Phishing Susceptibility and the (In-)Effectiveness of Common Anti-Phishing Interventions in a Large University Hospital
Phishing attacks via email remain a major entry point for security and privacy breaches in hospitals. In the European Union, faced with both regulatory pressure to act and limited resources for cybersecurity, hospitals may resort to minimal-effort, off-the-shelf anti-phishing interventions such as warning banners in enterprise email systems. However, their effectiveness remains uncertain, particularly given the highly diverse workforce comprising medical, nursing, functional, administrative, IT, and other staff groups. We conducted a large-scale phishing simulation at a German university hospital, targeting 7,044 email accounts, to analyze how phishing susceptibility varies across staff groups, how email characteristics (such as timing, tone, context, and persuasive framing) influence susceptibility, and how 11 common in-situ anti-phishing interventions affect risky staff behavior. We found that not only susceptibility but also intervention effectiveness differed markedly across staff groups. Even a small number of phishing emails posed a substantial risk that persisted for about three days. The most effective interventions involved robust technical detection, including spam filtering and in-email phishing warnings. Friction-based measures, such as disabling links and active warning pages, showed mixed but promising effects. In contrast, display name suppression and the widely used method of generic [EXTERNAL] email tagging had no or inconsistent effects. Surveys revealed that some staff reacted with fear, shame, guilt, and hostility, highlighting the ethical challenges of such simulations. Our findings provide actionable guidance for phishing resilience in healthcare and similarly complex organizations.
| Document Type: | Conference Object |
|---|---|
| Language: | English |
| Author: | Jan Tolsdorf, David Langer, Luigi Lo Iacono |
| Parent Title (English): | Huang, Chen et al. (Eds.): Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security, CCS '25, Taipei, Taiwan, October 13-17, 2025 |
| Number of pages: | 15 |
| First Page: | 4334 |
| Last Page: | 4348 |
| ISBN: | 979-8-4007-1525-9 |
| URN: | urn:nbn:de:hbz:1044-opus-93493 |
| DOI: | https://doi.org/10.1145/3719027.3765164 |
| Publisher: | Association for Computing Machinery |
| Place of publication: | New York, NY, United States |
| Publishing Institution: | Hochschule Bonn-Rhein-Sieg |
| Date of first publication: | 2025/11/22 |
| Copyright: | © 2025 Copyright held by the owner/author(s). This work is licensed under a Creative Commons Attribution 4.0 International License. |
| Funding: | This research was supported by the German Federal Ministry of Health with grant number ZMI1-2521FSB801. |
| Tag: | Hospitals; Interventions; Phishing; Resilience; Susceptibility |
| Departments, institutes and facilities: | Fachbereich Informatik; Institut für Cyber Security & Privacy (ICSP) |
| Projects: | MedISA Medical Centre Employee Centered Information Security Awareness (ZMI1-2521FSB801) |
| Dewey Decimal Classification (DDC): | 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 005 Computer programming, programs, data |
| Entry in this database: | 2025/12/03 |
| Licence (German): | Creative Commons - CC BY - Attribution 4.0 International |