Getting users to understand phishing

How do you keep your users from opening dubious emails, and worse, clicking on links or even entering their credentials? I'm looking for ways to make the risks tangible, and to identify some easy criteria for deciding whether an email is valid or not.

One way is to use real-world analogies. Look at employees in retail establishments that accept cash. Accepting a counterfeit bill is a real risk. Some phony money just looks fake. A kid running currency through a color copier isn't hard to catch (assuming the copier will even process the bill). Some fake money just looks fake right away. Some of it requires additional inspection - look at the details that tell you the bill is genuine. Are they blurred? Missing? Some counterfeits are good enough to baffle the Secret Service.

Same with phishing. Someone is trying to scam you by convincing you a fake item is genuine. Usually, if you pay any attention to the item (from-address, format, content, etc.) it is obvious it is fake. Sometimes it requires more attention (is the reply-to address different from the sending address? Do the links point to the expected website or somewhere else?). Some fakes are just really good - you'd have to look closely at the mail headers and the message's underlying HTML to see that everything is in order EXCEPT the link asking you to download a PDF.
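The two "more attention" checks from the answer above (Reply-To landing somewhere other than the From domain, and link text that names one site while the href goes to another) can be automated with nothing but the Python standard library. This is an added example, not code from the original post; the two messages it runs on are constructed here using RFC 2606 reserved domains and a TEST-NET address, and the checks are heuristics, so a hit is a reason to look harder, not proof of phishing.

```python
"""Heuristic checks on a raw RFC 5322 message: Reply-To/From domain mismatch
and anchors whose visible text points at a different host than their href."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): Reply-To differs from the visible sender,
# and the first link's text shows one site while its href goes to another.
PHISH_MESSAGE = b"""From: "Accounts" <billing@example.com>
Reply-To: collect@example.net
To: user@example.org
Subject: Invoice overdue
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your invoice is overdue. Open it here:</p>
<a href="http://192.0.2.10/login">https://www.example.com/account</a>
<p>Questions? See <a href="https://www.example.com/help">our help page</a>.</p>
</body></html>
"""

# Constructed benign message for comparison: headers agree, link text matches href.
CLEAN_MESSAGE = b"""From: "Accounts" <billing@example.com>
To: user@example.org
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is ready at
<a href="https://www.example.com/account">https://www.example.com/account</a>.</p>
</body></html>
"""


def address_domain(header_value):
    """Domain of the first address in a header value, lowercased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_like):
    """Hostname of a URL, or of a bare 'www.' domain used as link text."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def deceptive_links(html_body):
    """(text, href) pairs where the text names a site other than the href's host."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if looks_like_url and _host(text) != _host(href):
            findings.append((text, href))
    return findings


def analyze(raw_message):
    """Run both checks on a raw message and return the findings as a dict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = address_domain(msg.get("From"))
    reply_to = address_domain(msg.get("Reply-To"))
    body = msg.get_body(preferencelist=("html",))
    html_body = body.get_content() if body is not None else ""
    return {
        "from_domain": sender,
        "reply_to_domain": reply_to,
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "deceptive_links": deceptive_links(html_body),
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw))
```

The link check only fires when the visible text itself looks like a URL; a link whose text is plain words ("our help page") carries no claim about where it goes, so the reader has to hover and read the href, which is exactly the habit the analogy above is meant to teach. Note also that a missing Reply-To is not a mismatch: replies then go to the From address, so there is nothing to compare.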