By Heidi Mitchell
Be vigilant: we- are seeing a rise in increasingly sophisticated cybersecurity scams targeting investors of all ages.
Older adults have become one of the fastest-growing targets for cybercrime. From pension and investment fraud to romance scams and increasingly convincing AI-driven deepfakes, attackers are finding new ways to exploit retirees online.
According to the Federal Bureau of Investigation’s Internet Crime Complaint Center, Americans over the age of 60 reported more than 147,000 frauds in 2024, with losses of around $4.8 billion—far higher than any other age group. And the true numbers are likely greater because many victims are too ashamed to report that they fell for a scam.
But the reasons retirees are vulnerable aren’t always what people assume. To better understand why cybercriminals target retirees, we spoke to Pam Briggs, a professor of applied psychology at Northumbria University in Newcastle, England, who has done extensive research on the topic.
Here are edited excerpts of the conversation:
The Stereotype
WSJ: What do people get wrong about why retirees are vulnerable to cyberattacks?
PAM BRIGGS: People tend to have a stereotyped image of retired people—frail, digitally illiterate, isolated and unable to cope. Those factors can play a part, but what people forget is that older adults are an extremely diverse group, including when it comes to technical literacy.
WSJ: Your research suggests retirement itself is a cybersecurity risk factor. Why?
BRIGGS: When we started researching this, we thought about the way things like social and technical support gets lost in retirement and asked how those losses could translate into cybersecurity vulnerabilities. In the workplace you’re constantly exposed to information about scams and new technologies. You hear about problems from colleagues, you see what tools people are using and what apps are popular. When you leave that environment, much of that informal support disappears, and information sources about cybersecurity can become more unreliable.
But one thing that really stood out in our research was a loss of confidence. People start to doubt their ability to do things for themselves. Once confidence drops, they become reluctant to try new things—even installing software or updates—because they worry they might “break the computer” or do something wrong.
There is also sometimes a sense of shame about asking for help. People may hesitate to talk to a professional or even a neighbor. Quite often they actually do have the knowledge, especially if they worked in technology, but they become nervous about making changes to their devices.
WSJ: Does the loss of workplace security routines lead to retirees letting down their guard?
BRIGGS: In many workplaces, our research shows you’re regularly reminded about cyber threats. You might receive alerts about ransomware attacks, be required to update passwords every six months or complete annual cybersecurity training.
Once you leave that environment, it is a lot to maintain on your own, and we do see a kind of vigilance fatigue. Many people also assume they won’t be targeted because they are just individuals. They think attackers wouldn’t be interested in them, that they aren’t valuable targets. But attackers can target hundreds of thousands of people at once, especially now with AI. Even a small payoff per victim can make those attacks worthwhile. But keeping up with all the cyber-related threats in the world can become a little overwhelming, to the point where people may just put their heads in the sand and switch off completely from thinking about cybersecurity.
Creating Dependency
WSJ: How does a smaller support network affect retirees’ vulnerability?
BRIGGS: Retirees have diverse support networks. Some have a grandchild who will say, “Just give it here, I’ll fix it,” and quickly take over the phone or laptop. That may solve the immediate problem, but it can create dependency and make the older person feel inadequate. If someone fixes something very quickly, you may not be able to follow what they did. Asking for a step-by-step explanation, can bring feelings of embarrassment or a lack of confidence.
The best forms of support avoid that dependency and seek to help people understand both the threat and the action they might take to counter that threat. My colleagues have been involved in setting up more supportive local networks where they train older “cybersecurity guardians” who can share that knowledge with peers in a way that doesn’t reinforce those feelings of incompetence.
WSJ: Where do most retirees find out about cyber threats?
BRIGGS: In one of our studies we looked at where older adults get their information, and the radio turned out to be quite important. People hear stories about cyberattacks while listening. The problem is that these sources usually focus on the threats, not the solutions.
Radio presenters rarely explain practical steps such as the importance of accepting updates, using two-factor authentication or creating strong passwords. If people hear only the horror stories without clear actions, it can become overwhelming and they may simply switch off from thinking about cybersecurity.
WSJ: Retirement also means gaining lots of free time. Does that create new risks?
BRIGGS: People sometimes get bored in retirement after losing their daily work routine, and so may download a range of apps and games or join new online communities that they didn’t participate in before. Some of these apps operate on a freemium model where users exchange data for access to services. Many older adults understand there is a privacy trade-off, but they may not fully explore the risks.
We heard from some retirees who took on new responsibilities, like managing Facebook groups or websites for community organizations or charities because they had a little bit of technical experience in their work lives. These are rewarding activities but they can create new risks, especially if people have only a limited understanding of cyber threats. One person’s actions can then impact the security of the whole organization, introducing new vulnerabilities. I’d like to see more resources available for older people taking on these responsibilities.
How to Fix Things
WSJ: How can retirees reduce their cyber risk?
BRIGGS: One practical step is to buy new devices and have them set up properly in the shop, ideally with a support package so you can return for help without feeling embarrassed. It is expensive, but it can make a big difference. Our research shows that financial factors can be important, and that there is clearly a divide between people using hand-me-down devices with weaker security settings and those with newer equipment. Resetting older devices isn’t always straightforward, so getting things configured correctly from the start helps.
Using two-factor authentication and password managers are excellent protections, of course, But if that feels too complex, creating passwords from three random dictionary words can still be strong and easier to remember. Keeping them written down somewhere safe in the house isn’t a terrible solution. But the worst thing is to use the same password for every account.
Libraries are quite good at knowing the latest technology and threats and often offer digital literacy training. Local universities or academic websites sometimes run courses on cyber hygiene. I’d like to see more community programs helping older people build digital skills and cybersecurity knowledge in retirement.
