EY Canada Cybersecurity Report: Are Many Citations Hallucinated by AI?

AI Hallucinations Undermine Trust in

Citations A recent investigation by GPTZero, a company specializing in AI detection tools, has revealed that many of the citations in a cybersecurity report issued by the major consulting firm EY Canada (Ernst & Young Canada) at the end of 2025 were likely fabricated through AI “hallucinations.” This report has already been cited in newspapers, blogs, and even AI-generated search summaries, raising alarms in the industry about the potential contamination of data relied upon by researchers and AI systems.

GPTZero’s Investigation and the Reality of

“Vibe-Sighting” GPTZero refers to fictitious citations accidentally created by large language models (LLMs) as “vibe-sighting.” Since 2025, the company has been using its proprietary “Hallucination Check” tool to analyze citations in government publications, various Deloitte reports, and papers presented at prominent machine learning and AI conferences such as NeurIPS and ICLR. Recently, GPTZero developed an automated pipeline to explore and scan publicly available reports from major consulting firms. This initiative has uncovered a growing trend of vibe-sighting becoming normalized among industry leaders. To ensure individual cases are not overlooked and to concretely demonstrate the adverse effects on research quality and public trust, the company has adopted a strategy of releasing its findings sequentially, focusing on one report at a time.

Fabricated Citations and Misinformation in

the Report The report in question, published by EY Canada at the end of 2025, spans 44 pages and is titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. It credits three of its employees—two partners and one senior manager—as the authors. However, GPTZero’s analysis has concluded that the report is a “collage of vibe-sighting, misattributions, fabricated statistics, and AI-generated text.” Unlike academic papers, the report does not use standard referencing formats like footnotes. Instead, it provides an integrated list of resources on its final pages (41–43), including titles, descriptions, URLs, and sometimes publishers or publication dates. According to GPTZero’s findings, most of the URLs listed in this section were either broken links or entirely fake. Furthermore, the majority of the titles did not correspond to actual sources. GPTZero has strictly defined the criteria for hallucination checks in order to mitigate risks to the report authors’ and its own reputation. Team members manually verified the results to ensure accuracy.

Industry Impacts and Erosion of Trust

Cybersecurity is a critical field that protects the digital assets of businesses and governments. Reports based on analyses and recommendations in this domain are highly trusted by decision-makers and stakeholders. Reports from globally renowned consulting firms like EY, part of the “Big Four,” carry significant authority and can heavily influence policy-making and corporate strategies. However, if the citations and data forming the backbone of such a report are fabricated by AI, the credibility of the entire report collapses. If GPTZero’s findings are accurate, the EY Canada report could lead to misunderstandings about cybersecurity threats and the implementation of ineffective countermeasures. Furthermore, the continued citation of this report in newspapers, blogs, and AI-powered search summaries could degrade the overall quality of information in the digital sphere, creating a phenomenon referred to as “data contamination.” This issue transcends the quality management of a single company. While AI tools can enhance the efficiency of report creation, this case starkly illustrates the dangers of neglecting to verify their outputs. It raises questions about the operational processes and quality assurance systems across the entire consulting industry.

Challenges Ahead and the Need for Solutions

GPTZero has announced its intention to continue similar investigations and release findings incrementally. This issue underscores the growing importance of human oversight and verification in an era of expanding AI utilization. Organizations and research institutions must establish new workflows to thoroughly fact-check AI-generated citations and data in content creation. It is crucial not to bypass the labor-intensive process of manually verifying all sources. Additionally, improving the accuracy of AI detection tools and developing models designed to minimize hallucinations will become increasingly important. Ultimately, it is up to individual information consumers to critically assess the sources and credibility of the information they encounter. The need to redefine information literacy for the AI era is more pressing than ever.