Ernst & Young published cybersecurity report full of hallucinations

smartmic | 1 pts | 0 comments

Investigation: Hallucinations in Ernst & Young Report on Loyalty Fraud | GPTZero

GPTZero Investigations · Exclusive

Chasing the Hallucinations

Ernst & Young (EY) Canada published a cybersecurity report on loyalty program safeguards. We chased down every citation. Most were hallucinated.


Om Ogale, Paul Esau, Alex Cui

May 14, 2026


Earlier this year, an engineer at GPTZero coined the term “vibe citing” to describe the accidental creation of fake references via LLM hallucinations. It turns out that the friction of creating and checking citations is leading many researchers, consultants, lawyers, and public officials to embrace the vibe (if you know what we mean).

Among the converts are the authors of a 2025 Ernst & Young report titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. This report, stuffed with fake citations and inaccurate claims, is surfacing in newspapers, blog posts, and AI search overviews, poisoning the data that both human researchers and AI agents rely on.

GPTZero began targeting vibe citations with our Hallucination Check tool in 2025, which we used to further investigations into a government publication, two different Deloitte reports, and prestigious machine learning / artificial intelligence conferences like NeurIPS and ICLR. Over the past few months we've set up an automated pipeline to search for vibe citations by finding and scanning public reports from major consulting firms. What we've found suggests that the vibe citing epidemic is already endemic, even among the major players.

Instead of releasing our results all at once, we're going to focus on one report at a time. This approach both prevents individual examples being overlooked and allows us to illustrate the negative impacts of vibe citing on research quality and public trust.

EY Tower, Toronto — as seen from GPTZero’s office

On the menu: Ernst & Young (EY)

Ernst & Young is one of the “big four” global consulting firms, providing accounting and consulting services to governments and private entities from 150 offices around the world. The Canadian member firm (EY Canada) provides millions of dollars of services to the Canadian government annually.

In late 2025, EY Canada published a 44-page report on cyber security titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. While credited to three employees (two partners and one senior manager), the document is a collage of vibe citations, misattributions, fake statistics, and AI-written text.

Cover — EY 'Points of Attack' report

Why the Vibes Are Bad

EY Canada’s report doesn’t use footnotes or normal academic citations. Instead, it references sources directly in the text and/or includes them in a resources table (p. 41-43). This table provides a source title, description, and URL for all sources, as well as the publisher and date in certain cases. Almost all of the URLs are broken or fake, and more than half of the titles don’t correspond to real sources.

GPTZero uses a very specific definition of vibe citation because of the potential reputational cost (to both us and the report’s authors) of false positives. One of our team members manually verified Hallucination Check’s results to ensure their accuracy.


GPTZero AI Scan: 72% AI

Airline Loyalty Breach: BleepingComputer
Description: Report on credential stuffing attacks that compromised millions of airline loyalty accounts.
URL: https://www.bleepingcomputer.com/news/security/airline-mileage-accounts-hacked-in-credential-stuffing-attacks/
Status: Hallucinated
Finding: URL returns a 404 error. The article has been removed or never existed at this path.

AI Voice Deepfakes Targeting Call Centers
Description: Explains how attackers use AI-generated voices to exploit customer service workflows.
URL: https://www.wired.com/story/voice-deepfakes-ai-scams/
Status: Hallucinated
Finding: URL returns a 404 error. No Wired article exists at this path.

Gartner Market Trends – Loyalty Fraud
Description: Strategic guidance on fraud evolution in digital loyalty programs and mobile wallets.
URL: https://www.gartner.com/en/documents/4000201
Status: Hallucinated
Finding: This Gartner document does not exist. The URL resolves to the main site, and no Gartner publication matches this title.

Forbes – The $200 Billion Loyalty Economy
Description: Business case for loyalty programs as financially significant digital assets.
URL: https://www.forbes.com/sites/blakemorgan/2023/10/18/the-200-billion-loyalty-economy/
Status: Hallucinated
Finding: URL is broken, and, while Blake Morgan has written articles for Forbes, none of the titles match. This 2020 Forbes article uses the phrase "$200 billion loyalty economy".

McKinsey & Company – Loyalty Economics Report (2022)
Description: Estimates $200 billion in unredeemed rewards globally.
URL: https://www.mckinsey.com
Status: Hallucinated
Finding: Report doesn't exist.

Cisco Talos: API Attacks on Retail
Description: Insights into insecure API exploitation in commerce and loyalty systems.
URL: https://blog.talosintelligence.com/api-abuse-retail/
Status: Hallucinated
Finding: URL...
