Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest pre-occupation was plain old e-mail.

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source.

He has a point. The John Podesta email debacle began when the politico fell for a fake Gmail message, and those celeb-gate hacking victims likewise got tricked by phishing. So what can we do about it?

Education is one approach. Johnson says his agency sends emails to its own employees with suspicious links for goodies like “free Redskins tickets.” Those who click on the link receive instructions to show up to a spot to collect their tickets—where they instead receive a free lesson on cyber-hygiene.

And of course technology is another way to fight phishing. At the security event, Manhattan District Attorney Cyrus Vance announced that the non-profit Global Cyber Alliance had created a free tool to help organizations install DMARC software to detect fraudulent and spoofed messages.

“Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Vance, who added that, after terrorism, cyber-security is New York’s top priority.

Meanwhile, the phishing plague means security firms like Proofpoint are doing a roaring trade in helping companies navigate new twists such as “angler phishing” (yes, it’s named after Finding Nemo) that rely on contaminated social media links.

So readers, be careful what you click—though do click on some of the good stuff we have below to get up to date on the latest cyber news. (We’re light on fin-tech items this week but, in light of the Coinbase-IRS news, you bitcoin buyers are probably too busy fretting about an audit).

Jeff Roberts

@jeffjohnroberts

jeff.roberts@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. You may reach Fortune reporter Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.