courses don't get watched; 3 minutes at the moment of failure does.
  • The Report Phish button in Outlook — one click sends the mail to security, thanks the user, and removes it from every mailbox that received it.
  • Positive reinforcement — publicly celebrate the first reporter each month. You are building culture, not fear.

Business email compromise — the SA epidemic

BEC now costs SA businesses more than ransomware. The attack: a real supplier's mailbox is compromised, the attacker watches the invoice thread for weeks, then replies (from the real address) with "updated banking details, please use these for all future payments". The victim pays a legitimate-looking invoice into an attacker-controlled account.

  • Callback policy in writing. Any change to supplier banking details is verified by phone to a known-good number — never one from the email.
  • Dual authorisation for any payment above a threshold, and for any first-time or changed beneficiary.
  • External-sender warning banner on every mail from outside your tenant.
  • Impersonation protection (Defender for Office 365 anti-phishing policy) covering execs, finance staff and top 20 suppliers.
  • Mailbox rules audit monthly — attackers create auto-forward rules to hide their tracks. Alert on every new rule.

Frequently asked questions

Is awareness training enough to stop phishing?

No. Training alone reduces click rates from ~30% to ~5% at best. The remaining 5% still costs you the business. Real prevention layers technical controls (DMARC, safe links, MFA, conditional access) with training — not one or the other.

What is DMARC and do we need it?

DMARC tells receiving mail servers what to do with mail that fails SPF/DKIM checks on your domain. Without DMARC at 'reject', attackers can spoof your domain to your own customers. Every SA business with a domain needs DMARC at 'p=reject' — it's free and non-negotiable.

Does MFA stop phishing?

Traditional MFA stops most credential theft but not adversary-in-the-middle attacks (Evilginx, EvilProxy). Phishing-resistant MFA (FIDO2 keys, passkeys, Windows Hello, Microsoft Authenticator with number matching) does. Move to number matching at minimum — it's a free config change.

What is the biggest phishing risk in South Africa right now?

Business email compromise (BEC): attackers hijack a real supplier's mailbox and insert fake banking details into a genuine invoice thread. The single most effective defence is a callback policy — verify every banking change via a known phone number, not the email.

Should we run phishing simulations?

Yes, monthly, targeted, and blame-free. The goal is not to catch people — it's to measure the click rate over time and coach the repeat clickers. Public shaming destroys the security culture you're trying to build.

Want to know how exposed you actually are?

1ICT will run a free DMARC + tenant baseline check in under 2 hours. Most SA businesses discover at least three missing controls.