The technology solution here is not allowing Karen from HR to have a password at all and instead using something like Yubikey + FIDO, which can't be phished.
Which is great until someone who might or might not really be "Karen from HR" says they lost their Yubikey and needs a new one. This workflow must exist, but it is generally easy for an attacker to get authenticated by that system.
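To make the "can't be phished" claim concrete, here is an added illustration (not code from either commenter, and not a real WebAuthn library) of the assertion a FIDO authenticator returns and the checks a relying party runs on it. Assumptions: the domains login.example.com and login.examp1e.com are hypothetical, and an HMAC under a per-credential secret stands in for the authenticator's asymmetric signature so the script runs on the standard library alone; the message layout (authenticatorData followed by SHA-256 of clientDataJSON), the rpId scoping rule and the order of checks follow the WebAuthn ceremony.

```python
"""Toy WebAuthn-style assertion flow: why a relayed FIDO login fails at the real site.
Added illustration; the HMAC stands in for the authenticator's signature (assumption)."""
import hashlib, hmac, json, secrets, struct

RP_ID = "example.com"                            # hypothetical relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # the only origin the RP will log in from


def registrable_suffix(rp_id: str, host: str) -> bool:
    """Browser rule: the rpId a page asks for must be the page host or a parent domain."""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Stand-in for a roaming FIDO authenticator (a YubiKey, in the thread's terms)."""

    def __init__(self):
        self.credentials = {}  # rp_id -> per-credential secret (assumption: HMAC key)
        self.counter = 0       # monotonic signature counter, shared across credentials

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]  # a real device would hand back a public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId
        self.counter += 1
        # authenticatorData = SHA-256(rpId) || flags (UP bit set) || 32-bit counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        msg = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, msg, hashlib.sha256).digest()


def browser_get(authn: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get(): the browser, not the page, writes the origin into
    clientDataJSON, so a phishing page cannot claim to be the real site."""
    host = page_origin.split("://", 1)[1]
    if not registrable_suffix(rp_id, host):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    assertion = authn.get_assertion(rp_id, client_data)
    if assertion is None:
        raise LookupError("no credential for rpId " + rp_id)
    auth_data, sig = assertion
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, last_counter: int,
              client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks; every field checked here is covered by the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + cd.get("origin", "")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    if struct.unpack(">I", auth_data[33:37])[0] <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    key = Authenticator()
    cred = key.register(RP_ID)          # Karen enrols her key at the real site
    key.register("examp1e.com")         # ...and is later tricked into enrolling at a look-alike
    out = {}
    # 1. Genuine login from the real origin.
    chal = secrets.token_urlsafe(32)
    out["legit"] = rp_verify(cred, chal, 0, *browser_get(key, "https://login.example.com", RP_ID, chal))
    # 2. Phishing page asks for the real rpId: the browser refuses before the key is touched.
    chal = secrets.token_urlsafe(32)
    try:
        browser_get(key, "https://login.examp1e.com", RP_ID, chal)
        out["phish_rpid"] = (False, "unexpected success")
    except PermissionError as e:
        out["phish_rpid"] = (False, str(e))
    # 3. Phishing page relays the real challenge under its own rpId; the RP sees the wrong origin.
    cd, ad, sg = browser_get(key, "https://login.examp1e.com", "examp1e.com", chal)
    out["phish_relay"] = rp_verify(cred, chal, 0, cd, ad, sg)
    # 4. Attacker rewrites origin and rpIdHash to the real values: the signature no longer matches.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": chal,
                            "origin": "https://login.example.com"}).encode()
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    out["phish_forged"] = rp_verify(cred, chal, 0, forged_cd, forged_ad, sg)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Cases 2 to 4 are the three places a credential-relay phish dies: the browser's rpId scoping, the origin the browser itself records, and the signature that covers both. None of those checks runs in the "I lost my YubiKey, please enrol a new one" path the reply describes, which is why that path needs its own identity proofing rather than inheriting trust from the FIDO login.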