The four steps:
* No HTML email. HTML email opens all sorts of possibilities for hiding things. Train your users to expect short and simple messages.
* No links in email. Always refer to the bookmark you encourage users to create from their paper statements.
* All your websites must belong to you, and show up under your domain. Do not acclimatize users to treat other URLs as yours. If you get your users used to sites with names like "cb.pharmphr33.supersecure.com," then you shouldn't be surprised that they don't get worried when they are phished there.
* Fire people who violate these rules. Give a substantial finder's fee to the first person who reports the violation. Give the money to both employees/whistleblowers and customers.
From Adam Shostack, who is learning how to talk to marketers.
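The first three rules are mechanical enough to check before a message leaves the building. The script below is an added example, not part of the post or of anything Adam Shostack published: it walks an outbound MIME message, flags any `text/html` part (rule 1), flags every URL found in the plain-text parts (rule 2), and, for each URL, records whether its host sits under the organisation's own domain (rule 3), so a reviewer can see at a glance when a message is training customers to trust third-party hostnames. The domain `examplebank.test` and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Hypothetical organisation domain; replace with the real one when deploying.
OUR_DOMAIN = "examplebank.test"

# Matches http/https URLs in plain text; trailing punctuation is trimmed below.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)


def belongs_to_us(url: str) -> bool:
    """True only if the URL's host is OUR_DOMAIN or a subdomain of it.

    Suffix matching on the hostname (not on the string) means that a host
    such as examplebank.test.evil.example or evilexamplebank.test is NOT ours.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def check_outbound(raw: str) -> list:
    """Return a list of rule violations for one outbound message.

    Entries are:
      "html-part"           an HTML body part was present (rule 1)
      "link-ours:<url>"     a link to our own domain (still breaks rule 2)
      "link-foreign:<url>"  a link to someone else's domain (rules 2 and 3)
    An empty list means the message is a short plain-text note with no links.
    """
    msg = message_from_string(raw)
    violations = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        if ctype == "text/html":
            violations.append("html-part")
            continue
        if ctype != "text/plain":
            continue  # attachments are out of scope for this check
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        for url in URL_RE.findall(body):
            url = url.rstrip(".,;:)")
            tag = "link-ours" if belongs_to_us(url) else "link-foreign"
            violations.append(f"{tag}:{url}")
    return violations


def message_allowed(raw: str) -> bool:
    """Convenience wrapper: True when the message passes all three checks."""
    return not check_outbound(raw)


# Constructed sample: the kind of message the rules permit.
GOOD = (
    "Subject: Your statement is ready\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Your statement is ready. Use the bookmark you saved from your paper\n"
    "statement to view it.\n"
)

# Constructed sample: HTML alternative plus links, one of them to a
# third-party hostname of the sort the post warns about.
BAD = (
    "Subject: Urgent: verify your account\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please verify at http://cb.pharmphr33.supersecure.com/verify today.\n"
    "Or see https://www.examplebank.test/help.\n"
    "--b1\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><a href="http://cb.pharmphr33.supersecure.com/verify">'
    "Verify</a></body></html>\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "allowed" if message_allowed(raw) else check_outbound(raw))
```

Wired into a mail gateway or a pre-send hook in the campaign tool, the empty list is the only result that should be allowed through; the `link-ours` entries are useful during rollout to show marketing which existing templates break rule 2 even though the links point at the right domain.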