A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.

Why are people still such suckers for phishing? At a security event in New York this week, top law enforcement officials shared their concerns and, to my surprise, their biggest preoccupation was plain old email.

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” Homeland Security Secretary Jeh Johnson told the crowd, referring to malicious emails that appear to come from a credible source.

He has a point. The debacle over leaked emails from Hillary Clinton’s campaign chairman began when the chairman, John Podesta, fell for a fake Gmail message. And those celeb-gate hacking victims likewise got tricked by phishing. So what can we do about it?

Education is one approach. Secretary Johnson says his agency sends emails to its own employees with suspicious links for goodies like “free Redskins tickets.” Those who click on the link receive instructions to show up to a spot to collect their tickets—where they instead receive a free lesson on cyber-hygiene.

And of course technology is another way to fight phishing. At the security event, Manhattan District Attorney Cyrus Vance announced that the non-profit Global Cyber Alliance had created a free tool to help organizations set up DMARC, a protocol that helps authenticate email messages.

“Phishing—mundane as it is—is the biggest threat we face and need to tackle,” said Vance, who added that, after terrorism, cyber-security is New York’s top priority.

Meanwhile, the phishing plague means security firms like Proofpoint (PFPT) are doing a roaring trade in helping companies navigate new twists such as “angler phishing” (yes, it’s named after Finding Nemo) in which criminals pose as brand representatives on social media platforms like Twitter, and then trick consumers into disclosing personal information. Other firms, like Area 1, offer tools to help rebuff cyber-phishing attacks before they reach employees’ inboxes in the first place.

Johnson and Vance spoke at the Financial Crimes and Cybersecurity Symposium, an annual gathering of global security officials hosted by the Manhattan DA’s office.