No defense against willful ignorance.
We get about one user a month who ends up having their account closed because it suddenly starts sending a few thousand emails a second. Every time, they show up in the office with this "What's going on here?" face on and say something like "But you told me you needed my password so you could validate my mailbox!"
We make everyone read the "how to spot a phishing email" thing when they sign up for an account.
We send out stock reminders 3 times a year.
We send out specific reminders every time someone falls for a phish.
The trouble is that the vast majority of our users don't _care_ about computers, don't _care_ about email and don't _care_ about security - at least until the day they end up getting their account locked and a stern talking to by one of the IT security team.
If people are going to type their passwords into random websites because an email in broken English from a random Albanian email address told them to, there's not a great deal we can do to stop them.
Could we have automatic detection of when the sender and the Reply-To names/domains are different and instantly class that as Criminally Suspect? With a popup when clicking on such a message that reads something like "The address of the sender and that of the Reply-To are not the same. This is generally a sign that the message is spam or may originate from a criminal source. Are you sure you want to open this mail?"
Only problem is that that happens all the time.
The last thing we need is something popping up and spooking the users when they get an email from it-announce@[nameofbusiness].uk with a Reply-To of it-support@[nameofbusiness].uk.
It's a feature that would just immediately get turned off by 99% of sysadmins in response to user complaints.