Attackers use phishing, business email compromise (BEC), and other social engineering tactics to steal credentials, spread malware, and commit fraud. Advances in malicious email protection can recognize and stop obvious phishing attempts, but enterprises without sufficient competence and confidence in their technical controls, security awareness efforts, and incident response capabilities remain vulnerable to this common attack vector. Security and risk (S&R) pros can use this report to implement best practices to thwart phishing and BEC attacks and keep employees from interacting with malicious emails that make it into the inbox.