EY Canada cybersecurity report riddled with AI-hallucinated citations and fake stats

A 44-page Ernst & Young Canada report on loyalty system fraud, Points of Attack, is laced with fabricated citations, contradictory statistics, and AI-generated text, according to an analysis by GPTZero. Most URLs in the report’s resource table are broken or fake, and over half of the source titles do not correspond to real documents. The executive summary pegs the global loyalty points market at $200 billion citing a nonexistent Forbes article, while page 10 reassigns that same $200 billion figure to unredeemed points only — a contradiction propped up by an invented McKinsey report that also appears verbatim in an obscure fintech blog, suggesting the Big Four firm laundered a low-quality source into a professional publication.

Other claims show the same pattern: a 72% fraud statistic is attributed to two different companies on different pages, with the actual origin traceable to a 2017 Ipsos survey, and an 89% fraud increase figure is inconsistently scoped between pages. GPTZero argues this kind of “vibe citing” — accidentally generating fake references via LLMs — is becoming endemic among major consulting firms. The report has already been syndicated through a Canberra Times piece reaching 60+ Australian newspapers, and AI search tools including Claude, ChatGPT, and Perplexity are now surfacing its hallucinated claims as fact.

The broader concern is data poisoning. Publishing fabricated information under a trusted brand contaminates the corpus that both human researchers and AI deep-research agents draw from, with the latter being especially vulnerable because they weight source authority differently than humans. GPTZero is pitching its Hallucination Check tool — already used to screen submissions at conferences like ICLR and IJCAI — as a defense against the trend.