When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults

Rhian Lukins; Neeranjan Chitare; Nalin Arachchilage; Lynne Coventry; James Nicholson

doi:10.1109/EuroUSEC69254.2025.00017

When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults

Rhian Lukins, Neeranjan Chitare, Nalin Arachchilage, Lynne Coventry, James Nicholson^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

62 Downloads (Pure)

Abstract

Spear phishing messages are highly tailored attacks designed to obtain confidential information or funds from individuals, yet systematically studying these attacks in non-organisational settings is challenging. This study conducted a realistic simulated spear-phishing campaign aimed at the general public. Among 20 younger adults (aged 18–25) and 21 older adults (aged 65 and above), 65% of younger participants and 90% of older participants entered their personal information on a ‘fake’ website after receiving the spear-phishing email. While some participants recognised signs of a potential scam, they dismissed these warnings due to their trust in the sender and the belief that someone they knew could not be spoofed by a malicious actor. These findings highlight how personal trust in an individual, rather than a recognised organisation, can override suspicion. We discuss the implications of our results and the ethical considerations of gathering such in-the-wild data using deceptive methods.

Original language	English
Title of host publication	2025 European Symposium on Usable Security
Subtitle of host publication	EuroUSEC 2025
Place of Publication	Piscataway, US
Publisher	IEEE
Pages	76-85
Number of pages	10
ISBN (Electronic)	9798331559236
ISBN (Print)	9798331559243
DOIs	https://doi.org/10.1109/EuroUSEC69254.2025.00017
Publication status	Published - 10 Sept 2025
Event	EuroUSEC - 2025 European Symposium on Usable Security - Digital Security Hub (DiSH), Manchester, United Kingdom Duration: 10 Sept 2025 → 11 Sept 2025

Conference

Conference	EuroUSEC - 2025 European Symposium on Usable Security
Abbreviated title	EuroUSEC
Country/Territory	United Kingdom
City	Manchester
Period	10/09/25 → 11/09/25

Keywords

spear phishing
older adults
phishing simulations

Access to Document

10.1109/EuroUSEC69254.2025.00017

2025277003Accepted author manuscript, 189 KB

Cite this

@inproceedings{57fcb07438cd48eb994479be4f2e0648,

title = "When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults",

abstract = "Spear phishing messages are highly tailored attacks designed to obtain confidential information or funds from individuals, yet systematically studying these attacks in non-organisational settings is challenging. This study conducted a realistic simulated spear-phishing campaign aimed at the general public. Among 20 younger adults (aged 18–25) and 21 older adults (aged 65 and above), 65\% of younger participants and 90\% of older participants entered their personal information on a {\textquoteleft}fake{\textquoteright} website after receiving the spear-phishing email. While some participants recognised signs of a potential scam, they dismissed these warnings due to their trust in the sender and the belief that someone they knew could not be spoofed by a malicious actor. These findings highlight how personal trust in an individual, rather than a recognised organisation, can override suspicion. We discuss the implications of our results and the ethical considerations of gathering such in-the-wild data using deceptive methods.",

keywords = "spear phishing, older adults, phishing simulations",

author = "Rhian Lukins and Neeranjan Chitare and Nalin Arachchilage and Lynne Coventry and James Nicholson",

year = "2025",

month = sep,

day = "10",

doi = "10.1109/EuroUSEC69254.2025.00017",

language = "English",

isbn = "9798331559243",

pages = "76--85",

booktitle = "2025 European Symposium on Usable Security",

publisher = "IEEE",

address = "United States",

note = "EuroUSEC - 2025 European Symposium on Usable Security<br/>, EuroUSEC ; Conference date: 10-09-2025 Through 11-09-2025",

}

Lukins, R, Chitare, N, Arachchilage, N, Coventry, L & Nicholson, J 2025, When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults. in 2025 European Symposium on Usable Security: EuroUSEC 2025. IEEE, Piscataway, US, pp. 76-85, EuroUSEC - 2025 European Symposium on Usable Security
, Manchester, United Kingdom, 10/09/25. https://doi.org/10.1109/EuroUSEC69254.2025.00017

When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults. / Lukins, Rhian; Chitare, Neeranjan; Arachchilage, Nalin et al.
2025 European Symposium on Usable Security: EuroUSEC 2025. Piscataway, US: IEEE, 2025. p. 76-85.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults

AU - Lukins, Rhian

AU - Chitare, Neeranjan

AU - Arachchilage, Nalin

AU - Coventry, Lynne

AU - Nicholson, James

PY - 2025/9/10

Y1 - 2025/9/10

N2 - Spear phishing messages are highly tailored attacks designed to obtain confidential information or funds from individuals, yet systematically studying these attacks in non-organisational settings is challenging. This study conducted a realistic simulated spear-phishing campaign aimed at the general public. Among 20 younger adults (aged 18–25) and 21 older adults (aged 65 and above), 65% of younger participants and 90% of older participants entered their personal information on a ‘fake’ website after receiving the spear-phishing email. While some participants recognised signs of a potential scam, they dismissed these warnings due to their trust in the sender and the belief that someone they knew could not be spoofed by a malicious actor. These findings highlight how personal trust in an individual, rather than a recognised organisation, can override suspicion. We discuss the implications of our results and the ethical considerations of gathering such in-the-wild data using deceptive methods.

AB - Spear phishing messages are highly tailored attacks designed to obtain confidential information or funds from individuals, yet systematically studying these attacks in non-organisational settings is challenging. This study conducted a realistic simulated spear-phishing campaign aimed at the general public. Among 20 younger adults (aged 18–25) and 21 older adults (aged 65 and above), 65% of younger participants and 90% of older participants entered their personal information on a ‘fake’ website after receiving the spear-phishing email. While some participants recognised signs of a potential scam, they dismissed these warnings due to their trust in the sender and the belief that someone they knew could not be spoofed by a malicious actor. These findings highlight how personal trust in an individual, rather than a recognised organisation, can override suspicion. We discuss the implications of our results and the ethical considerations of gathering such in-the-wild data using deceptive methods.

KW - spear phishing

KW - older adults

KW - phishing simulations

U2 - 10.1109/EuroUSEC69254.2025.00017

DO - 10.1109/EuroUSEC69254.2025.00017

M3 - Conference contribution

SN - 9798331559243

SP - 76

EP - 85

BT - 2025 European Symposium on Usable Security

PB - IEEE

CY - Piscataway, US

T2 - EuroUSEC - 2025 European Symposium on Usable Security<br/>

Y2 - 10 September 2025 through 11 September 2025

ER -

When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this