Phishing someone, even testing them requires legal agreement from them either directly or indirectly such as their employer at least here in the US. Check with a lawyer before even contemplating this further for your own protection. Your relationship to them will not shield you from legal fallout should your parents / siblings catch and report the incident not realizing it was you. Once the government machine starts moving towards something it does not stop even if your family members say oh, nevermind it was a family member.
Consider instead sending them links to examples of people getting popped by phishing sites and that show all the financial losses and headaches involved such as having all their data encrypted, accessed by attackers and then ransomed to get it back. Also consider helping them automate local backups of their data and teach them how to use something like KeypassXC and how to back it up with their data.