Most companies would have a much easier time with phishing if they quit sending official correspondence that mimics phishing. Sure, phishing is always evolving to look legitimate, but C͟l͟i͟c͟k͟ h͟e͟r͟e͟!͟ in literally every official email when whatever it is you need to do _should_ be reachable via known links. All the "click here"s and "please see attached" tricks would quit working if it wasn't normal.
I'm of the opinion that most (not all) email phishing can be solved if we all just collectively admitted that HTML email was a mistake, and go back to text-based only and enforce that everywhere.
No more logos, no more masked links (you have to actually copy and paste the text, giving you a chance to review the URL), no more QR code phishing, no more realistic-looking but fake DocuSigns. Get rid of attachments while we are at it; there are other, better ways to share files within an office environment (because ultimately, if we enforce text only, then all phishing would then arrive via attachment in the form of a PDF or rich Word doc with the fake logos and a clickable link).
At the very least it would stop the link manipulation that some email systems do (looking at you Exchange Online w/ "Link Protection") so now you get to see that it's some phishing site going to g00gle.co instead of Exchange's "protection.officelinks.com/asfgqwerty12345...." and so on for 150 characters.
Giving up HTML emails? Preposterous. Users won't accept it now that they are this used to it. Retraining that is unrealistic. Someone of the metrics!
The only solution (which will solve the problem, as it is marketed as phishing-resistant) is to remove passwords entirely and force everyone to use passkeys.