Abstract
Spear phishing messages are highly tailored attacks designed to obtain confidential information or funds from individuals, yet systematically studying these attacks in non-organisational settings is challenging. This study conducted a realistic simulated spear-phishing campaign aimed at the general public. Among 20 younger adults (aged 18–25) and 21 older adults (aged 65 and above), 65% of younger participants and 90% of older participants entered their personal information on a ‘fake’ website after receiving the spear-phishing email. While some participants recognised signs of a potential scam, they dismissed these warnings due to their trust in the sender and the belief that someone they knew could not be spoofed by a malicious actor. These findings highlight how personal trust in an individual, rather than a recognised organisation, can override suspicion. We discuss the implications of our results and the ethical considerations of gathering such in-the-wild data using deceptive methods.
| Original language | English |
|---|---|
| Title of host publication | 2025 European Symposium on Usable Security |
| DOIs | |
| Publication status | Published (VoR) - 29 Dec 2025 |
Fingerprint
Dive into the research topics of 'When Trust Overrides Caution: Investigating Spear Phishing in Personal Contexts Among Young and Older Adults'. Together they form a unique fingerprint.