Phishing Susceptibility and the (In-)Effectiveness of Common Anti-Phishing Interventions in a Large University Hospital

Phishing attacks via email remain a major entry point for security and privacy breaches in hospitals. In the European Union, faced with both regulatory pressure to act and limited resources for cybersecurity, hospitals may resort to minimal-effort, off-the-shelf anti-phishing interventions such as warning banners in enterprise email systems. However, their effectiveness remains uncertain, particularly given the highly diverse workforce comprising medical, nursing, functional, administrative, IT, and other staff groups. We conducted a large-scale phishing simulation at a German university hospital, targeting 7,044 email accounts, to analyze how phishing susceptibility varies across staff groups, how email characteristics---such as timing, tone, context, and persuasive framing---influence susceptibility, and how 11 common in-situ anti-phishing interventions affect risky staff behavior. We found that susceptibility but also intervention effectiveness differed markedly across staff groups. Even a small number of phishing emails posed a substantial risk that persisted for about three days. The most effective interventions involved robust technical detection, including spam filtering and in-email phishing warnings. Friction-based measures, such as disabling links and active warning pages, showed mixed but promising effects. In contrast, display name suppression and the widely used method of generic [EXTERNAL] email tagging had no or inconsistent effects. Surveys revealed that some staff reacted with fear, shame, guilt, and hostility, highlighting the ethical challenges of such simulations. Our findings provide actionable guidance for phishing resilience in healthcare and similarly complex organizations.