Phishing vulnerability compounded by older age, apolipoprotein E e4 genotype, and lower cognition
Didem Pehlivanoglu
Alayna Shoenfelt
Ziad Hakim
Amber Heemskerk
Jialong Zhen

Summary

This study found that older age, APOE4 genetic risk for Alzheimer’s, and lower working memory increase susceptibility to online phishing scams, underscoring the need for targeted public health strategies to reduce fraud risk.

2024

Keywords APOE4; aging; cognition; fraud; phishing

Abstract

With technological advancements, financial exploitation tactics have expanded into the online realm. Older adults may be particularly susceptible to online scams due to age- and Alzheimer's disease-related changes in cognition. In this study, 182 adults ranging from 18 to 90 years underwent cognitive assessment, genotyping for apolipoprotein E e4 (APOE4), and completed the lab-based Short Phishing Email Suspicion Test (S-PEST) as well as the real-life PHishing Internet Task (PHIT). Across both paradigms, older age predicted heightened susceptibility to phishing, with this enhanced susceptibility pronounced among older APOE4 allele carriers with lower working memory. Additionally, performance in both phishing tasks was correlated in that reduced ability to discriminate between phishing and safe emails in S-PEST predicted greater phishing susceptibility in PHIT. The current study identifies older age, APOE4, and lower cognition as risk factors for phishing vulnerability and introduces S-PEST as an easy-to-administer, ecologically valid tool for assessing phishing susceptibility.

Significance Statement

As elements of daily life are increasingly online, there is a greater risk of financial exploitation perpetrated online. Older adults may be particularly vulnerable to online fraud due to age- and Alzheimer's disease (AD)-related declines in cognition. This work demonstrates that older age, genetic predisposition for AD, and lower working memory contribute to fraud and exploitation in cyberspace. These findings provide crucial insights into mechanisms of online deception risk toward informing public health efforts for reducing financial exploitation risk and optimizing prevention solutions among individuals at particular risk of neurodegenerative disease.

Introduction

Financial fraud represents one of the most common forms of elder maltreatment. While people from any age group can be targeted by scammers, losses from fraud are not uniform across age groups, with greater monetary losses experienced by older adults. According to the Federal Bureau of Investigation (FBI), in 2021 there were 92,371 older victims of fraud resulting in $1.7 billion in losses, which was a 74% increase in losses compared to 2020. Financial losses due to exploitation can have devastating effects on health and independence of older adults.

Despite accumulation of world knowledge and life experience with age, older adults significantly decline in fluid cognition, i.e. the ability to process and integrate information and solve problems, resulting in reduced decision-making capacity and greater susceptibility to deception. For example, declines in episodic memory, processing speed, and working memory were associated with greater self-reported scam susceptibility among older adults. Similarly, a recent study reported that reduced conscious deliberation measured via executive functioning ability was associated with lower deception detection in older adults, with the strongest associations observed in individuals 80 years and over. In addition, reduced sensitivity to negative arousal cues likely underlies poorer deception detection with age. For example, relative to young adults, older adults showed diminished activity in the anterior insula and caudate when anticipating monetary losses (vs. gains) and were more trusting to negative cues of trustworthiness such as untrustworthy faces and fake news. Furthermore, age-related increased vulnerability to deception is also associated with neurobiological changes with age. For example, relative to age-matched controls who avoided exploitation, financially exploited older adults showed cortical thinning in the anterior insula, a brain region implicated in integrating emotionally valenced internal and external stimuli. Exploited older adults also showed decreased functional coupling within the default network and increased functional coupling between brain networks, two hallmark patterns of age-related brain changes.

Alzheimer's disease (AD) further exacerbates the risk of financial exploitation in aging. Cross-sectional and longitudinal evidence supports that relative to age-matched controls, older adults with mild cognitive impairment (MCI) and AD experience declines in financial capacity, lower scam awareness, and greater self-reported scam susceptibility. Furthermore, declines in fluid cognition, reduced volume in brain structures related to AD pathology (e.g. medial prefrontal cortex, lateral parietal regions), and greater β-amyloid burden contributed to scam susceptibility in older individuals with MCI and AD. However, to date, less is known about susceptibility to scams among generally healthy older adults at risk of developing AD, despite evidence that AD risk factors impact cognition and brain aging in the absence of overt AD symptoms. In particular, presence of the apolipoprotein E e4 (APOE4) allele is a robust AD risk factor that can be studied more readily than other risk factors (e.g. amyloid and/or tau pathology) and is linked to poorer cognition as well as pathological brain changes. For example, the presence of the APOE4 risk allele has been associated with reduced volume in the medial temporal lobe (40), a region associated with scam vulnerability among older adults. Therefore, being a carrier of APOE4 may constitute an AD risk factor associated with greater deception vulnerability, even before emergence of the clinical syndrome.

The rapid shift to a digital world confronts the aging individual with drastically new contexts and risks. Email phishing, for example, has become a popular deception tool with immense costs to the individual and society. According to the FBI, phishing was among the most highly reported internet scams, with 300,497 victims reporting over $52 million in losses. Importantly, phishing emails are among the most common methods of contact used by fraudsters targeting older adults. While older adults (65 years and over) constitute only about 16.8% of the US population, they often hold positions of power in organizations and politics, have retirement savings accumulated over the course of their life, and make important financial and health-related decisions. Therefore, online deception via phishing emails of these individuals can result in negative consequences with broad societal impact and there is an urgent need to identify risk factors underlying phishing email detection.

Due to growing risks online and associated costs of online deception in aging, there has been an increased attention on the investigation of age-related changes in susceptibility to phishing emails. To this end, previous studies have conducted naturalistic field experiments, in which phishing susceptibility was measured by sending simulated phishing emails to participants without their knowledge, and consistently reported an age-related increase in vulnerability to phishing emails. Other studies which measured phishing detection performance by focusing on lab-based assessments under different task contexts, however, reported more mixed findings regarding age effects. For instance, one study asked participants to rate the suspiciousness of phishing and safe emails and found reduced discrimination ability between phishing and safe emails with increasing age. In contrast, Sarno et al. required participants to classify emails as “legitimate” or “phish” and reported greater detection of phishing emails with age. Similarly, a study which had participants browse safe and phishing websites to see whether or not they divulge sensitive information found that young adults were more vulnerable to phishing than older adults. To resolve this mixed pattern of findings across paradigms and contexts, there is a critical need for unifying lab-based assessment with assessment of actual behavior “in the wild” toward the development of ecologically valid measures of phishing susceptibility in aging. Further, while there is emerging evidence that declines in memory functioning may drive age-related increase in susceptibility to email phishing, current knowledge regarding factors that contribute to age effects in phishing email detection is still very limited.

As part of a larger project on aging and deception (see also Heemskerk et al.), the present study leveraged the newly developed PHishing Internet Task (PHIT; Figure 1A; adapted from Lin et al. and Oliveira et al.) to assess behavior-based real-life susceptibility to phishing. This task was conducted out of the participants’ homes where they received simulated phishing emails unbeknownst to them (Figure 1B for sample email) over a 30-day period (two emails per day). Our infrastructure recorded whether participants opened the emails, clicked on the links embedded in the emails, and submitted any information on the landing pages that accompanied the emails. Participants also completed the short version of the Phishing Email Suspicion Test (S-PEST; adapted from Hakim et al. and Grilli et al.), a lab-based phishing task that contains 40 emails (20 safe and 20 phishing). In this task, participants are asked to rate each email on its suspiciousness using a four-point scale that ranges from “definitely safe” to “definitely suspicious” (Figure 1C). Furthermore, we assessed each participant’s cognitive functioning using a test battery which involved measures of semantic and episodic memory, working memory, speed of processing, verbal fluency, reasoning, and task switching. AD risk status was determined based on genotyping for APOE4 using self-collected dried blood samples (see Materials and methods for details of procedures).

Fig. 1.

Phishing email detection paradigms. A) PHIT: unbeknownst to them, participants received 60 simulated phishing emails over 30 days (two emails per day) in their personal email inbox and the PHIT infrastructure recorded participants’ interactions with these emails (i.e. number of emails opened, number of email links clicked, and whether a participant submitted content on the landing page). B) Sample phishing email in PHIT; each email was personalized (using the participant's first name). C) S-PEST: schematic of the display seen by participants to rate each of 40 emails (20 phishing and 20 safe, presented one at a time, in randomized order) on suspiciousness using a four-point scale from “definitely safe” to “definitely suspicious.” The email displayed is a phishing email.

Our study investigated whether and how age, AD genetic risk, and cognitive status contributed to increased susceptibility to email phishing. Critically, we used both lab-based and real-life phishing tasks toward the validation of a novel, easy-to-administer paradigm (S-PEST) with excellent potential for translation to clinical settings. We hypothesized that phishing email detection would decline with older age, both in the lab and in real life; older age, APOE4-positive status, and lower cognitive functioning would compound phishing susceptibility; and these findings would replicate from the lab to real-life phishing contexts.

Results

Participants

The sample for this analysis comprised 182 adults from a wide age range (18–90 years). Table 1 presents sample demographics. All participants were in good health, with no history of an unstable medical illness (e.g. metastatic cancer) or primary degenerative neurological disorders (e.g. traumatic brain injury, AD). The Telephone Interview for Cognitive Status (TICS; Brandt et al., 1988) was used to screen for baseline cognitive functioning among individuals over 55 years and all participants had normal cognitive functioning (TICS score range = 29–41, M = 35.5, SD = 2.54). The sample comprised 46 individuals (25%; Mage = 42 years; 82% female) with at least one copy of the APOE4 allele (i.e. ε2/ε4, ε3/ε4, or ε4/ε4) and 136 individuals (75%; Mage = 48 years; 77% female) without an APOE4 allele (i.e. ε2/ε2, ε2/ε3, or ε3/ε3). This distribution aligns with previous reports.

Table 1.

Three participants had missing data on years of education; one participant on race; four participants on marital status; six participants on living condition; four participants on employment status; and three participants on income. Computer literacy was measured via a test of knowledge of symbols and terms related to computers and other electronic equipment (higher scores reflect greater computer literacy).

Older age, APOE4-positive status, and lower cognitive functioning predicted worse phishing detection

We conducted separate regression models for S-PEST and PHIT, with chronological age, APOE4 status (APOE4 carriers vs. noncarriers), and cognition scores (i.e. semantic memory, episodic memory, working memory, speed of processing, verbal fluency, reasoning, and task switching) as predictors, while controlling for participant sex, years of education, income, marital status, and computer literacy to account for differences in computer knowledge. S-PEST was scored using standard signal detection theory to compute discrimination ability, with higher scores indicating a participant's greater ability to discriminate between phishing and safe emails. Susceptibility in PHIT was computed as the sum of the actions (i.e. opening, clicking, submitting information) taken at least once, with higher scores indicating a participant's greater susceptibility to phishing emails in real life. See Materials and methods for details on scoring and statistical modeling.
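The signal-detection scoring described above for S-PEST, as an added example that is not the study's own code. The page does not state how the four-point ratings were mapped to responses, so the cut-off (ratings 3 and 4 count as "suspicious") and the log-linear correction are assumptions; the rating-based area under the ROC curve goes beyond the text as a threshold-free companion measure, and the two response sets are constructed.

```python
from statistics import NormalDist

# Assumption (not stated on the page): ratings 3 and 4 on the four-point
# scale count as a "suspicious" response when computing hit/false-alarm rates.
SUSPICIOUS_FROM = 3
_z = NormalDist().inv_cdf  # inverse of the standard normal CDF


def sdt_scores(trials):
    """trials: iterable of (is_phishing, rating) pairs, rating in 1..4
    (1 = "definitely safe", 4 = "definitely suspicious")."""
    hits = false_alarms = n_phish = n_safe = 0
    for is_phishing, rating in trials:
        if rating not in (1, 2, 3, 4):
            raise ValueError(f"rating out of range: {rating!r}")
        flagged = rating >= SUSPICIOUS_FROM
        if is_phishing:
            n_phish += 1
            hits += flagged          # phishing email flagged: hit
        else:
            n_safe += 1
            false_alarms += flagged  # safe email flagged: false alarm
    if n_phish == 0 or n_safe == 0:
        raise ValueError("need at least one phishing and one safe email")
    # Log-linear correction (assumption): keeps both rates strictly inside
    # (0, 1), where the z-transform is finite, even for a perfect score.
    h = (hits + 0.5) / (n_phish + 1)
    f = (false_alarms + 0.5) / (n_safe + 1)
    return {
        "hit_rate": hits / n_phish,
        "false_alarm_rate": false_alarms / n_safe,
        "d_prime": _z(h) - _z(f),             # discrimination ability
        "criterion": -0.5 * (_z(h) + _z(f)),  # < 0: tends to flag everything
    }


def rating_auc(trials):
    """Probability that a random phishing email is rated as more suspicious
    than a random safe one (ties count half); uses all four scale points."""
    trials = list(trials)
    phish = [r for is_p, r in trials if is_p]
    safe = [r for is_p, r in trials if not is_p]
    if not phish or not safe:
        raise ValueError("need at least one phishing and one safe email")
    wins = sum((p > s) + 0.5 * (p == s) for p in phish for s in safe)
    return wins / (len(phish) * len(safe))


# Constructed response sets for a 40-email test (20 phishing, 20 safe).
CAREFUL = ([(True, 4)] * 15 + [(True, 2)] * 5 +
           [(False, 3)] * 5 + [(False, 1)] * 15)
# Rates every email "definitely suspicious": catches all phishing emails but
# cannot tell them from safe ones, so discrimination is zero.
FLAG_ALL = [(True, 4)] * 20 + [(False, 4)] * 20

if __name__ == "__main__":
    for name, data in (("careful", CAREFUL), ("flag_all", FLAG_ALL)):
        print(name, sdt_scores(data), "auc =", rating_auc(data))
```
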

Our models revealed a main effect of chronological age on phishing detection performance both in the lab and in real life. In particular, the ability to discriminate between phishing and safe emails in S-PEST declined with age (B = −0.008, t = −3.83, P < 0.001, 95% CI = [−0.012, −0.004]; Figure 2A) and older age was associated with greater susceptibility to phishing emails in PHIT (B = 0.027, z = 3.12, P = 0.002, 95% CI = [0.010, 0.045]; Figure 2B).

Fig. 2.

Older age impaired email phishing detection. Greater chronological age was associated with both A) lower discrimination between phishing and safe emails in S-PEST and B) greater susceptibility to phishing emails in PHIT. Each dot corresponds to a participant (jittered for visualization). Shaded areas around the regression lines reflect the 95% CI. Higher scores in S-PEST indicate greater lab-based discrimination ability between phishing and safe emails. Higher scores in PHIT indicate greater real-life email phishing susceptibility.

Further, the interaction between chronological age, APOE4 status, and cognitive functioning was also significant (S-PEST: B = 0.008, t = 2.12, P = 0.036, 95% CI = [0.001, 0.016]; PHIT: B = −0.035, z = −2.03, P = 0.042, 95% CI = [−0.069, −0.001]). To interpret this significant three-way interaction, we compared the effects of age and cognitive functioning on S-PEST and PHIT separately for APOE4 carriers vs. noncarriers. For S-PEST, older age and lower working memory (measured via Digit Span Backwards; Tun and Lachman) predicted reduced discrimination performance between phishing and safe emails in the lab, with this effect, however, only present among APOE4 carriers (B = 0.009, t = 2.34, P = 0.027, 95% CI = [0.001, 0.018]; Figure 3A) but not APOE4 noncarriers (B = −0.001, t = 0.22, P = 0.830, 95% CI = [−0.002, 0.003]; Figure 3B). A comparable effect was observed for PHIT in that older age and lower working memory (measured via Digit Span Backwards; Tun and Lachman (51)) predicted increased susceptibility to phishing emails in real life, with this effect again present among APOE4 carriers (B = 0.041, z = 2.05, P = 0.040, 95% CI = [0.002, 0.078]; Figure 3C) but not APOE4 noncarriers (B = 0.001, z = 0.13, P = 0.894, 95% CI = [−0.009, 0.010]; Figure 3D). No other effects were significant at P < 0.05.

Fig. 3.

Older age, APOE4-positive status, and lower cognitive functioning were related to reduced email phishing detection. Older APOE4 carriers with lower working memory (WM) showed both A) lower discrimination between phishing and safe emails in S-PEST and C) greater susceptibility to phishing emails in PHIT. Age did not interact with cognitive status to predict phishing detection either B) in the lab or D) in real life among noncarriers of the APOE4 allele. Shaded areas around the regression lines reflect the 95% CI. Cognition scores were submitted as continuous variables in the analysis but are categorized for plotting purposes; medium WM indicates the mean residual WM score in the current sample while low and high levels indicate 1 SD below and above the mean residual WM score, respectively. Higher scores in S-PEST indicate greater lab-based discrimination ability between phishing and safe emails. Higher scores in PHIT indicate greater real-life email phishing susceptibility. APOE4±, apolipoprotein E e4 carriers/noncarriers.

Reduced email phishing detection in the lab was related to increased email phishing susceptibility in real life

Performance in S-PEST and PHIT was significantly related (r = −0.21, P = 0.006), suggesting that participants with lower discrimination ability between phishing and safe emails as measured in the lab-based S-PEST were more likely to fall for phishing emails in the real-life PHIT.

Discussion

Increased internet use has made online deception tactics like email phishing a major public health concern, leading to dramatic financial (e.g. fraud and exploitation) and psychological (e.g. depression and suicide) consequences, with particular risks among aging individuals. While prior work has reported an age-related increase in vulnerability to phishing emails, results are currently mixed with some studies providing evidence for greater phishing detection ability with age.

Our newly developed PHIT paradigm, which allowed us to obtain a real-life behavioral measure of phishing susceptibility, not only goes beyond previous self-report but also is placed in the everyday life of our participants, thus offering ecological validity by assessing participants’ susceptibility to email phishing as it occurs in naturalistic contexts. Further, our data revealed that this real-life measure of phishing susceptibility (assessed via PHIT) was correlated with phishing detection in the well-controlled lab context (assessed via S-PEST). Importantly, using for the first time the lab-based S-PEST in combination with the real-life PHIT, we observed an age-related decline in phishing email detection ability across both assessment contexts. Further, informing individualized risk profiles, our findings demonstrate that lower cognition combined with higher genetic risk of developing AD contributes to greater phishing susceptibility in aging. In particular, reduced phishing detection was specifically pronounced among older individuals who were carriers of the APOE4 risk allele and with lower working memory. This finding aligns with previous research which suggests that decision making under risk and ambiguity tends to be impaired early in the progression of AD, with this impairment of decision-making capacity exacerbated by deficits observed in basic cognitive functioning.

Interestingly, our results highlight working memory as the main construct influencing phishing vulnerability among older APOE4 carriers given that none of the other measures, which tapped into different cognitive processes (e.g. reasoning, processing speed, semantic and episodic memory), predicted phishing email detection. Working memory represents a series of operations such as active maintenance of goals and manipulation of task-relevant information that are domain general and common to other cognitive functions. Importantly, working memory is among early cognitive impairments in healthy aging that reliably predict the progression from MCI to AD even in the absence of deficits in episodic memory. Thus, although speculative, it is possible that declines in working memory have a greater impact on phishing and other forms of deception detection among older adults who are in the early stages of AD pathology, which APOE4 carriers are at higher risk to develop. Meta-analytical evidence demonstrated that cognitive training that targets working memory processes results in reliable improvements on the trained task as well as on near- and far-transfer tasks. Thus, future intervention on reducing deception risk in aging could entail working memory training among older individuals who carry an APOE4 allele.

As touched on earlier, past measurement of phishing susceptibility involved diverse methodological approaches, ranging from lab-based assessments across task contexts (e.g. web browsing; roleplaying a person checking their emails; email classification) to naturalistic field experiments (e.g. sending simulated phishing emails to participants’ email addresses). Going beyond this previous research, the current study established ecological validity of S-PEST as an in-lab measure by showing an association between S-PEST and PHIT performance, whereby people who perform poorly on S-PEST were more susceptible to real-life phishing. This finding complements our previous work in which we found that emails that were rated more suspicious in the lab were more likely to phish people in the real world using a separate group of participants. Moving forward, item response theory will allow refining S-PEST by identifying items that are most sensitive at detecting online deception and exploitation risk toward launching the application of S-PEST as a short, easy-to-administer diagnostic assessment tool in clinic and practice.

While the current study sheds light on risk profiles associated with vulnerability to email phishing, it is limited in scope of investigation. Future work should consider both breadth (coverage) and depth (specificity) of analysis to better delineate a diverse set of interindividual and contextual factors contributing to deception risk and design of interventions. For instance, to expand the breadth of investigation, future research could extend our investigation into socioemotional functioning domains by considering variables such as depression and social isolation, which among older adults can exacerbate deception risk.

Also, the present study used the Brief Test of Adult Cognition by Telephone (BTACT), as a brief measure to capture basic cognitive abilities (e.g. attention, working memory, fluency, episodic memory). In future extension of this work, a more extensive cognitive characterization of participants, including cognitive capacities such as complex problem solving and decision making, would be beneficial to delineate the role of specific cognitive capacities in phishing detection among older adults. Additionally, while our investigation did not specifically focus on financial exploitation, participants’ perceived financial status and income inequality as well as objective measures of their financial status such as household income, household assets and debt would be beneficial to assess to determine their impact on phishing susceptibility.

Of note, our approach is limited in that APOE4-positive status represents only one genetic indicator of AD risk; future studies could benefit from obtaining genome-wide polygenic risk scores and additional biomarkers such as amyloid-β, tau protein levels, and blood-based biomarkers (e.g. ratio of amyloid-β peptides: Aβ42/Aβ40, levels of phosphorylated tau isoforms) to enhance the depth of investigation on cognitive disease-related risk profiles and deception. Lastly, the current study adopted a cross-sectional design with a primarily non-Hispanic White, well-educated, and largely female sample, and results will need to be confirmed via longitudinal or cross-sequential design including individuals from diverse backgrounds, to allow dissociation of age from cohort effects in a more representative adult lifespan sample for broader generalizability of findings.

Interestingly, and consistent with mounting evidence on increased variability in performance among older compared to younger adults, older age was associated with greater variation in phishing detection ability (see Figure 2). This pattern could be a result of greater age-related variation in socioemotional processes (e.g. theory of mind, loneliness) with relevance to phishing detection, which were not examined here; or could be due to increased age-related variation in brain structure and function in regions with particular relevance for deception detection (e.g. insula) or in physiological response subserving deception detection (e.g. interoceptive awareness). Systematically determining such moderating variables in future research will further inform the design of interventions aimed at reducing exploitation risk among older adults. Also, future studies that specifically delineate cognitive, socioemotional, and brain-related characteristics of older adults who perform particularly poorly or particularly well in phishing detection (e.g. by comparing super agers and poor agers) will increase understanding of risk vs. protective profiles.

The present study takes a unique and important step toward a more naturalistic, real-life behavior-based approach at determining phishing susceptibility among adults of different ages, and it identifies crucial risk factors (age, genetic risk for AD, cognitive status). Crucial extension of this work includes recruitment of community-dwelling older adults who are particularly vulnerable (e.g. have been, or continue to be, victims of fraud in real life) as well as those from disadvantaged backgrounds, a population segment that is currently severely understudied regarding exploitation. Also, moving forward, prospective studies are needed to allow prediction of future fraud susceptibility based on lab-generated risk profiles. Integration of public records will be essential to start addressing challenges with underreporting of exploitation in real life and underestimated base rates. Machine learning approaches in behavioral analytics will further facilitate the profiling of consumer behavior and fraud risk (e.g. detection of irregularities in bank transaction trends for prediction of fraud risk). Finally, knowledge transfer into the community and policy stakeholders (e.g. elder community care, law) will be essential.

Conclusion

In conclusion, our work provides crucial insights into mechanisms of online deception risk toward informing public health efforts for reducing financial exploitation risk and optimizing prevention solutions among older adults. Results from this study importantly advance understanding of the role of older age, presence of the APOE4 allele, and lower working memory as risk factors that contribute to fraud and exploitation in cyberspace. Also, integrating in-lab and real-life measures of phishing susceptibility, our work provides a crucial first step in the development of easy-to-administer, ecologically valid assessment tools for those at particular risk of neurodegenerative disease. Finally, current training and warning solutions for online scams and threats operate under the implicit assumption that one-size-fits-all. However, our work suggests that this is not the case and that rather an individualized approach is warranted to assist the particularly vulnerable aging individual when navigating online.

Materials and methods

Study overview and recruitment

This paper reports findings from a larger project on susceptibility to deception in aging (see Supplemental Figure S1 for an overview of the larger project). All procedures were approved by the University of Florida's Institutional Review Board (IRB protocol #: IRB201801057), and all participants provided written informed consent. Participants were told that the study was about how well they “understand themselves and others.” They were informed that the study comprised sessions completed at home via Zoom as well as lab visits both with an experimenter present and questionnaires sent to their personal email for completion on their own. Participants were not told that they would receive simulated phishing emails from our study team while enrolled in the study. This approach was used to prevent any changes in behavior if the real study purpose had been known.

Participants were recruited from the community in North Central Florida via university participant registries, senior citizen facilities, ResearchMatch, and word of mouth. Participants were eligible for the study if they were between 18 and 100 years old, able and willing to provide informed consent, English-speaking, on a stable regimen of medications, had at least an eighth grade education, and had access to a personal email account they used regularly.

As depicted in Supplemental Figure S1, data analyzed in the paper comprised the following components of the larger project: (i) a screening session which involved obtaining informed written consent, determining overall health and cognitive status (via TICS), and collecting demographic information; (ii) a 30-day at-home portion during which participants completed three online questionnaire packages (from which the computer literacy scale, adapted from Sengpiel and Dittberner, was included in this paper) and received, unbeknownst to them, two simulated phishing emails each day to their personal email account as part of PHIT; and (iii) a follow-up in-lab session in which participants completed S-PEST, a series of cognitive functioning measures, and provided dried blood samples to determine APOE4 allele status. Upon completion of all study components, participants were compensated with up to $430 and debriefed regarding the real purpose of the study. They were then given the option to withdraw their data now that they had learned about the real study purpose. All participants granted permission to use their data.

Measures

This paper analyzed data from (i) two phishing paradigms (PHIT and S-PEST) to determine email phishing detection ability, (ii) cognitive functioning measures, and (iii) dried blood sampling for APOE4 genotyping. Below, each of these measures is described in more detail.

Phishing email paradigms

PHishing Internet Task (PHIT)

PHIT (Figure 1A) comprised 120 simulated phishing emails created by our research team. Each email contained a subject line and was personalized by using the participant's first name. The body of each email comprised HTML elements and images related to the email content along with a link that directed participants to an accompanying landing page, also created by our research team and that contained fields requesting submission of information (e.g. email, phone number).

Each participant was sent a subset of 60 emails (two emails per day over 30 days; see Figure 1B for a sample email). Emails were pseudo-randomly sampled from a larger pool of emails following a counterbalancing scheme that ensured equal numbers of emails from impersonated vs. fictitious companies/entities and leveraging weapons of influence (Authority, Scarcity, Social Proof, Liking/Kindness, Reciprocity, Commitment) to ensure a diverse set of emails. The first of each day's two emails was sent in the morning (at random between 8 AM and 11:55 AM) and the second around late afternoon (at random between 3 PM and 9:55 PM), with these times chosen to mimic typical work and leisure times.

The PHIT infrastructure was hosted on three Amazon EC2 virtual servers (i.e. instances; https://aws.amazon.com/ec2/), with one domain per server. Servers and domains were configured with standard IT protocols (e.g. SSH, SPF, DMARC) to secure participant data and prevent them from being used by malicious agents. Sender addresses were randomly determined to be impersonated (e.g. google@domain.com) or fictitious (e.g. marylou@domain.com) at the time of scheduling emails for send-out. Each server contained a different set of fictitious sender addresses to introduce variability to spam filters (e.g. in gmail, hotmail), and throughout the duration of the project, servers were periodically refreshed with new domains and new sender addresses to improve deliverability, mitigate spam filtering, and keep a good sending reputation. Email send-outs were scheduled separately for each participant via the open-source phishing framework Gophish (https://getgophish.com/) and sent through mail server IPs provided by the third-party service Mailgun (https://www.mailgun.com/). Responses were recorded separately for each participant via the Gophish listener, which used the SQLite database to store (i) email opens, (ii) email link clicks, and (iii) submission of information on the landing pages, which was captured via text entry data. Responses captured by the Gophish listener were coded based on whether the participant opened at least one email (0 = no; 1 = yes); clicked on at least one email (0 = no; 1 = yes); and submitted information on the landing page at least once (0 = no; 1 = yes). Susceptibility in PHIT was computed as the sum of these actions taken at least once by a participant and ranged from 0 to 3, with higher scores indicating a participant's greater susceptibility to phishing emails in real life (i.e. lower ability to detect phishing emails).
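The at-least-once coding described above can be reproduced with a single aggregate query over the event log. This is an added example, not the study's code: the `roster` table, the reduced `events` schema, the addresses and every row are constructed assumptions, while the three scored labels are the event messages Gophish records.

```python
import sqlite3

# Event labels as Gophish logs them. "Email Sent" and "Email Reported" are not scored.
OPENED, CLICKED, SUBMITTED = "Email Opened", "Clicked Link", "Submitted Data"


def build_sample_db():
    """In-memory stand-in for the listener's SQLite file. All rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE roster (email TEXT PRIMARY KEY);  -- hypothetical enrolment list
        CREATE TABLE events (campaign_id INTEGER, email TEXT, time TEXT, message TEXT);
    """)
    roster = ["p01@example.org", "p02@example.org", "p03@example.org",
              "p04@example.org", "p05@example.org"]
    db.executemany("INSERT INTO roster VALUES (?)", [(e,) for e in roster])
    events = [
        # p01: delivered and reported, never opened -> score 0
        (1, "p01@example.org", "2024-01-01T08:10:00Z", "Email Sent"),
        (1, "p01@example.org", "2024-01-01T09:02:00Z", "Email Reported"),
        # p02: opened two different emails, no clicks -> score 1
        (1, "p02@example.org", "2024-01-01T08:40:00Z", "Email Opened"),
        (2, "p02@example.org", "2024-01-01T16:05:00Z", "Email Opened"),
        # p03: full funnel on one email, repeat click on another -> score 3
        (1, "p03@example.org", "2024-01-01T10:00:00Z", "Email Opened"),
        (1, "p03@example.org", "2024-01-01T10:01:00Z", "Clicked Link"),
        (1, "p03@example.org", "2024-01-01T10:03:00Z", "Submitted Data"),
        (2, "p03@example.org", "2024-01-02T15:20:00Z", "Clicked Link"),
        # p04: click and submission with no open logged (open tracking relies
        # on a remote image, which a mail client may block) -> score 2
        (3, "p04@example.org", "2024-01-03T19:00:00Z", "Clicked Link"),
        (3, "p04@example.org", "2024-01-03T19:02:00Z", "Submitted Data"),
        # p05: enrolled but no rows at all -> must still appear with score 0
    ]
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    return db


def phit_susceptibility(db):
    """Return {email: {opened, clicked, submitted, score}} with score in 0..3.

    Each indicator is 1 if the action occurred at least once across all emails
    sent to that participant. The LEFT JOIN keeps participants with no events.
    """
    query = """
        SELECT r.email,
               MAX(CASE WHEN e.message = ? THEN 1 ELSE 0 END),
               MAX(CASE WHEN e.message = ? THEN 1 ELSE 0 END),
               MAX(CASE WHEN e.message = ? THEN 1 ELSE 0 END)
        FROM roster r
        LEFT JOIN events e ON e.email = r.email
        GROUP BY r.email
        ORDER BY r.email
    """
    scores = {}
    for email, opened, clicked, submitted in db.execute(
            query, (OPENED, CLICKED, SUBMITTED)):
        scores[email] = {
            "opened": opened,
            "clicked": clicked,
            "submitted": submitted,
            "score": opened + clicked + submitted,
        }
    return scores


if __name__ == "__main__":
    for email, row in phit_susceptibility(build_sample_db()).items():
        print(email, row)
```

Because the three indicators are coded independently, a participant such as `p04` whose open was never logged scores 2 rather than 3.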

Short Phishing Email Suspicion Test (S-PEST)

S-PEST (Figure 1C) contained 40 emails sampled from the original Phishing Email Suspicion Test. To assure a diverse set, emails varied in legitimacy (safe vs. phishing), source (real vs. simulated), and whether a link was embedded in the email body or whether the email contained an attachment.

Participants received written task instructions and two practice trials. In particular, participants were informed that they would see a series of emails as in a regular email inbox, with some of these emails phishing and some safe messages. Participants were asked to categorize each email via keyboard press regarding the level of suspiciousness on a four-point scale from 1 = definitely safe to 4 = definitely suspicious. Email presentation order was randomized, and each email was presented for 120 seconds during which participants were instructed to give their response. At the end of the task, participants received an individualized score based on their task accuracy. S-PEST was coded in PsychoPy and presented via Pavlovia (https://github.com/zmhakim/s-pest). The total duration of the task was about 10 minutes.

S-PEST was scored using standard signal detection theory to compute discrimination ability (i.e. d-prime denoted as d′). Phishing emails were considered as “signal present,” and correct responses of “definitely suspicious” or “possibly suspicious” for phishing emails reflected hits, whereas incorrect responses of “definitely safe” or “possibly safe” reflected misses. For safe emails, responses of “definitely safe” or “possibly safe” reflected correct rejections, whereas responses of “definitely suspicious” or “possibly suspicious” reflected false alarms. Using the formula d′ = z(H)−z(F), d′ was calculated for each participant across all emails, with higher d′ indicating a participant's greater ability to discriminate between phishing and safe emails (i.e. greater ability to detect phishing emails).
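The scoring rule above, as an added example that is not the study's PsychoPy code. The page does not say how hit or false-alarm rates of exactly 0 or 1 were handled, so the log-linear correction, the exclusion of timed-out trials, and the numeric codes 2 and 3 for the two "possibly" responses are assumptions; all ratings are constructed.

```python
from statistics import NormalDist

z = NormalDist().inv_cdf  # inverse of the standard normal CDF

# Assumed codes: 1 = definitely safe, 2 = possibly safe,
#                3 = possibly suspicious, 4 = definitely suspicious.
SUSPICIOUS = {3, 4}


def sdt_counts(trials):
    """Tally (hits, misses, false_alarms, correct_rejections).

    trials: iterable of (is_phishing, rating). rating is 1-4, or None when the
    120-second window expired without a key press (excluded here, an assumption).
    """
    hits = misses = fas = crs = 0
    for is_phishing, rating in trials:
        if rating is None:
            continue
        if rating not in (1, 2, 3, 4):
            raise ValueError(f"rating out of range: {rating!r}")
        flagged = rating in SUSPICIOUS
        if is_phishing and flagged:
            hits += 1
        elif is_phishing:
            misses += 1
        elif flagged:
            fas += 1
        else:
            crs += 1
    return hits, misses, fas, crs


def d_prime(trials, loglinear=True):
    """d' = z(H) - z(F), with phishing emails as 'signal present'.

    loglinear=True adds 0.5 to the hit and false-alarm counts and 1 to each
    trial count, which keeps z() finite when a rate would be 0 or 1.
    loglinear=False uses raw rates and raises if z() would be undefined.
    """
    hits, misses, fas, crs = sdt_counts(trials)
    n_signal, n_noise = hits + misses, fas + crs
    if n_signal == 0 or n_noise == 0:
        raise ValueError("need at least one phishing and one safe trial")
    if loglinear:
        h = (hits + 0.5) / (n_signal + 1)
        f = (fas + 0.5) / (n_noise + 1)
    else:
        if hits in (0, n_signal) or fas in (0, n_noise):
            raise ValueError("rate of 0 or 1: z() is undefined without a correction")
        h, f = hits / n_signal, fas / n_noise
    return z(h) - z(f)


def make_trials(n_hits, n_false_alarms, n_each=20):
    """Constructed participant: n_each phishing and n_each safe emails."""
    phishing = [(True, 4 if i % 2 else 3) for i in range(n_hits)]
    phishing += [(True, 1 if i % 2 else 2) for i in range(n_each - n_hits)]
    safe = [(False, 3 if i % 2 else 4) for i in range(n_false_alarms)]
    safe += [(False, 2 if i % 2 else 1) for i in range(n_each - n_false_alarms)]
    return phishing + safe


if __name__ == "__main__":
    for label, trials in [("careful", make_trials(16, 4)),
                          ("flags everything", make_trials(20, 20)),
                          ("perfect", make_trials(20, 0))]:
        print(f"{label}: d' = {d_prime(trials):.3f}")
```

The participant who rates every email as suspicious catches all 20 phishing emails yet gets d′ = 0, which is why the measure uses discrimination rather than raw hit rate.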

Cognitive functioning measures

Automated Operation Span (OSPAN) task

The automated OSPAN is a computerized version of the original OSPAN, measuring working memory capacity. The task requires participants to solve a series of math operations while trying to remember, in order, a series of unrelated letters. In particular, participants are first shown a simple math problem (e.g. (1 × 2) + 1 = ?). Participants click on the screen to move on as soon as they solve the problem. Next, a number appears on the screen (e.g. 3) and participants indicate whether the number represents the correct answer to the math problem. This is then followed by a single, unrelated letter (e.g. P) presented for 800 ms. After completing a block of trials (ranging from 3 to 7), participants are shown a 3 × 4 grid of letters and instructed to select the letters they have seen before, in the order they were presented, followed by feedback regarding their performance (correct math problems solved as well as correct letters recalled) for 2,000 ms before the next block starts. The automated OSPAN has both good internal consistency (alpha = 0.78) and test–retest reliability (r = 0.83) and takes approximately 20–25 minutes. For analysis, we used the absolute automated OSPAN score, reflecting the sum of all trials in which all letters were recalled in the correct serial order.

Brief Test of Adult Cognition by Telephone (BTACT)

The BTACT contains seven subscales that assess key aspects of cognition. Episodic memory is measured with the Word List Immediate Recall and Word List Delayed Recall subscales, which involve immediate recall and delayed retrieval of a list of 15 words. The memory composite score reflects the average of the z-scores for the two subscales (DeBlasio et al. 2021). Working memory is measured with the Digit Span Backwards subscale, in which strings of numbers are repeated in reverse order and the length of the strings increases with each correct repetition (ranging from 2 to 8 digits). The Backward Digit Span is scored from 0 to 8, corresponding to the longest set of digits correctly repeated backwards. Verbal fluency is measured by the Category Fluency subscale, in which participants list as many items as they can remember belonging to a particular category (i.e. “animals”) in 60 seconds. The score reflects the total number of unique animals listed. Task-switching ability is measured by the Stop and Go Switch Task. On No-switch trials, participants are required to quickly respond with “go” or “stop” when the experimenter reads the words “green” or “red,” respectively. On Switch trials, participants are required to respond “stop” or “go” when the experimenter reads the words “green” or “red,” respectively. The task includes 18 No-switch and 14 Switch trials, and the score is derived from the total number of correct responses (0–32). Inductive reasoning is assessed with the Number Series subscale, in which participants read a brief series of numbers and are instructed to identify the next number in the pattern. The score reflects the total number of correct answers (0–5). Speed of processing is assessed with the Backward Counting subscale, in which participants verbally count backwards beginning at 100 for 30 seconds. The score reflects the total number of correct numbers listed.
The subscales were completed in the following order for all participants: (i) Word List Immediate Recall; (ii) Digit Span Backwards; (iii) Category Fluency; (iv) Stop and Go Switch Task; (v) Number Series; (vi) Backward Counting; and (vii) Word List Delayed Recall. The task takes approximately 20 minutes to complete.

Quantity–Accuracy Profile (QAP)

The QAP is a 60-item multiple-choice, general knowledge questionnaire that measures semantic memory functioning. The updated English version includes questions such as “In biology, what is the process by which carbon dioxide is converted to sugar in plants?” and “What is the capital city of Argentina?”. The task includes a forced-report and a free-report phase. In the forced-report phase, participants are required to select one of five potential answers for each question and rate their confidence in the accuracy of their answer on a scale ranging from 20 to 100%. In the free-report phase, participants are shown the same questions and their corresponding answers, but not their confidence ratings, and are given the choice to report or not report their response. The semantic memory score computed in the current study reflected the free-report accuracy, which was the number of correct answers divided by the total number of answers reported in the free-report phase.

Blood sampling for APOE genotyping

Participants provided dried blood spots which were self-collected under the supervision of a trained research assistant. Briefly, a participant cleaned their hands with soap and water, selected a finger to use for blood spot donation, and wiped the tip of the selected finger with an isopropyl alcohol pad. After a brief period of air drying, the selected finger was warmed for approximately 1 minute. Blood was collected via lancet puncture of the finger pad capillary bed on either side of the center of the selected finger. The first drop of blood was wiped away with sterile gauze and discarded. The next drop of blood (∼30 µL) was deposited directly onto the tip of a Mitra microsampler device (Neoteryx, Torrance, CA, USA) and allowed to air dry completely at room temperature for a minimum of 3 hours. DNA was isolated from the Mitra device using the Maxwell RSC instrument (Promega, Madison, WI, USA) according to the manufacturer's instructions in the customized Product Application Note (RSC FFPE Plus DNA Kit; catalog #AS1720; Application Note “Automated DNA Purification from Blood on a Mitra Microsampler”). Purified DNA was quantitated via Nanodrop (Thermo Fisher Scientific, Waltham, MA, USA), and 18 ng of DNA was used to determine APOE genotypes (at SNPs rs429358 and rs7412) via TaqMan chemistry (Thermo Fisher Scientific) using Fast Advanced Master Mix and assay IDs C___3084793_20 and C____904973_10 according to the manufacturer's suggestions on the QuantStudio 6 Flex instrument (Thermo Fisher Scientific). All experimental samples were genotyped in parallel with sequence-confirmed control samples representing the six common APOE genotypes to aid in cluster anchoring during genotype calling. All genotype calls were derived from the automated calling algorithm in the QuantStudio Real Time PCR Software (Thermo Fisher Scientific).

Statistical modeling

Statistical analyses were conducted using regression models separately for S-PEST and PHIT. Specifically, for the continuous outcome variable from S-PEST (d′ scores), we conducted multiple linear regression models; for the ordinal outcome variable from PHIT (susceptibility score), we conducted ordinal logistic regression models. All regression models included the main effect of chronological age (continuous), and its interaction with APOE4 status (0 = APOE4 noncarriers, 1 = APOE4 carriers) and cognitive functioning scores (continuous) as well as the main effects of each of these moderators. To control for multicollinearity between cognition scores and chronological age, we removed the covariance with age for each of the scores and used the unstandardized residuals as predictors in the regression analyses. Participant sex, years of education, income, marital status, and computer literacy scores were added as covariates in all models. All analyses were conducted using R version 4.1.2 (The R Foundation), and figures were produced using the ggplot2 and sjPlot packages in R.


Introduction

Financial fraud represents one of the most prevalent forms of elder maltreatment. While individuals across all age groups may encounter scams, older adults frequently experience greater financial losses. In 2021, the Federal Bureau of Investigation (FBI) reported 92,371 older victims of fraud, resulting in $1.7 billion in losses, a 74% increase from 2020. Financial exploitation can have severe consequences for the health and independence of older adults.

Despite accumulating knowledge and life experience, older adults exhibit notable declines in fluid cognition, which is the ability to process, integrate information, and solve problems. This reduction in decision-making capacity increases susceptibility to deception. For instance, diminished episodic memory, processing speed, and working memory have been linked to higher self-reported scam susceptibility among older adults. Recent research also indicates that reduced conscious deliberation, as measured by executive functioning, correlates with lower deception detection, particularly in individuals aged 80 and above. Additionally, a decreased sensitivity to negative emotional cues likely underlies poorer deception detection with advancing age. For example, older adults demonstrate less activity in specific brain regions (anterior insula and caudate) when anticipating monetary losses compared to gains, and they show increased trust in negative indicators of trustworthiness, such as untrustworthy faces and fabricated news. Neurobiological changes with age further contribute to this vulnerability, with exploited older adults showing cortical thinning in the anterior insula and altered functional coupling in brain networks.

Alzheimer's disease (AD) significantly heightens the risk of financial exploitation in aging populations. Studies confirm that older adults with mild cognitive impairment (MCI) and AD experience declines in financial capacity, lower scam awareness, and greater self-reported scam susceptibility. Cognitive declines, reduced brain volume in AD-related structures, and increased beta-amyloid burden contribute to scam vulnerability in individuals with MCI and AD. While less is known about scam susceptibility in generally healthy older adults at risk for AD, the apolipoprotein E e4 (APOE4) allele is a robust AD risk factor, linked to poorer cognition and pathological brain changes. Thus, being an APOE4 carrier may indicate greater vulnerability to deception before the onset of clinical AD symptoms.

The accelerating shift to a digital environment presents aging individuals with novel risks, notably email phishing. The FBI identified phishing as one of the most frequently reported internet scams, with substantial financial losses. Phishing emails are a primary method fraudsters use to target older adults, who, despite representing a smaller percentage of the U.S. population, often hold influential positions and possess significant financial assets. Online deception targeting these individuals can have broad societal consequences, underscoring the urgent need to identify factors contributing to phishing email detection vulnerability. Previous studies on age-related changes in phishing susceptibility have yielded mixed findings, highlighting a critical need to integrate lab-based assessments with real-world behavioral measures to develop ecologically valid measures of phishing susceptibility in aging. Current knowledge regarding factors that contribute to age effects in phishing email detection remains limited.

The present study, part of a larger project on aging and deception, utilized the PHishing Internet Task (PHIT) to assess real-life phishing susceptibility. Participants received simulated phishing emails over 30 days, and interactions were recorded. They also completed the Short Phishing Email Suspicion Test (S-PEST), a lab-based phishing task. Cognitive functioning was assessed using a battery of tests, and AD risk status was determined via APOE4 genotyping. The study investigated the contributions of age, AD genetic risk, and cognitive status to increased email phishing susceptibility. It was hypothesized that phishing email detection would decline with age, both in the lab and in real life, and that older age, APOE4-positive status, and lower cognitive functioning would compound phishing susceptibility, with findings replicating across contexts.

Results

Participants

The analysis sample consisted of 182 adults, aged 18 to 90 years. All participants were in good health, with no history of unstable medical illness or primary degenerative neurological disorders. Cognitive functioning was normal for all participants over 55 years, as screened by the Telephone Interview for Cognitive Status (TICS), with scores ranging from 29 to 41 (mean = 35.5, SD = 2.54). The sample included 46 individuals (25%; mean age = 42 years; 82% female) carrying at least one copy of the APOE4 allele, and 136 individuals (75%; mean age = 48 years; 77% female) without an APOE4 allele, consistent with previous reports. Data regarding years of education, race, marital status, living condition, employment status, and income had minor missing values for a small number of participants. Computer literacy was assessed via a test measuring knowledge of computer-related symbols and terms, with higher scores indicating greater literacy.

Older age, APOE4-positive status, and lower cognitive functioning predicted worse phishing detection

Separate regression models were conducted for the Short Phishing Email Suspicion Test (S-PEST) and the PHishing Internet Task (PHIT). Predictors included chronological age, APOE4 status (carriers vs. non-carriers), and cognitive functioning scores (semantic memory, episodic memory, working memory, speed of processing, verbal fluency, reasoning, and task switching). Participant sex, years of education, income, marital status, and computer literacy were included as covariates to control for differences in computer knowledge. S-PEST was scored using signal detection theory to determine discrimination ability, with higher scores indicating better ability to differentiate between phishing and safe emails. PHIT susceptibility was calculated as the sum of actions (opening, clicking, submitting information) taken at least once, with higher scores indicating greater real-life phishing susceptibility.

The models revealed a significant main effect of chronological age on phishing detection in both lab-based and real-life contexts. Specifically, the ability to discriminate between phishing and safe emails in S-PEST declined with age (B = −0.008, t = −3.83, P < 0.001, 95% CI = [−0.012, −0.004]). Conversely, older age was associated with greater susceptibility to phishing emails in PHIT (B = 0.027, z = 3.12, P = 0.002, 95% CI = [0.010, 0.045]). These relationships are visually represented in accompanying figures, where increasing age correlates with lower S-PEST discrimination and higher PHIT susceptibility.

Furthermore, a significant three-way interaction between chronological age, APOE4 status, and cognitive functioning was observed (S-PEST: B = 0.008, t = 2.12, P = 0.036, 95% CI = [0.001, 0.016]; PHIT: B = −0.035, z = −2.03, P = 0.042, 95% CI = [−0.069, −0.001]). This interaction indicated that older age and lower working memory (measured by Digit Span Backwards) predicted reduced discrimination performance in S-PEST and increased susceptibility in PHIT, but this effect was specific to APOE4 carriers (S-PEST: B = 0.009, t = 2.34, P = 0.027, 95% CI = [0.001, 0.018]; PHIT: B = 0.041, z = 2.05, P = 0.040, 95% CI = [0.002, 0.078]). This relationship was not observed among APOE4 non-carriers (S-PEST: B = −0.001, t = 0.22, P = 0.830, 95% CI = [−0.002, 0.003]; PHIT: B = 0.001, z = 0.13, P = 0.894, 95% CI = [−0.009, 0.010]). Other effects were not statistically significant at P < 0.05. Visualizations of these findings demonstrate how older APOE4 carriers with lower working memory exhibit diminished phishing detection across both assessment types.

Reduced email phishing detection in the lab was related to increased email phishing susceptibility in real life

Performance on the Short Phishing Email Suspicion Test (S-PEST) was significantly correlated with performance on the PHishing Internet Task (PHIT) (r = −0.21, P = 0.006). This indicates that individuals who demonstrated lower discrimination ability between phishing and safe emails in the controlled lab setting (S-PEST) were more prone to falling for phishing emails in real-life scenarios (PHIT).

Discussion

Increased internet usage has made online deception tactics, such as email phishing, a significant public health concern. These tactics lead to substantial financial and psychological consequences, with older adults facing particular risks. While previous research has indicated an age-related increase in vulnerability to phishing emails, some studies have reported mixed findings regarding age effects on detection ability.

The present study employed the newly developed PHishing Internet Task (PHIT) to obtain a real-life behavioral measure of phishing susceptibility, offering ecological validity by assessing behavior in naturalistic contexts. This real-life measure (PHIT) was found to correlate with phishing detection in a controlled lab setting (Short Phishing Email Suspicion Test, S-PEST), validating the latter. Across both assessment contexts, an age-related decline in phishing email detection ability was observed. Importantly, the findings contribute to individualized risk profiles, demonstrating that lower cognitive functioning combined with a higher genetic risk for developing Alzheimer's disease (AD) increases phishing susceptibility in aging. Specifically, reduced phishing detection was more pronounced among older individuals who were carriers of the APOE4 risk allele and exhibited lower working memory. This aligns with research suggesting that decision-making under risk and ambiguity can be impaired early in AD progression, exacerbated by basic cognitive deficits.

The results notably highlight working memory as a primary cognitive construct influencing phishing vulnerability among older APOE4 carriers, distinguishing it from other cognitive measures like reasoning or processing speed. Working memory involves active maintenance of goals and manipulation of task-relevant information, representing a domain-general cognitive function. It is also among the early cognitive impairments in healthy aging that reliably predict progression from mild cognitive impairment (MCI) to AD. This suggests that declines in working memory may disproportionately affect deception detection among older adults in early stages of AD pathology, a risk heightened for APOE4 carriers. Given meta-analytical evidence for working memory training improvements, future interventions aimed at reducing deception risk in aging could explore working memory training for older individuals carrying the APOE4 allele.

This study advanced previous research by establishing the ecological validity of S-PEST as an in-lab measure, demonstrating its association with real-life PHIT performance. This finding complements prior work showing that emails rated as more suspicious in the lab were more likely to phish individuals in real-world settings. Future efforts will involve refining S-PEST using item response theory to identify items most sensitive for detecting online deception and exploitation risk, facilitating its application as a short, easy-to-administer diagnostic tool in clinical and practical settings. However, the current study's scope of investigation is limited. Future research should expand on both breadth and depth, considering additional interindividual and contextual factors such as socioemotional functioning (e.g., depression, social isolation), more extensive cognitive characterization including complex problem-solving and decision-making, and objective measures of financial status.

Furthermore, the study's reliance on APOE4-positive status as the sole genetic indicator of AD risk limits the depth of investigation; future studies could benefit from genome-wide polygenic risk scores and additional biomarkers (e.g., amyloid-β, tau protein levels). The cross-sectional design, along with a sample primarily composed of non-Hispanic White, well-educated, and largely female participants, limits generalizability. Future research should employ longitudinal or cross-sequential designs with diverse, representative adult lifespan samples to differentiate age from cohort effects. The observed increased variability in phishing detection among older adults suggests further investigation into socioemotional processes, brain structure/function, or physiological responses relevant to deception detection. Future work should also recruit community-dwelling older adults who are particularly vulnerable (e.g., prior victims of fraud, disadvantaged backgrounds) and integrate public records to address underreporting of exploitation. Machine learning approaches could further refine fraud risk profiling, and knowledge transfer to community and policy stakeholders is essential.

Conclusion

This research provides crucial insights into the mechanisms of online deception risk, aiming to inform public health initiatives for reducing financial exploitation and optimizing prevention strategies among older adults. The findings significantly advance the understanding of how older age, the presence of the APOE4 allele, and lower working memory contribute as risk factors to fraud and exploitation in the digital realm.

By integrating both in-lab and real-life measures of phishing susceptibility, this study represents a vital initial step in developing easily administered, ecologically valid assessment tools for individuals at particular risk of neurodegenerative disease. This approach allows for a more comprehensive evaluation of vulnerability beyond self-report or single-context assessments.

Finally, the work challenges the implicit assumption of a "one-size-fits-all" approach in current training and warning solutions for online scams. Instead, the results suggest that an individualized approach is necessary to effectively assist vulnerable aging individuals as they navigate the complexities of the online environment, tailoring interventions to specific risk profiles.

Materials and methods

Study overview and recruitment

This paper presents findings from a broader project investigating susceptibility to deception in aging. All procedures received approval from the University of Florida's Institutional Review Board, and participants provided written informed consent. Participants were informed that the study focused on self and social understanding, involving at-home Zoom sessions, lab visits, and online questionnaires. The use of simulated phishing emails was not disclosed to prevent behavioral changes.

Participants were recruited from the North Central Florida community through university registries, senior citizen facilities, ResearchMatch, and word of mouth. Eligibility criteria included being 18 to 100 years old, providing informed consent, English proficiency, stable medication regimen, at least an eighth-grade education, and regular access to a personal email account.

The analyzed data encompassed a screening session (consent, health/cognitive status, demographics), a 30-day at-home period where participants completed questionnaires (including computer literacy) and received two simulated phishing emails daily as part of the PHishing Internet Task (PHIT), and a follow-up in-lab session. During the lab session, participants completed the Short Phishing Email Suspicion Test (S-PEST), a battery of cognitive functioning measures, and provided dried blood samples for APOE4 allele status determination. Upon completing all study components, participants received compensation up to $430 and were fully debriefed regarding the true purpose of the study. All participants subsequently granted permission for their data to be used.

Measures

This section details the specific measures employed in the study, encompassing phishing email detection paradigms, cognitive functioning assessments, and genetic testing for APOE4.

Phishing Email Paradigms

The study utilized two primary paradigms to assess email phishing detection:

  • PHishing Internet Task (PHIT): PHIT involved 120 simulated phishing emails developed by the research team, each personalized and containing a link to a landing page requesting information. Participants received a subset of 60 emails (two daily for 30 days) to their personal inboxes. Email send-outs were scheduled to mimic typical work and leisure times. The PHIT infrastructure recorded participant interactions, including email opens, link clicks, and information submissions on landing pages. Susceptibility in PHIT was calculated as the sum of these actions (0-3), with higher scores indicating greater real-life susceptibility. Figure 1A illustrates the PHIT paradigm, where participants unknowingly received simulated phishing emails over 30 days, and interactions were recorded. Figure 1B shows a sample personalized phishing email from PHIT.

  • Short Phishing Email Suspicion Test (S-PEST): S-PEST comprised 40 emails (20 safe, 20 phishing) sampled for diversity in legitimacy, source, and presence of links/attachments. Participants were instructed to rate each email's suspiciousness on a four-point scale. Email presentation was randomized, with each email displayed for 120 seconds. S-PEST was scored using standard signal detection theory to compute discrimination ability (d′), where higher scores indicated a greater ability to differentiate between phishing and safe emails. Figure 1C provides a schematic of the S-PEST display, where participants rated each email on suspiciousness.

Cognitive Functioning Measures

A battery of tests assessed participants' cognitive abilities:

  • Automated Operation Span (OSPAN) task: This computerized task measured working memory capacity by requiring participants to solve math problems while remembering unrelated letters in sequence. The absolute OSPAN score, summing trials where all letters were recalled in correct serial order, was used for analysis.

  • Brief Test of Adult Cognition by Telephone (BTACT): The BTACT assessed seven cognitive subscales. Episodic memory was measured by Word List Immediate and Delayed Recall. Working memory was assessed via Digit Span Backwards, requiring reverse repetition of number strings. Verbal fluency involved listing items from a category. Task-switching ability was measured by the Stop and Go Switch Task. Inductive reasoning was assessed with Number Series, and speed of processing with Backward Counting.

  • Quantity–Accuracy Profile (QAP): This 60-item general knowledge questionnaire measured semantic memory functioning. The free-report accuracy score, reflecting the number of correct answers divided by the total reported answers, was used.

Blood Sampling for APOE Genotyping

Dried blood spots, self-collected under supervision, were used for APOE genotyping. DNA was isolated from Mitra microsampler devices, quantified, and used to determine APOE genotypes (at SNPs rs429358 and rs7412) via TaqMan chemistry. Genotype calls were derived from an automated calling algorithm, confirmed with control samples.

Statistical modeling

Statistical analyses employed regression models applied separately for S-PEST and PHIT outcomes. For the continuous S-PEST discrimination scores (d′), multiple linear regression models were utilized. For the ordinal PHIT susceptibility scores, ordinal logistic regression models were conducted. All regression models included chronological age, its interaction with APOE4 status (carriers vs. non-carriers), and cognitive functioning scores as predictors, along with the main effects of these moderators. To mitigate multicollinearity between cognition scores and chronological age, age covariance was removed from each score, and unstandardized residuals were used as predictors. Participant sex, years of education, income, marital status, and computer literacy scores were included as covariates in all models. Analyses were performed using R version 4.1.2, with figures generated using the ggplot2 and sjPlot packages.
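The residualization step described above, as an added Python example rather than the authors' R code: each cognitive score is regressed on age by ordinary least squares and the unstandardized residual replaces the raw score. The participants and scores are constructed, and the function names are hypothetical.

```python
from math import sqrt

# Constructed sample: nine participants, two of them aged 71.
AGES = [22, 31, 45, 58, 63, 71, 71, 78, 85]
BATTERY = {
    "ospan_absolute": [62, 55, 58, 40, 47, 33, 45, 38, 25],
    "digit_span_backwards": [6, 7, 5, 5, 6, 4, 5, 4, 3],
}


def pearson(x, y):
    """Pearson correlation of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / sqrt(sxx * syy)


def residualize(scores, ages):
    """Remove the linear age trend from scores; return unstandardized residuals."""
    n = len(scores)
    if n != len(ages) or n < 3:
        raise ValueError("need matching score and age lists with at least 3 rows")
    mean_age, mean_score = sum(ages) / n, sum(scores) / n
    sxx = sum((a - mean_age) ** 2 for a in ages)
    if sxx == 0:
        raise ValueError("age has no variance; nothing to residualize against")
    slope = sum((a - mean_age) * (s - mean_score)
                for a, s in zip(ages, scores)) / sxx
    intercept = mean_score - slope * mean_age
    # Residual = observed score minus the score predicted from age alone,
    # left in the original score units (not divided by its standard deviation).
    return [s - (intercept + slope * a) for a, s in zip(ages, scores)]


def residualize_battery(ages, battery):
    """Residualize every cognitive measure in the battery against age."""
    return {name: residualize(scores, ages) for name, scores in battery.items()}


def age_correlations(ages, battery):
    """Return {measure: (r with age before, r with age after residualizing)}."""
    residuals = residualize_battery(ages, battery)
    return {name: (pearson(battery[name], ages), pearson(residuals[name], ages))
            for name in battery}


if __name__ == "__main__":
    for name, (raw_r, resid_r) in age_correlations(AGES, BATTERY).items():
        print(f"{name}: r(raw, age) = {raw_r:.2f}, r(residual, age) = {resid_r:.2f}")
```

After residualizing, each score carries only the part of cognition that age does not predict, so the two 71-year-olds still differ by their full 12-point OSPAN gap while the score's correlation with age drops to zero.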


Introduction

Financial fraud is a common form of mistreatment experienced by older adults. While individuals of any age can be targeted, older adults often experience greater monetary losses from these scams. In 2021, for example, the Federal Bureau of Investigation (FBI) reported that over 92,000 older individuals were victims of fraud, resulting in $1.7 billion in losses—a significant increase from the previous year. Such financial losses can severely impact the health and independence of older adults.

Despite accumulating life experience, older adults often experience declines in fluid cognition, which involves processing information, integrating it, and solving problems. This decline can lead to reduced decision-making abilities and increased vulnerability to deception. For instance, declines in memory, processing speed, and working memory have been linked to higher self-reported scam susceptibility. Additionally, reduced sensitivity to negative emotional cues may contribute to poorer deception detection with age. Neurobiological changes associated with aging also play a role, as financially exploited older adults have shown thinning in brain regions involved in processing emotional stimuli.

The risk of financial exploitation is further heightened in older adults who have Alzheimer's disease (AD). Studies indicate that individuals with mild cognitive impairment (MCI) and AD experience reduced financial capacity, lower scam awareness, and increased self-reported susceptibility to scams compared to age-matched peers. Cognitive decline, changes in brain structure, and the accumulation of certain proteins related to AD pathology are all factors contributing to scam susceptibility in these individuals. However, less is known about scam vulnerability in generally healthy older adults who are at risk of developing AD, particularly those who carry the apolipoprotein E e4 (APOE4) allele, a significant AD risk factor linked to poorer cognition and brain changes.

The widespread adoption of digital technology presents new contexts and risks for aging individuals. Email phishing, a prevalent deception method, incurs substantial costs for individuals and society. The FBI reported phishing as one of the most common internet scams, affecting hundreds of thousands of victims and resulting in millions of dollars in losses. Phishing emails are frequently used by fraudsters targeting older adults, who often hold influential positions, possess significant retirement savings, and make critical financial and health decisions. Therefore, understanding the risk factors for detecting phishing emails is crucial to mitigate broad societal impacts.

Increased attention has been given to age-related changes in phishing email susceptibility due to growing online risks. Previous naturalistic field experiments, which involved sending simulated phishing emails to participants without their knowledge, have consistently shown an age-related increase in vulnerability to phishing. However, lab-based studies measuring phishing detection performance have produced mixed results, with some showing reduced discrimination ability with age and others reporting greater detection among older adults. There is a clear need for studies that combine lab-based assessments with real-world behavior to develop ecologically valid measures of phishing susceptibility in aging. While memory decline may contribute to increased phishing susceptibility with age, current knowledge about contributing factors remains limited.

This study used a novel approach, the PHishing Internet Task (PHIT), to assess real-life susceptibility to phishing behaviors. Over 30 days, participants unknowingly received simulated phishing emails in their personal inboxes, and their interactions (opening emails, clicking links, submitting information) were recorded. Participants also completed the Short Phishing Email Suspicion Test (S-PEST), a lab-based task requiring them to rate the suspiciousness of emails. Additionally, participants underwent a comprehensive cognitive assessment and were genotyped for the APOE4 allele to determine their AD risk status.

This research aimed to investigate how age, AD genetic risk, and cognitive status contribute to increased susceptibility to email phishing. The study critically used both lab-based and real-life phishing tasks to validate a new, easy-to-administer paradigm (S-PEST) with potential for clinical application. Researchers hypothesized that phishing email detection would decline with older age in both lab and real-life settings, and that older age, APOE4-positive status, and lower cognitive functioning would increase phishing susceptibility. It was also anticipated that these findings would transfer from lab to real-life phishing contexts.

Results

Participants

The analysis included 182 adults ranging from 18 to 90 years of age. All participants were healthy, without a history of unstable medical illness or primary degenerative neurological disorders, and those over 55 years had normal cognitive functioning based on screening. The sample included 46 individuals (25%) who carried at least one copy of the APOE4 allele and 136 individuals (75%) without an APOE4 allele, a distribution consistent with previous research.

Older age, APOE4-positive status, and lower cognitive functioning predicted worse phishing detection

Separate regression models were conducted for S-PEST and PHIT, with chronological age, APOE4 status, and cognitive scores as predictors, while controlling for participant sex, education, income, marital status, and computer literacy. S-PEST scores measured the ability to discriminate between phishing and safe emails, with higher scores indicating better detection. PHIT scores represented susceptibility, with higher scores indicating greater vulnerability to real-life phishing.

The models revealed that chronological age significantly impacted phishing detection in both lab and real-life settings. Specifically, the ability to distinguish between phishing and safe emails in S-PEST decreased with age (B = −0.008, t = −3.83, P < 0.001), and older age was associated with greater susceptibility to phishing emails in PHIT (B = 0.027, z = 3.12, P = 0.002).

Furthermore, a significant interaction was found among chronological age, APOE4 status, and cognitive functioning (S-PEST: B = 0.008, t = 2.12, P = 0.036; PHIT: B = −0.035, z = −2.03, P = 0.042). This three-way interaction indicated that older age and lower working memory predicted reduced discrimination performance in S-PEST and increased susceptibility in PHIT, but only among APOE4 carriers (S-PEST: B = 0.009, t = 2.34, P = 0.027; PHIT: B = 0.041, z = 2.05, P = 0.040). This effect was not observed in APOE4 noncarriers. No other significant effects were found.

Reduced email phishing detection in the lab was related to increased email phishing susceptibility in real life

Performance in the lab-based S-PEST and the real-life PHIT was significantly correlated (r = −0.21, P = 0.006). This suggests that individuals with a lower ability to distinguish between phishing and safe emails in the lab were more likely to fall for phishing emails in real-life scenarios.

Discussion

The increasing prevalence of internet use has made online deception, such as email phishing, a major public health concern. This can lead to severe financial and psychological consequences, particularly for aging individuals. Although some prior research has reported an age-related increase in phishing vulnerability, findings have been mixed, with some studies suggesting improved detection with age.

The newly developed PHIT paradigm provided a real-life behavioral measure of phishing susceptibility, extending beyond self-report data. This tool offered ecological validity by assessing participants' vulnerability in their everyday lives. Importantly, this real-life measure (PHIT) correlated with phishing detection in the controlled lab environment (S-PEST). This study, uniquely combining S-PEST and PHIT, observed an age-related decline in phishing email detection across both assessment contexts. Furthermore, findings indicated that lower cognitive function combined with a higher genetic risk for developing Alzheimer's disease (AD) contributed to greater phishing susceptibility in older adults. Reduced phishing detection was notably pronounced among older individuals who were APOE4 carriers and had lower working memory, aligning with research suggesting that decision-making under risk can be impaired early in AD progression.

Working memory emerged as the primary cognitive factor influencing phishing vulnerability among older APOE4 carriers, unlike other cognitive measures such as reasoning or processing speed. Working memory involves maintaining goals and manipulating task-relevant information, which are general cognitive operations. Working memory impairments are among the earliest cognitive declines in healthy aging and reliably predict the progression from mild cognitive impairment to AD. While speculative, it is possible that working memory declines have a greater impact on deception detection in older adults in the early stages of AD pathology, a risk increased for APOE4 carriers. This suggests that future interventions aimed at reducing deception risk in aging could include working memory training for older individuals with the APOE4 allele.

Previous research on phishing susceptibility has used various methods, from lab-based assessments to naturalistic field experiments. This study advanced prior work by establishing the ecological validity of S-PEST as an in-lab measure, demonstrating a link between S-PEST and PHIT performance. Individuals who performed poorly on S-PEST were more susceptible to real-life phishing. This finding complements earlier work showing that emails rated as more suspicious in the lab were more likely to phish individuals in the real world. Future efforts could refine S-PEST using item response theory to identify the most sensitive items for detecting online deception and exploitation risk, facilitating its use as a diagnostic tool in clinical and practical settings.

While this study offers crucial insights into risk profiles for email phishing vulnerability, its scope has limitations. Future research should consider a broader and more specific analysis of various individual and contextual factors contributing to deception risk and intervention design. For example, exploring socioemotional factors like depression and social isolation could reveal how these variables exacerbate deception risk in older adults. A more extensive cognitive characterization, including measures of complex problem-solving and decision-making, would help delineate the specific roles of various cognitive capacities in phishing detection among older adults. Furthermore, assessing participants' perceived and objective financial status, such as household income and assets, would be beneficial to determine their impact on phishing susceptibility, particularly as this study did not focus specifically on financial exploitation.

The current study also used APOE4-positive status as a single genetic indicator for AD risk. Future studies could benefit from obtaining genome-wide polygenic risk scores and additional biomarkers (e.g., amyloid-β, tau protein levels, blood-based biomarkers) to enhance the depth of investigation into cognitive disease-related risk profiles and deception. Additionally, this study used a cross-sectional design with a sample that was primarily non-Hispanic White, well-educated, and largely female. Future research should employ longitudinal or cross-sequential designs with diverse adult lifespan samples to differentiate age from cohort effects and ensure broader generalizability of findings.

Interestingly, older age was associated with greater variability in phishing detection ability, consistent with growing evidence of increased performance variability among older adults. This pattern might be due to greater age-related variation in socioemotional processes (e.g., theory of mind, loneliness) or in brain structure and function relevant to deception detection (e.g., insula). Systematically identifying such moderating variables in future research will inform the design of interventions aimed at reducing exploitation risk among older adults. Future studies that specifically delineate the cognitive, socioemotional, and brain-related characteristics of older adults with particularly poor or strong phishing detection abilities (e.g., by comparing "super agers" and "poor agers") will further enhance understanding of risk versus protective profiles.

This study makes a significant and unique contribution by adopting a more naturalistic, real-life, behavior-based approach to determine phishing susceptibility across different adult ages. It also identifies crucial risk factors: age, genetic risk for AD, and cognitive status. Important future extensions of this work include recruiting community-dwelling older adults who are particularly vulnerable (e.g., those who have been or continue to be victims of fraud) and those from disadvantaged backgrounds, a population segment currently understudied regarding exploitation. Prospective studies are also needed to predict future fraud susceptibility based on lab-generated risk profiles. Integrating public records will be essential to address challenges with underreporting of exploitation and underestimated base rates. Machine learning approaches in behavioral analytics will further facilitate consumer behavior profiling and fraud risk detection. Finally, transferring this knowledge to community and policy stakeholders (e.g., elder community care, law enforcement) will be vital.

Conclusion

This research offers critical insights into the mechanisms of online deception risk, which can inform public health efforts to reduce financial exploitation and optimize prevention strategies for older adults. The study significantly advances understanding of older age, the presence of the APOE4 allele, and lower working memory as risk factors contributing to fraud and exploitation in cyberspace. By integrating in-lab and real-life measures of phishing susceptibility, this work represents an important first step in developing easy-to-administer, ecologically valid assessment tools for individuals particularly at risk of neurodegenerative disease. Finally, while current training and warning solutions for online scams often assume a one-size-fits-all approach, this study suggests that an individualized strategy is necessary to assist particularly vulnerable aging individuals in navigating the online world.

Materials and methods

This paper presents findings from a broader project on deception susceptibility in aging. All procedures received approval from the University of Florida's Institutional Review Board, and participants provided written informed consent. Participants were informed the study concerned "understanding themselves and others" and involved at-home sessions via Zoom, lab visits, and questionnaires sent to their personal email. To avoid influencing behavior, participants were not told they would receive simulated phishing emails.

Participants were recruited from the community in North Central Florida, aged 18 to 100 years, English-speaking, on stable medication regimens, with at least an eighth-grade education, and regular access to a personal email account. The study comprised three main components: an initial screening session to gather consent, assess health and cognitive status, and collect demographic data; a 30-day at-home period during which participants completed online questionnaires and unknowingly received two simulated phishing emails daily as part of the PHishing Internet Task (PHIT); and a follow-up in-lab session where they completed the Short Phishing Email Suspicion Test (S-PEST), a series of cognitive functioning measures, and provided dried blood samples for APOE4 allele status determination. Participants received compensation upon study completion and were fully debriefed about the study's true purpose, with all granting permission for their data to be used.

The data analyzed included measures from two phishing paradigms (PHIT and S-PEST) to assess email phishing detection, a battery of cognitive functioning measures, and dried blood samples for APOE4 genotyping. PHIT involved sending 60 simulated phishing emails over 30 days, designed to mimic real phishing attempts, personalized with the participant's first name, and directing them to a landing page requesting information. The PHIT infrastructure recorded whether participants opened emails, clicked links, or submitted information, with susceptibility computed as the sum of these actions. S-PEST was a lab-based task where participants rated the suspiciousness of 40 emails (20 safe, 20 phishing) on a four-point scale. This task was scored using signal detection theory to calculate discrimination ability, where higher scores indicated a greater ability to distinguish between phishing and safe emails.

Cognitive functioning was assessed using several measures. The Automated Operation Span (OSPAN) task measured working memory capacity by requiring participants to solve math problems while remembering sequences of letters. The Brief Test of Adult Cognition by Telephone (BTACT) assessed various cognitive domains, including episodic memory (word list recall), working memory (Digit Span Backwards), verbal fluency, task-switching ability, inductive reasoning, and processing speed. Semantic memory functioning was measured using the Quantity–Accuracy Profile (QAP), a general knowledge questionnaire. APOE4 genotyping was performed using self-collected dried blood spot samples to determine the presence of specific APOE alleles.

Statistical analyses used regression models for S-PEST (multiple linear regression for continuous d′ scores) and PHIT (ordinal logistic regression for ordinal susceptibility scores). All models included chronological age, APOE4 status (carriers vs. noncarriers), and cognitive functioning scores as predictors, along with participant sex, education, income, marital status, and computer literacy as covariates. To manage multicollinearity, cognitive scores were residualized for age. Analyses were conducted using R statistical software.


Introduction

Financial scams are a common and serious problem for older adults. While people of all ages can be targeted, older individuals often suffer greater financial losses. These losses can severely affect their health and ability to live independently. Despite a lifetime of experience, older adults may experience declines in their ability to think quickly, process information, and make decisions, which can make them more vulnerable to deception. Changes in short-term memory, processing speed, and awareness of warning signs, along with certain brain changes, contribute to this increased susceptibility.

Alzheimer's disease (AD) significantly increases the risk of financial exploitation in older adults. Studies show that individuals with even mild cognitive impairment (MCI) and AD have reduced ability to manage finances and are less aware of scams. Declines in thinking skills, changes in brain structure, and the buildup of a specific protein in the brain also make individuals with MCI and AD more prone to scams. Less is known about healthy older adults who are at risk of developing AD, such as those with a specific gene called APOE4. This gene is a strong risk factor for AD and has been linked to changes in brain areas connected to scam vulnerability, even before any clear signs of AD appear.

The rapid move to a digital world creates new risks for older individuals. For example, scam emails, known as "phishing," have become a popular way to deceive people, leading to huge costs. Phishing emails are often used by fraudsters to target older adults. While older adults make up about 17% of the U.S. population, they often have significant retirement savings and hold important positions. Deceiving these individuals online can have a wide impact on society, so it is important to find out what makes people vulnerable to phishing emails.

Because of growing online risks, researchers have been studying how a person's age affects their vulnerability to phishing emails. Studies conducted in real-life settings have generally shown that older age increases vulnerability to these scams. However, studies done in a lab have had mixed results, sometimes showing older adults are less able to tell the difference, and other times showing they are better at it, or even that younger adults are more easily fooled. To better understand these differences, there is a clear need to combine both lab-based tests and real-world observations.

This study aimed to investigate how age, genetic risk for Alzheimer's (APOE4), and cognitive status affect a person's ability to detect scam emails. Researchers used two main methods: the PHishing Internet Task (PHIT), which involved sending simulated phishing emails to participants' home inboxes over 30 days, and the Short Phishing Email Suspicion Test (S-PEST), a lab-based task where participants rated the suspiciousness of emails. Cognitive abilities were also assessed, and APOE4 status was determined from blood samples. The study hypothesized that the ability to detect phishing emails would decrease with age, both in lab and real-life settings. It was also predicted that older age, having the APOE4 gene, and lower cognitive function would increase vulnerability to phishing, and that these findings would apply to both lab and real-life situations.

Results

Participants

The study included 182 adults, aged 18 to 90 years. All participants were in good health and showed normal mental function for their age, as determined by a cognitive screening test. About one-quarter of the participants (46 individuals) had at least one copy of the APOE4 gene, while the remaining three-quarters (136 individuals) did not. The age of participants with the APOE4 gene averaged 42 years, while those without the gene averaged 48 years, and most participants were female. This breakdown of participants with and without the APOE4 gene is consistent with what has been observed in other studies.

Older age, APOE4-positive status, and lower cognitive functioning predicted worse phishing detection

Researchers analyzed the results from both the lab-based S-PEST and the real-life PHIT tasks. For S-PEST, higher scores meant a greater ability to tell the difference between scam and safe emails. For PHIT, higher scores indicated greater vulnerability to phishing emails in real life. The analysis revealed that as people aged, their ability to tell the difference between scam and safe emails in the lab (S-PEST) decreased. Similarly, older age was linked to being more vulnerable to phishing emails in real-life situations (PHIT).

The study also found a complex relationship among age, APOE4 status, and cognitive function. Specifically, older age combined with lower working memory (a type of short-term memory crucial for mental tasks) predicted a reduced ability to spot scam emails. However, this effect was only seen in individuals who carried the APOE4 gene, meaning they are at a higher genetic risk for Alzheimer's disease. Among participants who did not carry the APOE4 gene, age and working memory did not significantly impact their ability to detect phishing. This pattern was consistent for both the lab-based and real-life phishing tasks.

Reduced email phishing detection in the lab was related to increased email phishing susceptibility in real life

The results also showed a connection between performance in the lab and in real life. Participants who were less able to tell the difference between scam and safe emails in the lab-based S-PEST task were also more likely to fall for phishing emails when tested in real-life situations using PHIT. This suggests that the lab test is a good indicator of real-world vulnerability to phishing.

Discussion

Increased internet use has made online deception, like email phishing, a major public health concern. These scams lead to serious financial and psychological problems, especially for older adults. While previous research has shown that older age often increases vulnerability to phishing, some studies have had mixed results regarding how well older adults can actually detect these scams.

This study used a new real-life task, PHIT, to measure how vulnerable people are to phishing scams in their daily lives. This new method provides more realistic data. The study found that this real-life measure was linked to results from the controlled lab test (S-PEST). Both tests showed that the ability to detect phishing emails decreased with age. The findings also showed that a combination of lower cognitive abilities and a higher genetic risk for Alzheimer's disease increases susceptibility, particularly for older individuals with the APOE4 gene and lower working memory.

Interestingly, the study highlighted working memory as the key cognitive skill affecting phishing vulnerability among older APOE4 carriers. Working memory is a fundamental skill for many mental tasks and is often one of the first cognitive abilities to decline in healthy aging. While speculative, this suggests that declines in working memory might have a greater impact on spotting scams for older adults who are in early stages of Alzheimer's-related brain changes. Therefore, future efforts to reduce scam risks could include working memory training for older individuals who carry the APOE4 gene.

This study also showed that the lab-based S-PEST is a good indicator of real-life phishing vulnerability, as poor performance in S-PEST was linked to greater susceptibility to actual phishing in PHIT. This finding supports the development of S-PEST as a simple, effective diagnostic tool to identify individuals at risk of online deception.

While this study provided important insights into factors linked to phishing vulnerability, it had a limited scope. Future research should look at a wider range of individual and situational factors, such as social and emotional aspects or more detailed assessments of complex problem-solving. This study also focused on APOE4 as the only genetic risk factor for Alzheimer's and included a specific participant group (mostly well-educated, non-Hispanic White women at one point in time). Future studies should use more comprehensive genetic markers, follow people over time, and include a more diverse group to ensure broader applicability of findings. Additionally, older adults showed more variation in their phishing detection ability, suggesting a need for future research to identify factors that explain these differences and to compare those exceptionally good at spotting scams with those who are particularly poor.

Conclusion

In conclusion, this study offers important insights into what makes people vulnerable to online deception. The findings are crucial for public health efforts aimed at reducing financial exploitation and improving prevention strategies for older adults. This research notably advances understanding of how older age, the presence of the APOE4 gene, and lower working memory contribute to fraud and exploitation in the digital world. By integrating both lab-based and real-life measures of phishing vulnerability, the study has taken a vital first step in developing easy-to-use and realistic assessment tools for those at higher risk of brain diseases that worsen over time. Finally, while current training and warnings for online scams often assume a single approach works for everyone, this work suggests that a more personalized approach is needed to help vulnerable older individuals navigate the online world safely.

Materials and methods

This study was part of a larger project on deception vulnerability in aging. All procedures were approved by the University of Florida's Institutional Review Board, and participants gave written consent. Participants were told the study was about understanding themselves and others, involving at-home Zoom sessions, lab visits, and emails. They were not informed about receiving simulated phishing emails to ensure natural behavior. Participants were recruited from North Central Florida, aged 18-100, English-speaking, on stable medication, with at least an eighth-grade education, and regular email access. The study included an initial screening (health, cognitive status, demographics), a 30-day at-home period where they unknowingly received simulated phishing emails, and a follow-up lab session for cognitive tests and blood samples. Participants were compensated and debriefed about the study's true purpose, with all granting permission for their data to be used.

Two main tasks measured email phishing detection. The PHishing Internet Task (PHIT) involved sending 60 simulated phishing emails to participants' personal inboxes over 30 days. The study's system recorded whether participants opened the emails, clicked on any links, or submitted information on the linked pages, with higher scores indicating greater vulnerability. The Short Phishing Email Suspicion Test (S-PEST) was a lab-based task where participants rated 40 emails (half scam, half safe) on their suspiciousness. A score, called d′, was calculated to show how well each participant could tell the difference between scam and safe emails.
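A d′ score of the kind described above can be computed as follows. This is an added example, not the study's own scoring code. The 1-5 rating scale, the flag threshold of 4, the log-linear correction, the criterion value c and all sample ratings are assumptions constructed for illustration.

```python
from statistics import NormalDist

_z = NormalDist().inv_cdf  # inverse of the standard normal CDF


def sdt_scores(ratings, is_phish, threshold=4):
    """Return (d_prime, criterion) for one participant.

    ratings   -- suspiciousness rating per email (assumed 1-5 scale)
    is_phish  -- True where the email was a phishing email
    threshold -- rating at or above which an email counts as flagged (assumed)
    """
    if len(ratings) != len(is_phish):
        raise ValueError("ratings and labels differ in length")
    n_phish = sum(is_phish)
    n_safe = len(is_phish) - n_phish
    if n_phish == 0 or n_safe == 0:
        raise ValueError("need both phishing and safe emails")

    flagged = [r >= threshold for r in ratings]
    hits = sum(f and p for f, p in zip(flagged, is_phish))
    false_alarms = sum(f and not p for f, p in zip(flagged, is_phish))

    # Log-linear correction keeps both rates off 0 and 1, where z is infinite.
    hit_rate = (hits + 0.5) / (n_phish + 1)
    fa_rate = (false_alarms + 0.5) / (n_safe + 1)

    d_prime = _z(hit_rate) - _z(fa_rate)             # discrimination
    criterion = -0.5 * (_z(hit_rate) + _z(fa_rate))  # response bias
    return d_prime, criterion


# Constructed ratings for 40 emails: 20 phishing followed by 20 safe.
IS_PHISH = [True] * 20 + [False] * 20
CAREFUL = [5] * 18 + [2] * 2 + [4] * 2 + [1] * 18  # 18 hits, 2 false alarms
FLAG_ALL = [5] * 40                                 # flags every email
PERFECT = [5] * 20 + [1] * 20                       # no errors at all

if __name__ == "__main__":
    for name, r in (("careful", CAREFUL), ("flag_all", FLAG_ALL),
                    ("perfect", PERFECT)):
        d, c = sdt_scores(r, IS_PHISH)
        print(f"{name:9s} d'={d:5.2f}  c={c:5.2f}")
```

The participant who flags every email catches all 20 phishing emails yet gets a d′ of 0, because the false-alarm rate is just as high. That is why a discrimination score is more informative than a raw count of phishing emails caught.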

Participants also completed a battery of cognitive tests to assess various mental abilities. These included measures of short-term memory (working memory) through tasks like the Automated Operation Span (OSPAN) and Digit Span Backwards (part of the Brief Test of Adult Cognition by Telephone, BTACT). Long-term memory (episodic memory) was assessed with word list recall tasks. Other BTACT tests measured how quickly participants could process information, their verbal fluency (how easily they could list words), reasoning skills, and ability to switch between tasks. Semantic memory was assessed using the Quantity–Accuracy Profile (QAP) general knowledge questionnaire.

Finally, genetic risk for Alzheimer's disease was determined by analyzing participants' blood samples to identify the presence of the APOE4 gene. Blood was self-collected by participants under supervision and then analyzed for specific genetic markers.

The study used statistical methods called regression models to analyze the data. Separate models were run for S-PEST and PHIT results. These models looked at how age, APOE4 status, and cognitive scores predicted phishing detection, while also accounting for other factors like sex, education, income, marital status, and computer literacy. Scores for cognitive function were adjusted to remove any overlap with age before being used in the analysis.

Introduction

Getting tricked out of money is a serious problem for older adults. While anyone can be targeted by scammers, older people tend to lose more money. In 2021, over 92,000 older adults lost about $1.7 billion to fraud, which was a big increase from the year before. Losing money this way can really harm an older person's health and ability to live on their own.

As people get older, their brains change. It can become harder to process new information, solve problems, and make quick decisions. This can make older adults more likely to be scammed. For example, some studies show that if an older person has trouble with memory or thinking quickly, they might be more likely to fall for a scam. Also, older adults might not react as strongly to warning signs, making it harder for them to spot a lie.

Brain changes from conditions like Alzheimer's disease can make the risk of financial trickery even higher. Studies show that older adults with mild memory problems or Alzheimer's often have more trouble handling money and spotting scams. Even people who are healthy but have a higher chance of getting Alzheimer's, like those with a specific gene (APOE4), might be more open to scams before they show clear signs of the disease.

Today, many people use the internet, which creates new risks. Phishing emails are a common trick, where scammers send fake emails to get personal information. These emails cause a lot of money loss. Many older adults use the internet and often have savings or important jobs. If they fall for a phishing scam, it can have wide-reaching negative effects.

Because of these growing online risks, experts are studying how aging affects a person's ability to spot fake emails. Some studies found that older adults are more likely to fall for phishing emails when tested in real-life settings. However, other studies done in a lab have had mixed results. There is a need for new ways to test people that connect what happens in a lab to what happens in real life.

Results

The study included 182 adults aged 18 to 90 years. All participants were healthy and had normal thinking skills for their age. About a quarter of the people in the study had at least one copy of the APOE4 gene, which increases the risk for Alzheimer's disease. The rest did not have this gene.

The study found that older age made it harder to spot phishing emails, both in a lab test and in real-life situations. As people got older, they were less able to tell the difference between real and fake emails in the lab. They also fell for more fake emails in their personal inbox.

The study also found that age, the APOE4 gene, and thinking skills all worked together to affect how well people spotted phishing emails. Older people who had the APOE4 gene and lower "working memory" (a type of thinking skill used for holding and using information) had more trouble telling fake emails from real ones. This was true in both the lab test and in real-life situations. This connection was not seen in older adults who did not have the APOE4 gene.

The study showed a clear link between doing poorly on the lab test and falling for more fake emails in real life. This means that if someone had trouble spotting scams in the lab, they were more likely to be tricked by phishing emails in their everyday life.

Discussion

The increase in internet use has made online tricks like phishing emails a big public health concern. These scams can lead to serious money loss and emotional problems. Previous studies have shown mixed results about how aging affects spotting these fake emails.

This study used a new way to measure how people react to phishing in real life, called PHIT, by sending fake emails to their personal inboxes. This allowed the study to see how people really act. The results from this real-life test also matched the results from a lab test called S-PEST. This is important because it means the lab test can give a good idea of what happens in the real world. The study found that older adults had more trouble spotting fake emails in both test settings.

The findings also showed that a person's risk for falling for scams can depend on their age, their genes related to Alzheimer's, and their thinking skills. Specifically, older people who had the APOE4 gene and weaker "working memory" (a type of thinking ability) were more likely to be tricked by phishing emails. This matches other research that suggests decision-making problems can start early in Alzheimer's.

Working memory seemed to be the most important thinking skill linked to being tricked among older adults with the APOE4 gene. Working memory helps people keep track of information and complete tasks. It is one of the first thinking skills to decline as people age and can be an early sign of Alzheimer's risk. This suggests that helping older adults improve their working memory might reduce their risk of falling for scams, especially if they carry the APOE4 gene.

This study also helps make the S-PEST lab test useful for real-world situations, showing that if someone does poorly on it, they are more likely to be fooled in real life. Future work can improve this test to make it an easy way to check for online scam risk in clinics and doctors' offices.

While this study gives important information about who is at risk, it also has some limits. Future studies should look at more things, like how feelings, loneliness, or a person's financial situation might affect their risk. It would also be good to study people from many different backgrounds and follow them over time. Also, the APOE4 gene is only one factor; future studies could look at more genetic information or other signs of brain changes.

Conclusion

This study offers important insights into the risks of online trickery. It helps us understand how being older, having the APOE4 gene, and having lower working memory can make older adults more likely to be victims of scams online. By bringing together lab tests and real-life measures, this work also helps create new, easy ways to test people who might be at higher risk for brain diseases. Finally, the study suggests that a "one-size-fits-all" approach to warning people about scams might not work. Instead, a more personal approach is needed to help older adults stay safe online.

How the Study Was Done

The information for this paper came from a larger project about how people are tricked as they age. All steps of the study were approved by a special review board, and all participants agreed to take part. Participants were told the study was about how they understand themselves and others, but they were not told that they would receive fake phishing emails. This was done so their actions would be natural.

People for the study were recruited from the community. They were adults aged 18 to 100, spoke English, were in stable health, had at least an eighth-grade education, and used a personal email account regularly.

The study had different parts. First, there was a screening visit to check general health and thinking skills and gather basic information. Next, for 30 days, participants completed online surveys at home and, without knowing it, received two fake phishing emails each day to their personal email as part of the PHIT test. After that, they had an in-lab visit where they did the S-PEST test, other thinking skill tests, and gave a small blood sample to check for the APOE4 gene. After the study was over, participants learned the real purpose of the study and were paid for their time.

The study looked at how well people detected fake emails using two tests: the PHIT, which sent fake emails to their personal inbox, and the S-PEST, where they rated emails as safe or suspicious in a lab setting. They also measured different thinking skills, like memory and how fast people processed information. The APOE4 gene was checked using blood samples. All the information was then carefully analyzed using statistical methods to find connections between age, genes, thinking skills, and the ability to spot phishing emails.

Footnotes and Citation

Pehlivanoglu, D., Shoenfelt, A., Hakim, Z., Heemskerk, A., Zhen, J., Mosqueda, M., Wilson, R. C., Huentelman, M., Grilli, M. D., Turner, G., Spreng, R. N., & Ebner, N. C. (2024). Phishing vulnerability compounded by older age, apolipoprotein E e4 genotype, and lower cognition. PNAS Nexus, 3(8), pgae296. https://doi.org/10.1093/pnasnexus/pgae296
