You have to create a culture where everyone is expected to verify information before acting, even when it’s coming from the CEO or Managing Partner.
What are you doing to create an environment where your people feel free to take the time necessary to tell a scam from a legitimate communication, and where they are able to question authority in order to get more information?
There is something to this. How many times has someone fallen victim to phishing or drive-by downloads and wondered why the IT department didn’t build better protection? (I’ve seen it!)