There is no one answer to this; a number of things can help. Spam filters will help, but (A) they won't catch everything and (B) they might filter legit email (especially if you have them set to be very aggressive). It is really a trade-off.
When explaining to users, the best thing is general user education.
Explain the risks, explain what to look out for, and include them in the process by giving them stakeholdership over the issue; it is their problem as much as it is the organisation's problem. Explain to them that everyone has a role to play when it comes to security.
I have dealt with many diverse user groups over the last few years and have had to relay a number of IT change projects to them, and making them feel part of the process has consistently been key to getting them to do what is needed/wanted. The standard advice would be as follows:
Check the domain in the email address is correct. For example, if you get an email from someone claiming to be from the Acme Bank, make sure the domain part is consistent with other emails you have from them; i.e. manager@acmebonk.com is the sender address but Acme Bank's email is @acmebank.com.
If you haven't had any other mail from them, then why are you getting email now? Do you even have a service with them? If not, then something may be wrong.
Check the URLs in the mail are legit: visit the website in a browser and confirm the domain is the same as the links.
Any attachments can be risky. It doesn't matter what they are; there is a risk and an attack vector in anything that can be attached to an email.
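
The sender-domain and link checks described above can also be automated on the mail side. The following is an added example, not part of the original answer: it flags a sender or link domain that is close to, but not the same as, a domain already known to be genuine. The `KNOWN_DOMAINS` set, the function names and the sample message are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains seen in earlier, genuine mail from the organisation.
KNOWN_DOMAINS = {"acmebank.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, known=KNOWN_DOMAINS):
    """Return 'known', 'lookalike' or 'unknown' for a host or mail domain."""
    domain = domain.lower().rstrip(".")
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known"
    # Simplification: treat the last two labels as the registered domain
    # (wrong for suffixes such as co.uk; a public suffix list fixes that).
    base = ".".join(domain.split(".")[-2:])
    for k in known:
        if domain.startswith(k + ".") or ("." + k + ".") in domain:
            return "lookalike"   # real name used as a subdomain of another site
        if 0 < edit_distance(base, k) <= 2:
            return "lookalike"   # one or two characters off, e.g. a typo domain
    return "unknown"

def review_message(from_header, body, known=KNOWN_DOMAINS):
    """Classify the sender domain and every link host in a message."""
    sender = parseaddr(from_header)[1].rpartition("@")[2]
    findings = [("sender", sender, classify_domain(sender, known))]
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        findings.append(("link", host, classify_domain(host, known)))
    return findings

# Constructed sample message, using the addresses from the answer above.
SAMPLE_FROM = "Acme Bank <manager@acmebonk.com>"
SAMPLE_BODY = ("Confirm your details at https://acmebank.com.verify.example/login "
               "or read https://www.acmebank.com/help")

if __name__ == "__main__":
    for finding in review_message(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

A "lookalike" result is a prompt for a closer look or a warning banner, not proof of phishing; an "unknown" result corresponds to the "why are you getting email now?" question above.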