Study: [EXTERNAL] tags do not protect against phishing
A large-scale simulation at a German university hospital shows: common protective measures like [EXTERNAL] tags fail, technical filters work.
Common anti-phishing measures such as the [EXTERNAL] labeling of emails offer hospital employees hardly any protection against fraud attempts. This is the finding of an extensive study by security researchers, including Luigi Lo Iacono from Justus Liebig University Giessen (JLU). It was presented in October at the renowned ACM Conference on Computer and Communications Security and is now publicly available.
In a large-scale phishing simulation with 7,044 email accounts at a German university hospital, security researchers investigated which protective measures actually work, with a sobering result: approximately a quarter of employees would have been willing to reveal their login credentials.
Employees proved to be particularly susceptible to emails sent in the morning: the probability of interaction increased by 5.6 percentage points, and by as much as 13.5 percentage points among medical personnel. The design of the emails also played a role: plain-text format instead of HTML increased susceptibility by 4.9 percentage points, and emails that played on fear of loss, such as "Your account is expiring," increased it by 6.7 percentage points.
The investigation concludes that explicit warning banners and spam filters can reduce risky behavior by up to 94 percent. Disabling links and browser warnings showed at least a limited protective effect. The widespread [EXTERNAL] labeling of emails, on the other hand, proved to be largely ineffective, a result that is consistent with earlier findings on the limited effectiveness of phishing training.
Emotional burden from simulations
The study also documented the psychological effects: a considerable proportion of employees reacted to the phishing simulation with fear, shame, and guilt. The researchers emphasize that the emotional costs of such simulations must be weighed against the security benefits.
Accordingly, study leader Luigi Lo Iacono from JLU Giessen calls for increased technical protective measures: "It is essential that technical protective measures are strengthened to increase resilience against cybercrime. Especially in the healthcare sector, which is increasingly targeted by cyberattacks, there is an urgent need for action."
The findings underscore the urgency of the current efforts of the Federal Office for Information Security (BSI), which wants to hold webmail providers more accountable. In its Year of Email Security, the BSI also calls for enhanced technical security measures such as automatic spam filters and phishing warnings that work without user intervention. The Giessen study now provides empirical evidence that precisely such technical solutions are significantly more effective than behavior-based approaches.
(fo)