
MedISA
Medical Centre Employee Centered Information Security Awareness
Evidence-Based Anti-Phishing Nudges
"This section of the intervention catalog summarizes the results of a quantitative study on the effectiveness of various anti-phishing interventions. The analysis is based on the measured reduction of login rates to phishing websites, depending on different message formats, visual presentations, and technical measures.
The effectiveness of each intervention was evaluated across professional groups. The results show that visual warnings such as HTML banners, technical barriers like disabled links or SPAM filters, and combined indicators such as sender name, subject line, and banners can significantly reduce risky behavior. However, the effectiveness varies substantially between professional groups.
The following table shows for each tested intervention whether it had a statistically significant effect and how strong that effect was, both in general and for each specific professional group. The classification is based on statistical significance and the effect size of login rate reduction. Interventions without significant results are marked as having no effect.
It is important to note that these results were evaluated in a large German university hospital. Institutions should therefore carry out their own evaluation within their specific context to determine whether similar effects can be observed."
The results are categorized according to the following professional groups:
- Physicians
- Nursing & Functional Services
- Administration & IT
- Other Personnel (including medical-technical services, supply services such as disinfection, kitchen, laundry, technical services, utilities, and support roles such as pastoral care, staff welfare, child care, and other support services)
Suppress Display Name
“Suppress Display Name” means that the sender's display name in emails is hidden so that only the actual email address is visible, in order to prevent spoofing or misleading sender names.

Effectiveness
- Overall Effect: no effect
- Physicians: no effect
- Nursing & Functional Services: no effect
- Administration & IT: no effect
- Other Personnel: medium
External Tag: From Field
This intervention marks the 'From' field of incoming emails from external senders with an [EXTERNAL] tag. The aim is to alert recipients that the message originates from outside the organization, thereby increasing awareness of potential phishing risks.

Effectiveness
- Overall Effect: no effect
- Physicians: no effect
- Nursing & Functional Services: no effect
- Administration & IT: no effect
- Other Personnel: medium
External Tag: Subject Line
This intervention adds an external sender warning directly to the subject line of incoming emails. The purpose is to raise recipient awareness as early as possible, reducing the likelihood of interacting with phishing emails.

Effectiveness
- Overall Effect: no effect
- Physicians: no effect
- Nursing & Functional Services: no effect
- Administration & IT: no effect
- Other Personnel: medium
External Tag: Banner
This intervention adds a visual warning banner to the top of incoming emails from external senders. The goal is to immediately draw attention and increase user awareness of potential security risks through increased visibility.

Effectiveness
- Overall Effect: medium
- Physicians: no effect
- Nursing & Functional Services: no effect
- Administration & IT: no effect
- Other Personnel: high
External Tag: From, Subject Line, Banner
This intervention combines three external tagging methods within an email: the sender's display name is marked as external, the subject line includes an external warning, and a prominent banner is added at the top of the message. Together, these layered visual cues are designed to clearly signal to the recipient that the email originates from outside the organization and should be handled with caution.

Effectiveness
- Overall Effect: medium
- Physicians: no effect
- Nursing & Functional Services: high
- Administration & IT: no effect
- Other Personnel: high
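The header-level nudges above (suppressing the display name, tagging the From field, tagging the subject line, and their combination) are all small rewrites of message headers before delivery. The following is an added example, not MedISA's own code or anything from the study, showing how a mail filter could apply them with only the Python standard library. It assumes a constructed set of internal domains (INTERNAL_DOMAINS) and constructed sample messages; the hook that hands the raw message to the filter (a milter, a gateway rule) is left out.

```python
"""
Added example (not MedISA's code): applying the header-level nudges from this
catalog ("Suppress Display Name", "External Tag: From Field", "External Tag:
Subject Line", and their combination) to a raw RFC 5322 message.
Assumed: INTERNAL_DOMAINS (constructed) lists the organisation's own mail
domains, and the filter sees the message before it reaches the inbox.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import formataddr, parseaddr

# Constructed sample values for this example only.
INTERNAL_DOMAINS = {"hospital.example", "mail.hospital.example"}
EXTERNAL_TAG = "[EXTERNAL]"


def _set_header(msg: EmailMessage, name: str, value: str) -> None:
    """Replace a header whether or not it already exists (del never raises)."""
    del msg[name]
    msg[name] = value


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the address in the From header, lower-cased ('' if absent)."""
    _name, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def is_external(msg: EmailMessage) -> bool:
    """A sender is external when its From domain is not one of ours."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def suppress_display_name(msg: EmailMessage) -> None:
    """'Suppress Display Name': keep only the bare address, so a misleading
    name such as 'IT Service Desk' cannot hide the real sender address."""
    _name, addr = parseaddr(str(msg["From"]))
    _set_header(msg, "From", addr)


def tag_from_field(msg: EmailMessage) -> None:
    """'External Tag: From Field': prefix the display name with the tag.
    formataddr quotes the name because '[' and ']' are RFC 5322 specials."""
    name, addr = parseaddr(str(msg["From"]))
    tagged = f"{EXTERNAL_TAG} {name}".strip()
    _set_header(msg, "From", formataddr((tagged, addr)))


def tag_subject(msg: EmailMessage) -> None:
    """'External Tag: Subject Line': prefix the subject once. The check keeps
    the tag from piling up when a tagged mail is replied to or forwarded."""
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(EXTERNAL_TAG):
        _set_header(msg, "Subject", f"{EXTERNAL_TAG} {subject}".strip())


def apply_nudges(raw: bytes, *, suppress_name: bool = False,
                 tag_from: bool = False, tag_subj: bool = False) -> EmailMessage:
    """Parse a raw message and apply the selected nudges to external mail only.
    Internal mail passes through untouched, which is what makes the tag a signal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not is_external(msg):
        return msg
    if suppress_name:
        suppress_display_name(msg)
    if tag_from:
        tag_from_field(msg)
    if tag_subj:
        tag_subject(msg)
    return msg


# Constructed sample messages (not real traffic).
EXTERNAL_SAMPLE = b"""From: IT Service Desk <helpdesk@outside-mailer.example>
To: nurse@hospital.example
Subject: Password expires today
Content-Type: text/plain; charset=utf-8

Please log in at the portal to keep your account active.
"""

INTERNAL_SAMPLE = b"""From: Chief Physician <chief@hospital.example>
To: nurse@hospital.example
Subject: Ward round moved to 9:00
Content-Type: text/plain; charset=utf-8

See you on the ward.
"""

if __name__ == "__main__":
    # The combined intervention: tagged From field plus tagged subject.
    out = apply_nudges(EXTERNAL_SAMPLE, tag_from=True, tag_subj=True)
    print(out["From"])
    print(out["Subject"])
```

The external check here is deliberately naive (From-domain membership only); a production filter would normally decide "external" from the receiving connection or the gateway's own classification rather than from a header the sender controls, and would apply the tag after, not before, SPF/DKIM evaluation so that a spoofed internal From address is not left untagged.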
HTML Warning Banner
This intervention adds a graphical HTML warning banner to the top of the email, typically indicating that the message originates from an external source. Unlike the plain-text variant, it uses HTML formatting such as colour and layout to make the warning visually prominent, so that recipients notice the cue before reading the message content.

Effectiveness
- Overall Effect: very high
- Physicians: very high
- Nursing & Functional Services: high
- Administration & IT: high
- Other Personnel: high
Plain Warning Banner
This intervention adds a simple, text-based warning at the top of the email. Unlike the HTML banner, it contains no graphical elements—just plain text indicating, for example, that the message originates from an external source. The goal is to raise user awareness by providing a visible security cue.

Effectiveness
- Overall Effect: very high
- Physicians: high
- Nursing & Functional Services: high
- Administration & IT: very high
- Other Personnel: very high
HTML Warning Banner with Unverified Sender Alert
This intervention adds a prominently colored HTML warning banner to the top of the email, including an additional notice that the sender has not been verified. The message warns recipients about potential threats such as spoofed or unconfirmed sender addresses. The goal is to increase security awareness by combining visual signals with explicit safety instructions.

Effectiveness
- Overall Effect: very high
- Physicians: very high
- Nursing & Functional Services: very high
- Administration & IT: very high
- Other Personnel: very high
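The three banner interventions (plain text, HTML, and HTML with an unverified-sender alert) differ only in what is inserted and into which MIME part. The following added example, not MedISA's code or anything from the study, inserts a plain banner into text/plain parts and a coloured HTML banner into text/html parts of a multipart message, adding the unverified-sender line when the gateway did not record a passing SPF or DKIM result. It assumes the inbound gateway writes an Authentication-Results header (RFC 8601); the message and header values are constructed.

```python
"""
Added example (not MedISA's code): inserting the warning banners from this
catalog ("Plain Warning Banner", "HTML Warning Banner", and the HTML banner
"with Unverified Sender Alert") into a multipart message.
Assumed: the inbound gateway records SPF/DKIM outcomes in an
Authentication-Results header (RFC 8601); if yours does not, replace
sender_verified() with whatever your gateway exposes.
"""
import html
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Kept under 78 characters so text/plain parts stay 7bit-clean.
EXTERNAL_LINE = "*** EXTERNAL EMAIL: this message came from outside the hospital. ***"
UNVERIFIED_LINE = "*** Sender not verified: treat links and attachments with caution. ***"


def sender_verified(msg: EmailMessage) -> bool:
    """Simplified check: verified only if the gateway recorded spf=pass or
    dkim=pass. A full check would also require the passing domain to align
    with the From domain, as DMARC does; this example does not."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = results.lower()
    return "spf=pass" in results or "dkim=pass" in results


def plain_banner(verified: bool) -> str:
    """Text-only banner for text/plain parts (the 'Plain Warning Banner')."""
    lines = [EXTERNAL_LINE] + ([] if verified else [UNVERIFIED_LINE])
    return "\n".join(lines) + "\n\n"


def html_banner(verified: bool) -> str:
    """Coloured HTML banner for text/html parts (the 'HTML Warning Banner');
    the bold second line is the 'Unverified Sender Alert'."""
    lines = [html.escape(EXTERNAL_LINE)]
    if not verified:
        lines.append("<strong>" + html.escape(UNVERIFIED_LINE) + "</strong>")
    return ('<div style="background:#fff3cd;border:2px solid #cc0000;'
            'padding:8px;margin-bottom:8px">\n'
            + "<br>\n".join(lines) + "\n</div>\n")


def add_banners(raw: bytes) -> EmailMessage:
    """Prepend the banner to every displayable text part of the message.
    Attachments (even text/plain ones) are left alone."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verified = sender_verified(msg)
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(plain_banner(verified) + part.get_content())
        elif ctype == "text/html":
            body = part.get_content()
            # Put the banner just inside <body> so it renders first;
            # fall back to the very start when there is no <body> tag.
            m = re.search(r"<body[^>]*>", body, flags=re.IGNORECASE)
            cut = m.end() if m else 0
            part.set_content(body[:cut] + html_banner(verified) + body[cut:],
                             subtype="html")
    return msg


def text_parts(msg: EmailMessage) -> dict:
    """Map content type -> decoded text for the non-multipart parts."""
    return {p.get_content_type(): p.get_content()
            for p in msg.walk() if not p.is_multipart()}


# Constructed sample message (not real traffic): SPF failed, no DKIM.
SAMPLE = b"""From: Klinik Portal <portal@outside-mailer.example>
To: doctor@hospital.example
Subject: Shift plan update
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=outside-mailer.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review the updated shift plan.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the updated shift plan.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for ctype, text in text_parts(add_banners(SAMPLE)).items():
        print(f"--- {ctype} ---\n{text}")
```

Because set_content re-encodes each part, the filter must run before any DKIM signature the organisation itself adds on outbound relay; and if the banner is inserted only into the HTML part, users whose client prefers the plain-text alternative never see it, which is why both parts are handled.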
Friction – SPAM Folder
This intervention automatically redirects suspicious emails to the recipient’s SPAM or junk folder, preventing them from appearing in the main inbox. By adding this small barrier to access, the intervention reduces the likelihood that users will interact with potentially harmful content. The change in placement serves as both a technical defense and a behavioral nudge, signaling that the message may be untrustworthy and encouraging users to treat it with caution.

Effectiveness
- Overall Effect: very high
- Physicians: very high
- Nursing & Functional Services: very high
- Administration & IT: very high
- Other Personnel: very high
Friction – Disabled Link
This intervention automatically disables hyperlinks in suspicious emails, making them non-clickable. Users must manually copy and paste the link to access the target page, which introduces a small behavioral barrier and interrupts the typical interaction flow. The goal is to prevent impulsive clicks on potentially harmful links and increase user caution.

Effectiveness
- Overall Effect: high
- Physicians: high
- Nursing & Functional Services: high
- Administration & IT: no effect
- Other Personnel: high
Friction – Active Warning Page
This intervention redirects users who click on a link in a suspicious email to an intermediate warning page. The page clearly informs them that the requested link may be unsafe and encourages them to reconsider proceeding or to verify the source. The goal is to interrupt automatic click behavior and promote security awareness through conscious decision-making.

Effectiveness
- Overall Effect: medium
- Physicians: no effect
- Nursing & Functional Services: no effect
- Administration & IT: no effect
- Other Personnel: high
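Both link-friction interventions (the disabled link and the active warning page) are rewrites of the anchors in an HTML body. The following added example, not MedISA's code or anything from the study, shows both: one function turns each link into non-clickable text showing the real destination, the other routes each link through an interstitial warning page. The warning-page URL (WARN_PAGE), the signing key and the sample body are constructed; the HMAC on the target is this example's own design choice, included because an interstitial that forwards to any URL given in its query string would otherwise become an open redirector.

```python
"""
Added example (not MedISA's code): the two link-friction nudges from this
catalog applied to an HTML body. "Friction – Disabled Link" replaces each
anchor with visible, non-clickable text; "Friction – Active Warning Page"
rewrites each link to land on an interstitial page first.
Assumed: the warning page lives at WARN_PAGE (constructed) and shares
SIGNING_KEY with the mail filter, so it forwards only to targets the filter
signed. The regex handles ordinary anchors, not every HTML corner case.
"""
import hashlib
import hmac
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

WARN_PAGE = "https://warn.hospital.example/check"   # constructed endpoint
SIGNING_KEY = b"constructed-demo-key-replace-me"     # constructed; use a real secret

# group 1: quote char, group 2: href value, group 3: link text
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href=(["\'])(.*?)\1[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def disable_links(html_body: str) -> str:
    """Friction – Disabled Link: drop the anchor and show the real destination
    as text, so the user must consciously copy and paste to follow it."""
    def repl(m: re.Match) -> str:
        target = html.unescape(m.group(2))
        return f"{m.group(3)} [link disabled: {html.escape(target)}]"
    return ANCHOR_RE.sub(repl, html_body)


def _sign(target: str) -> str:
    """HMAC-SHA256 over the target URL, hex-encoded."""
    return hmac.new(SIGNING_KEY, target.encode("utf-8"), hashlib.sha256).hexdigest()


def warning_url(target: str) -> str:
    """URL of the interstitial page for one target. The signature binds the
    page to targets the filter saw, so it cannot be abused as an open redirect."""
    return WARN_PAGE + "?" + urlencode({"u": target, "sig": _sign(target)})


def route_via_warning_page(html_body: str) -> str:
    """Friction – Active Warning Page: every link now lands on the warning page
    first; the visible link text is kept so the mail still reads naturally."""
    def repl(m: re.Match) -> str:
        target = html.unescape(m.group(2))
        return f'<a href="{html.escape(warning_url(target))}">{m.group(3)}</a>'
    return ANCHOR_RE.sub(repl, html_body)


def resolve_warning_url(url: str) -> Optional[str]:
    """What the warning page does on load: recover the original target only if
    the signature verifies and the scheme is http(s); otherwise refuse (None).
    The page then shows the target and asks the user whether to proceed."""
    qs = parse_qs(urlparse(url).query)
    target = qs.get("u", [None])[0]
    sig = qs.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    if not hmac.compare_digest(_sign(target), sig):
        return None
    if urlparse(target).scheme not in ("http", "https"):
        return None
    return target


def first_href(html_body: str) -> Optional[str]:
    """Unescaped href of the first anchor in the body (helper for inspection)."""
    m = ANCHOR_RE.search(html_body)
    return html.unescape(m.group(2)) if m else None


# Constructed sample body (not real phishing content).
SAMPLE_HTML = ('<p>Your mailbox is full. <a href="https://portal.outside-mailer.example/'
               'login?user=nurse&amp;ref=1">Free up space</a> now.</p>')

if __name__ == "__main__":
    print(disable_links(SAMPLE_HTML))
    routed = route_via_warning_page(SAMPLE_HTML)
    print(routed)
    print("warning page would forward to:", resolve_warning_url(first_href(routed)))
```

A side benefit of the interstitial that the catalog's effectiveness figures do not capture: every visit to the warning page is a logged click on a suspicious link, which gives the security team per-message click telemetry for detection and follow-up without having to instrument each mail client.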