Talking to family about online security is one of those conversations that goes wrong in predictable ways. You come in with too much information and they tune out. You lead with fear and they get defensive. You give advice without context and they don’t apply it. Here’s a different approach — one that actually changes behavior.
The main mistake: framing it as a lecture
Most online safety conversations between tech-aware people and their families follow the same pattern: the tech person lists a series of things the family member is doing wrong, explains why those things are dangerous, and offers to fix it. The family member nods, feels vaguely criticized, and doesn’t change anything.
The problem isn’t the information — it’s the framing. Leading with what someone is doing wrong creates defensiveness before you’ve said anything useful. And a list of six security improvements is five too many: people make one change from a list of six, if any.
Start with one specific, low-effort thing
Pick the single change with the best ratio of protection to effort. For most people who haven’t done any security basics, that’s a password manager. Email compromise stems mostly from password reuse, and a password manager fixes it with minimal ongoing friction.
Instead of explaining the whole landscape, try: “I set up a password manager for myself and it’s made things easier — I want to help you set one up if you’re open to it.” Offering help rather than advice shifts the dynamic. You’re doing something for them, not criticizing them.
Sit with them and do the setup together. Don’t just explain — do it while they watch. Having someone guide you through Bitwarden’s setup once is worth more than reading ten articles about password security.
Use a concrete story, not statistics
Statistics about breach volumes don’t land. “3 billion credentials were leaked last year” means nothing to someone who’s never thought about what that means for them personally. A specific story does land: “My colleague’s email got hacked because they reused a password from an old account. Someone got into their email, reset their PayPal password, and moved money before they noticed.”
Real consequences, specific scenario, person like them. This isn’t fear-mongering — it’s using narrative the way human brains actually process risk information. People don’t respond to abstract threat statistics; they respond to stories about people they identify with.
Meet them where they’re most at risk
Different family members face different threats. Older relatives are disproportionately targeted by tech support scams, grandparent scams, and Medicare fraud calls. The conversation there is about recognizing that legitimate companies never call you and demand immediate payment, and that it’s always okay to hang up and call back on a number you looked up yourself.
Teenagers are more likely to overshare on social media, use the same password everywhere, and be targeted by account takeover attempts on gaming platforms. The conversation there is about why using the same password for their gaming account and their email is a bad idea, explained in practical terms rather than as a general rule.
Tailor the conversation to the person’s actual risk. Generic security advice sounds generic. “Here’s why this specifically matters for someone in your situation” sounds relevant.
Create a moment, not a policy
Security conversations that lead to action usually happen in a moment — someone just got a suspicious email, you’re setting up a new phone together, a news story about a breach comes up. Use those moments. “Since we’re setting up your new phone anyway, want me to put a password manager on it?” is more effective than scheduling a security review.
Keep setup simple. The more steps involved, the less likely it sticks. Install Bitwarden, set a master password, save one or two accounts in it. That’s enough for a first session. Don’t try to migrate every password in one sitting.
Make yourself available for follow-up
The most important thing you can do after an initial conversation is make it easy to follow up. “If you get a weird email or something seems off, send it to me before you click anything.” This keeps the conversation going and catches real threats before they become problems. Most people who fall for phishing or tech support scams do so because they didn’t have someone to ask.
The bottom line
One change, done together, with a specific story of why it matters, timed to a natural moment. That’s the formula that actually works. You can’t transfer all your security knowledge to a family member in one conversation. But you can help one specific person avoid one specific type of harm — and that’s worth doing.
