The sophisticated tactics used by phishers mean companies need to ratchet up employee education to reduce the number of staff fooled by slick conmen.
Social-Engineer advocates a "culture change" in which employees are encouraged to think before clicking on attachments or links within every email they receive.
They should also be trained to look closely at the URLs in email and senders' addresses.
"Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety)," Fincher said.
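The two manual checks described above, comparing the displayed sender with the real address and the visible link text with the real destination, can also be automated. The following Python script is an added illustration, not code from the article or from Social-Engineer; the sample message, the domains in it and the trusted-domain list are constructed placeholders, and the domain heuristic is a deliberately simple last-two-labels rule rather than a public-suffix lookup.

```python
"""Automated form of the two checks employees are told to make by eye:
does the sender's display name match the real From: address, and does a
link's visible text match where it actually goes?  Added example; the
message below is constructed and the domains are placeholders."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the display name shows a
# company address while the real sender is elsewhere, and the link text
# shows an intranet URL while the href points at a look-alike domain.
SAMPLE_EMAIL = b"""\
From: "IT Helpdesk <helpdesk@example-corp.com>" <alerts@mail-examplecorp-secure.net>
To: employee@example-corp.com
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it here:</p>
<a href="https://example-corp.com.reset-portal.net/login">https://intranet.example-corp.com/reset</a>
<p>Regards, IT</p>
</body></html>
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the company's own domain(s)


def registrable_domain(host):
    """Crude last-two-labels heuristic (no public-suffix list):
    'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Flag a From: whose display name shows an address on a different domain
    from the real address, and a real sender domain that is not trusted."""
    display, addr = parseaddr(msg["From"])
    findings = []
    real_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    if "@" in display:
        shown_domain = registrable_domain(display.rsplit("@", 1)[-1].rstrip('>"'))
        if shown_domain != real_domain:
            findings.append(f"sender display name shows {shown_domain} but address is on {real_domain}")
    if real_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {real_domain} is not a trusted company domain")
    return findings


def check_links(msg):
    """Flag links whose visible text is a URL on one domain while the href
    goes to another, and links to untrusted domains."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != target:
                findings.append(f"link text shows {shown} but href goes to {target}")
        elif target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {target}")
    return findings


def analyse(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed message, the script reports the mismatched display name, the untrusted sender domain and the link whose text and destination disagree, which are exactly the three things a trained employee pausing for a couple of seconds would notice.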
Education also has to be relevant and consistent, not a series of sessions in which bored attendees are merely fulfilling a requirement.
"The training has to be something that makes sense," Fincher said. "It has to be all the time and it has to make people think about what they do in a different way."