why haven’t IT professionals found a better way to prevent phishing than telling people to be careful when clicking on links from suspicious emails?

750 views

In: Technology

7 Answers

Anonymous 0 Comments

Security is a trade-off between usefulness and protection. To maximize security you could not use email. In today’s world that’s not practical for most businesses, but they would be protected from direct email attack. I could allow only text-based emails, which allows email usage and prevents a lot of attacks.

As it pertains to phishing, it’s mostly a non-technical attack. The goal is simply to gain information from a target through trickery. Ever fill out a card to win a free “insert thing”? Just have to give all your contact info. Phishing is more targeted at credentials, but it’s the same idea. Why hack my way through a next-gen firewall and IPS when I can just send an email to a secretary in HR saying their password is about to expire? This is why human training, IMO, is more important than technological solutions.

Anonymous 0 Comments

Because it’s simply impossible to filter out the legit emails and the illegitimate emails. There’s no automated way to do that currently.

Anonymous 0 Comments

Because we don’t care, lol. We get paid to create shit rather than clear out people’s brain toilets by teaching them to not type their password into a site with a URL of facebook.xx734JCMAN3NncjakkFNNE.com.

If people need anything, it’s education on the HTTP protocol that they rely on so much. Subdomains are meaningless. Anything after the single “/” is meaningless. It all goes to a server which you have to trust. I could make a socket server on port 80 which returns a scary screamer for a .png URL in like a quarter of a minute; it’s your browser’s job to not accept a .html file when you request a .png.
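The answer above turns on one fact about URLs: the only part of a link that says who will answer the request is the registrable domain, and everything to its left (subdomains), everything after the first single “/” (the path), and anything before an “@” in the authority is under the link author’s control. The following is an added example, not code from the poster, showing how a link-checking tool would apply that rule to the facebook.xx734JCMAN3NncjakkFNNE.com case and to two other common decoys (a brand name in the path, and a brand name in the user@ part). The suffix list and the allowlist of trusted domains are constructed for the example; a real tool would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list (an assumption for this example).
# Real tooling uses the Public Suffix List, which is what makes "co.uk" work.
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk"}

# Example allowlist of brands the organization actually trusts (constructed).
TRUSTED_DOMAINS = {"facebook.com", "twitter.com"}


def registrable_domain(host: str) -> str:
    """Return the part of the host name the sender had to register.

    Everything to the left of it is a subdomain the owner can set freely,
    so "facebook.attacker.com" belongs to whoever owns "attacker.com".
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify_link(url: str) -> dict:
    """Decide whether a link actually goes to a trusted domain.

    The path, the query string and any user@ prefix are ignored for the
    decision (the server named by the host is what answers the request),
    but they are scanned for brand names, because that is where lookalikes hide.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""      # .hostname drops user@, :port and case
    reg = registrable_domain(host)
    verdict = "trusted" if reg in TRUSTED_DOMAINS else "untrusted"

    looks_like = None
    if verdict == "untrusted":
        decoy_text = (parts.netloc + parts.path).lower()
        for brand in TRUSTED_DOMAINS:
            if brand.split(".")[0] in decoy_text:
                looks_like = brand
                break
    return {"host": host, "registrable": reg, "verdict": verdict, "looks_like": looks_like}


if __name__ == "__main__":
    # Constructed sample links; the second one is the URL quoted in the answer.
    for u in [
        "https://www.facebook.com/groups/dogsweaters",
        "http://facebook.xx734JCMAN3NncjakkFNNE.com/login",
        "http://facebook.com@evil.example/",
        "https://evil.example/facebook.com/login",
    ]:
        print(u, "->", classify_link(u))
```

The `looks_like` field is what a mail gateway would surface to the user ("this link says facebook but goes to xx734jcman3nncjakkfnne.com"); the `verdict` is what it would enforce.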

Anonymous 0 Comments

By doing what?

Removing all links from emails is a great start. Let’s say IT does this. This policy makes it so that the emails people get from Facebook and Twitter don’t work as intended. Do people say “Well, phishing is bad, so I’m willing to give up on my dog sweater Facebook group email”? Nope! They call IT and the next thing you know the policy has been removed.

IT can’t help people because people don’t want to be helped. Whatever policy exception you make, that will be what the next generation of phishing looks like.

Even simple policies like DMARC are unpopular because some senders someplace don’t have things configured correctly. When people find out they aren’t getting some message, they want the protections turned off.
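The DMARC complaint in the answer above has a precise mechanism behind it. DMARC does not ask "did SPF or DKIM pass?" but "did SPF or DKIM pass for a domain aligned with the visible From: domain?", and a message that fails that test gets whatever the domain owner published in p= (none, quarantine or reject). A legitimate sender relaying through a third-party service that signs with its own domain fails alignment exactly like a spoofer does, which is the "some senders someplace don’t have things configured correctly" case. The following is an added example, not code from the poster, that implements that evaluation (RFC 7489 semantics for p=, adkim= and aspf=). The organizational-domain helper is simplified to the last two labels and the record is assumed to be the From domain’s own (no sp= handling); domains and results are constructed.

```python
def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption): the last two labels.

    Real evaluators consult the Public Suffix List so that suffixes such
    as "co.uk" are handled; that detail is not needed for this example.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # requested disposition for failures
    tags.setdefault("adkim", "r")     # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment: r(elaxed) or s(trict)
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result=None, dkim_results=()):
    """Return 'pass' or the record's p= value (none / quarantine / reject).

    spf_result:   (result, domain the SPF check was evaluated for) or None
    dkim_results: iterable of (result, d= domain) for each DKIM signature
    Assumption: the record is the From domain's own, so sp= is not consulted.
    """
    policy = parse_dmarc(record)
    spf_ok = (spf_result is not None and spf_result[0] == "pass"
              and aligned(spf_result[1], from_domain, policy["aspf"]))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy["adkim"])
                  for result, d in dkim_results)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


if __name__ == "__main__":
    # Constructed scenarios for a From: address at example.com.
    RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"
    cases = {
        # Own bounce domain passes SPF; relaxed aspf accepts the subdomain.
        "legit, own infrastructure": dict(spf_result=("pass", "bounce.example.com")),
        # Spoof: SPF passes, but for the attacker's own envelope domain.
        "phish from attacker infra": dict(spf_result=("pass", "attacker.example")),
        # Legit mail via a third-party service that signs with its own domain:
        # this is the misconfigured sender whose mail disappears under p=reject.
        "legit via unaligned ESP": dict(spf_result=("pass", "mailer.thirdparty.net"),
                                        dkim_results=[("pass", "thirdparty.net")]),
        # Legit DKIM from a subdomain: fine under adkim=r, rejected under adkim=s.
        "legit DKIM from subdomain": dict(dkim_results=[("pass", "mail.example.com")]),
    }
    for name, kw in cases.items():
        print(f"{name:28s} -> {dmarc_disposition(RECORD, 'example.com', **kw)}")
```

The last two scenarios are the ones that generate the support tickets the answer describes: the mail is genuine, the policy is doing what it was told, and the fix is on the sender’s side (an aligned DKIM signature or an aligned envelope domain), not on the receiver’s.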

Anonymous 0 Comments

They have. For example, many organizations prohibit links in emails that are sent by non-authenticated users, or they create lists of link URLs and block them from being accessed from the corporate network, or add them to the malicious email list.

Ultimately though it’s a cat and mouse game IF you want to be able to send and receive emails, and you want to allow people to link to things in said email. The vector here is always going to have a Person-layer since a sender of email is presumed neutral (or neutral with caution) until proven safe or unsafe, otherwise you take the knees out of the utility of email communication entirely.

Anonymous 0 Comments

In fact they have. Some email clients can tag things that look overly suspicious so that people don’t blindly trust them. But there’s no cure for stupidity. It’s like preventing someone from physically telling someone their password. The best you can do is just tell them not to.

Anonymous 0 Comments

Because phishing is not a matter of technological vulnerability, it’s a matter of people being stupid and not reading what they’re clicking.