Ernst & Young's Major Cybersecurity Report Exposed as AI-Generated Hallucination Riddled with Fake Citations
Key Takeaways
- ▸Ernst & Young's 44-page 'Points of Attack' cybersecurity report contains dozens of fake citations, nonexistent sources, and fabricated statistics, despite being published as authoritative professional research
- ▸The phenomenon of 'vibe citing' (AI-generated fake citations) is endemic across major professional firms, government agencies, and academic institutions—not an isolated problem
- ▸Hallucination-infected reports already circulating in newspapers, blogs, and AI search results are poisoning the information ecosystem for both human researchers and AI systems
Summary
A 2025 Ernst & Young cybersecurity report on loyalty systems and fraud has been exposed as heavily AI-generated and filled with fabricated citations, nonexistent sources, and contradictory statistics. The 44-page report, officially credited to three EY employees and published by EY Canada, exemplifies a widespread phenomenon called "vibe citing"—the accidental creation of fake academic and industry references through LLM hallucinations. GPTZero's investigation revealed that nearly all URLs in the report's source table are broken or fake, and more than half of the cited sources do not exist. The report has already circulated widely through newspapers, blogs, and AI-powered search tools, poisoning information sources relied upon by researchers, policymakers, and AI systems alike.
This discovery is part of a broader pattern GPTZero has identified across major consulting firms, government publications, and academic conferences. The investigation suggests the "vibe citing epidemic" is endemic even among prestigious, well-resourced organizations. EY Canada, which provides millions of dollars in annual services to the Canadian government, appears to have prioritized speed and cost savings over quality verification when producing this research. The report's text scans as entirely AI-generated, riddled with common LLM errors including fake statistics, misattributions, and internal logical contradictions that would be caught by any competent human reviewer.
- The case reveals critical gaps in quality control and professional accountability in how major consulting firms deploy generative AI tools without proper verification safeguards
Editorial Opinion
This is a watershed moment for professional accountability in the AI era. When the "Big Four" consulting firm Ernst & Young publishes a report that reads like it was generated by a malfunctioning chatbot—yet still reaches newspapers, policy makers, and AI systems—we're witnessing a systemic failure. The problem isn't just sloppy work; it's the normalization of unverified AI-generated content in spaces that require rigor and truth. Unless major firms establish mandatory hallucination detection, human verification workflows, and accountability standards for AI-assisted research, we should expect this to become the industry default rather than a scandal.
