How to stop spear phishing - if your CIO has the balls.
Simply remove email and Internet access from the majority of your employees. Far too many seem to assume it is a right to have a company email address and Internet access, when the reality is that very few employees actually need it for their jobs. Other messaging systems (such as Lync) can be limited to internal-only conversations, removing the spear phishing threat and yet providing the same or better internal service than email. Then air-gap the few systems used for external email, for those users whose role does require email, from access to core networks.