ISJ hears exclusively from Niall McConachie, Regional Director (UK & Ireland) of Yubico about why Gen Z are the most at risk of phishing attacks.
For decades, the prevailing wisdom in cybersecurity has been relatively simple with people believing that older generations are less familiar with the rapid evolution of digital technology and therefore are the most vulnerable to online scams.
We made the assumption that digital natives – people who grew up with a smartphone in hand – had an inherent immunity to cyber-threats given their familiarity with technology.
However, findings from Yubico’s latest Global State of Authentication Report reveal a surprising paradox that challenges this assumption.
While younger generations are indeed the fastest to adopt modern security tools like multi-factor authentication (MFA), they are also, by a significant margin, the most likely to fall victim to social engineering and phishing attacks.
The research paints a complex picture of the modern threat landscape.
Gen Z are not merely click-happy; they are navigating a sophisticated web of social engineering that specifically targets their digital behaviours.
For security professionals and business leaders, understanding this generational divide is no longer just an academic exercise; it is a critical imperative for securing the modern enterprise.
The click-happy paradox
One of the most concerning findings from Yubico’s recent research is the sheer scale of phishing vulnerability among younger users, with data revealing that Gen Z are nearly three times more vulnerable to phishing than baby boomers.
62% of Gen Z respondents admitted to interacting with a phishing message – whether by clicking a link, opening an attachment or responding – within the last year.
In stark contrast, only 23% of baby boomers reported doing the same.
This statistic upends the stereotype of the older user, reluctant to familiarise themselves with technology, as the most vulnerable.
In fact, baby boomers appear to be protected by their hesitation.
This generation's reluctance to interact with unsolicited messages or navigate unfamiliar digital terrain serves as an accidental but effective defence mechanism.
On the other hand, Gen Z’s comfort with digital communication makes them a prime target.
They live in an always-on environment where speed is currency.
When looking at why respondents were tricked, the generational motivations diverged sharply. Gen Z were most likely to be fooled because they were “in a rush” (28%) or because the malicious message offered a “valuable opportunity”, such as a job offer or prize (19%).
Baby boomers, on the other hand, were rarely swayed by urgency or opportunity but were most susceptible to messages that appeared to come from a “trusted source”.
The AI blind spot
This vulnerability to phishing is exacerbated by the rise of artificial intelligence (AI) in cyber-crime.
Organised crime groups are increasingly using AI tools to supercharge their scams, making phishing emails and messages virtually indistinguishable from legitimate communication.
Also notable is that younger generations appear to suffer from overconfidence regarding their ability to detect these AI-generated threats.
When presented with an AI-generated message, 38% of Gen Z confidently believed it was written by a human.
Conversely, baby boomers were more sceptical with only 21% making the same mistake.
This overconfidence is a critical weakness.
Gen Z typically exhibits high usage of MFA: 71% use it for personal accounts compared to just 51% of baby boomers.
Yet, this technical layer has not immunised them against social engineering.
If a user can be tricked into handing over a one-time passcode (OTP) or approving a push notification because they believe they are interacting with a legitimate entity, the security protocol is rendered useless.
The specific ways in which Gen Z interacts with technology also open new avenues for attackers. Unlike older generations, who may primarily encounter phishing via email, Gen Z is fighting a multi-front war.
Yubico research shows they are significantly more likely to interact with phishing attempts via methods such as scanning QR codes (13% vs 4% for boomers) and social media messages (24% vs 14% for boomers).
Furthermore, the consequences of these interactions are severe. When Gen Z falls for a scam, they are disclosing highly sensitive personal data.
Approximately 26% of Gen Z respondents who divulged information to a phisher accidentally revealed their phone number and nearly 20% disclosed their date of birth.
This level of personal data exposure lays the groundwork for identity theft and increasingly sophisticated spear-phishing attacks that can easily bleed into the workplace.
The enterprise implication
For chief information security officers (CISOs) and business leaders, this data serves as a warning.
As Gen Z comprises an increasingly large portion of the workforce, their personal digital habits inevitably become enterprise security risks.
The boundaries between personal and professional devices are blurring as employees frequently access work applications on personal devices.
If the most tech-native generation in history is falling for phishing attacks at such high rates, reliance on employee vigilance and phishing awareness training is clearly insufficient.
Business leaders cannot train their way out of this persistent problem. When a user is in a rush or when an AI-generated message is perfectly tailored to their interests, human error is inevitable.
Moving beyond blame: A strategy for resilience
The narrative must shift from blaming users to empowering them with security tools that work. Organisations must move towards phishing-resistant MFA.
The clear successor to the legacy password and the phishable OTP is the physical passkey. Passkeys represent a fundamental shift in how we approach authentication.
In their most secure form, they are device-bound and stored on a physical hardware security key rather than a remote server.
Crucially, passkeys bridge the gap between security and usability that Gen Z demands.
They work by pairing a public key, which the service stores, with an unguessable private key that never leaves the device.
As the authentication is bound to the specific domain, a passkey simply will not work if a user is tricked into clicking a link to a fraudulent website.
The authentication fails and the attacker is stopped in their tracks, regardless of how convincing the AI-generated lure might be.
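The domain binding described above, shown as an added example rather than code from Yubico or this article: a small Python model of a WebAuthn-style passkey login in which the authenticator holds the private key, the relying party holds only the public key, and the browser (not the web page) writes the origin into the data that gets signed. Everything here is an assumption for illustration: the names Authenticator, RelyingParty and browser_login are hypothetical, the origins accounts.example.com and accounts-example.com are constructed, and textbook RSA over two fixed Mersenne primes stands in for the fresh per-site ECDSA key a real security key generates.

```python
# Added example, not Yubico's code: why a domain-bound passkey fails on a phishing site.
# The authenticator keeps the private key and the relying party (RP) stores only the public
# key; every login signs rpIdHash || SHA-256(clientData), and the BROWSER, not the page,
# writes clientData (challenge + origin). Textbook RSA over two fixed Mersenne primes stands
# in for the fresh per-site ECDSA key a real security key generates; illustration only.
import hashlib
import json
import secrets

_P, _Q, _E = (1 << 127) - 1, (1 << 521) - 1, 65537  # demo key; n > 2^256 so a digest fits
DEMO_PUBLIC = (_P * _Q, _E)
DEMO_PRIVATE = (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))

def sign(private, msg):
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)

def verify(public, msg, sig):
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def rp_id_of(origin):
    """Effective domain of an origin: scheme, path and port stripped."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

class Authenticator:
    """Hardware key (hypothetical model): a private key per RP ID that is never exported."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, private_key)

    def register(self, rp_id):
        cred_id = secrets.token_hex(16)
        self._creds[rp_id] = (cred_id, DEMO_PRIVATE)  # a real key generates a fresh pair here
        return cred_id, DEMO_PUBLIC

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:  # "no passkey for this site"
            return None
        cred_id, private = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        sig = sign(private, auth_data + hashlib.sha256(client_data).digest())
        return {"id": cred_id, "clientData": client_data, "authData": auth_data, "sig": sig}

def browser_login(key, origin, challenge):
    """The browser writes clientData itself and scopes the key to the page's RP ID."""
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                    sort_keys=True).encode()
    return key.get_assertion(rp_id_of(origin), cd)

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, rp_id_of(origin)
        self.public_keys, self.pending = {}, {}

    def issue_challenge(self, user):
        self.pending[user] = secrets.token_hex(32)
        return self.pending[user]

    def verify_assertion(self, user, a):
        """Return (accepted, reason); checks run in the order a WebAuthn server applies them."""
        expected = self.pending.pop(user, None)  # a challenge is single use, pass or fail
        if a is None:
            return False, "no assertion produced"
        public = self.public_keys.get(a["id"])
        if public is None:
            return False, "unknown credential"
        cd = json.loads(a["clientData"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected:
            return False, "wrong ceremony type, stale challenge or replay"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        if a["authData"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = a["authData"] + hashlib.sha256(a["clientData"]).digest()
        if not verify(public, signed, a["sig"]):
            return False, "bad signature"
        return True, "ok"

def demo():
    """Genuine login, a look-alike-domain login, and a client that released the key anyway."""
    key, rp = Authenticator(), RelyingParty("https://accounts.example.com")  # constructed
    cred_id, public = key.register(rp.rp_id)
    rp.public_keys[cred_id] = public
    real = rp.verify_assertion("alice", browser_login(key, rp.origin, rp.issue_challenge("alice")))
    # Look-alike domain: the browser derives a different RP ID, so the key is never offered
    # and there is nothing for the victim to hand over, however convincing the page.
    phish = rp.verify_assertion("alice", browser_login(
        key, "https://accounts-example.com", rp.issue_challenge("alice")))
    # A faulty client that released the key regardless: the RP still rejects, because the
    # origin inside the signed clientData is not its own and cannot be edited without
    # breaking the signature.
    cd = json.dumps({"type": "webauthn.get", "challenge": rp.issue_challenge("alice"),
                     "origin": "https://accounts-example.com"}, sort_keys=True).encode()
    relayed = rp.verify_assertion("alice", key.get_assertion(rp.rp_id, cd))
    return real, phish, relayed
```

Running demo() gives one accepted login and two rejections, and the two rejections are the two layers the article alludes to: the browser never offers the key to a domain it was not registered for, and even a client that hands the key over anyway produces an assertion whose signed origin the real site refuses. Neither outcome depends on the user noticing anything about the lure.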
The click-happy paradox of Gen Z is a symptom of a broken security model that relies too heavily on human judgment.
Business leaders do not need to be security experts to recognise that the cost of remediation – which is currently over £14 billion annually for UK businesses – far outweighs the investment in proper authentication.
By embracing modern, phishing-resistant authentication strategies, organisations can protect their data against the vulnerabilities of every generation.
Ultimately, no generation is immune to social engineering and phishing attacks.
However, by acknowledging that being tech-savvy does not equate to being cyber-secure, we can begin to implement the security measures necessary to protect our digital future.
True security requires a combination of healthy scepticism and hardware-backed tools that keep personal and professional data safe – even when we inevitably click.

As regional director, UK & Ireland, at Yubico, Niall McConachie has dedicated more than a decade to working within the cybersecurity and software space.
In his role at Yubico, he aims to change the game for strong authentication by advocating for better authentication technology initiatives throughout the region.
