- AI hallucinations riddled EY Canada’s 2025 cybersecurity report, with most citations linking to sources that simply don’t exist.
- AI hallucinations produced fake Forbes and McKinsey references, including one fabricated McKinsey report laundered from a low-quality fintech blog.
- GPTZero’s automated pipeline caught the errors, flagging broken URLs, invented statistics, and internal contradictions across the 44-page document.
- The report is now circulating in news coverage and AI search results, threatening to corrupt data that both humans and AI systems rely on.
- AI hallucinations riddled EY Canada’s 2025 cybersecurity report, with most citations linking to sources that simply don’t exist.
- AI hallucinations produced fake Forbes and McKinsey references, including one fabricated McKinsey report laundered from a low-quality fintech blog.
- GPTZero’s automated pipeline caught the errors, flagging broken URLs, invented statistics, and internal contradictions across the 44-page document.
- The report is now circulating in news coverage and AI search results, threatening to corrupt data that both humans and AI systems rely on.
When a Big Four Firm Publishes AI Hallucinations as Research
AI hallucinations aren’t just a problem for chatbots and student essays anymore. According to a detailed investigation by GPTZero, EY Canada — the Canadian arm of one of the world’s largest professional services firms — published a 44-page cybersecurity report in late 2025 where the majority of citations either link to pages that don’t exist, reference titles that were never published, or point to sources that say something entirely different from what the report claims. The document is called Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems, and it’s credited to two EY partners and a senior manager. It reads, in GPTZero’s words, like it was written without a single human fingerprint.
This isn’t a fringe actor or a startup cutting corners. EY Canada provides millions of dollars in services to the Canadian government annually. When a firm with that kind of institutional weight publishes a report on cybersecurity threats, people pay attention — journalists cite it, government departments read it, and AI-powered search tools index it. The damage from getting it wrong isn’t just reputational. It actively degrades the quality of information downstream.
The Term You Need to Know: Vibe Citing
Earlier this year, an engineer at GPTZero coined the phrase “vibe citing” to describe what happens when someone uses a large language model to generate references without verifying them. The model confidently produces author names, publication titles, URLs, and dates — but many of them are invented. They feel real. They look authoritative. They just don’t exist. It’s the citation equivalent of autocomplete gone wrong, and it’s spreading fast through consulting reports, academic papers, legal filings, and government publications. AI hallucinations are the engine behind this phenomenon, silently minting fake sources at scale.
GPTZero has already documented vibe citing in government publications, two separate Deloitte reports, and submissions to prestigious machine learning conferences including NeurIPS and ICLR. The firm has since built an automated pipeline specifically to scan public reports from major consulting firms for hallucinated references. EY Canada’s loyalty fraud report is its latest — and arguably most striking — find.
What the EY Canada Report Actually Says (and Doesn’t)
The report’s problems start almost immediately. In its executive summary, EY Canada claims the global loyalty points market is worth $200 billion, with 30 to 50 percent of those points going unused. Both figures are sourced to a Forbes article — but AI hallucinations appear to have generated that citation whole cloth. The URL is broken. The article doesn’t exist.
It gets worse. By page 10, the same $200 billion figure reappears, but now it represents the value of unredeemed loyalty points — not the total market. That’s a completely different claim. If up to 50 percent of points go unredeemed and those unredeemed points alone are worth $200 billion, simple arithmetic puts the total market at $400 billion or more. The two statistics can’t both be true, yet they sit a handful of pages apart with no acknowledgment of the contradiction.
A fabricated McKinsey & Company report — titled “Loyalty Economics Report (2022)” — is cited to support the unredeemed-points figure. GPTZero’s investigators found that this fake McKinsey citation appears verbatim in a blog post published roughly six months earlier on a little-known UK fintech publication called Financial IT. That blog post describes “more than $200 billion in points sitting idle each year” in language nearly identical to EY’s text. It cites the same non-existent McKinsey report. The most likely explanation: both documents drew on the same AI-generated content — or the EY report drew directly from the blog, laundering a fabricated source into a Big Four publication without anyone checking whether the McKinsey report existed. Either way, AI hallucinations are the root cause.
The 72% Statistic That Can’t Keep Its Story Straight
Page 6 of the report states that 72 percent of customer loyalty programs have reported theft or fraud, attributed to a 2019 post by Paystone, a Canadian payment processor. Then, on page 11, the same 72 percent figure reappears — but now it’s attributed to something called the “NRF 2020 summary,” published by digital fraud prevention company Forter. Neither source appears in the report’s reference table. Neither URL works. And when GPTZero traced the statistic back further, the likely original source turned out to be a 2017 Ipsos survey — meaning even the sources EY gestured toward were themselves referencing outdated data at best.
The 89 percent claim has a similar problem. Page 6 says loyalty program fraud attacks have increased 89 percent since 2019 — a sweeping multi-year figure with no specific attribution. Page 11 says the same 89 percent increase happened in a single year, from 2018 to 2019, citing the Forter Fraud Attack Index. That source does exist, and it does partially support the narrower claim. But it’s several years out of date, and the two versions of the statistic are flatly incompatible. This kind of slippage — where a number drifts between contexts and timeframes across the same document — is a known signature of AI hallucinations. The model reproduces a figure it’s seen somewhere, approximates a source, and moves on.
AI Hallucinations at Scale: Why This Isn’t Just EY’s Problem
It would be tempting to treat this as an isolated embarrassment for one firm. It isn’t. GPTZero’s investigation explicitly frames EY Canada’s report as a single data point in a much broader pattern. Vibe citing, the firm argues, is already endemic among major players — not an edge case. The friction involved in properly sourcing and fact-checking a report is real, especially when AI tools make the first draft so easy to produce. The temptation to skip verification is obvious. The consequences, until now, have been largely invisible.
The bigger systemic risk is compounding error. EY Canada’s report is already being picked up by newspapers, industry blogs, and AI-powered search summaries. Those AI hallucinations — the fake Forbes article, the invented McKinsey report, the contradictory statistics — are now being indexed and repeated as facts. When another researcher, consultant, or government analyst searches for data on loyalty fraud, they may find EY’s numbers surfaced by an AI overview and cite them in turn, never knowing the original source was fabricated. It’s misinformation that wears a suit.
The Reference Table Problem
EY Canada’s report skips footnotes entirely, opting instead for a resources table on pages 41 to 43 that lists source titles, descriptions, and URLs. Almost all of the URLs are broken or fake. More than half the listed titles don’t correspond to any real publication. This structure — the appearance of rigorous sourcing without the substance — is exactly what makes AI hallucinations so insidious in professional contexts. A busy reader sees a table full of citations and assumes due diligence was done. It wasn’t.
What Happens When No One Checks
There’s a professional services dimension here that deserves more scrutiny. EY isn’t a startup shipping fast and breaking things. It’s a firm where partner sign-off, compliance review, and brand protection are supposedly baked into every client deliverable. The fact that a report this visibly flawed — internally contradictory, stuffed with broken links, citing publications that don’t exist — made it out the door under two partners’ names suggests that AI-generated drafts are moving through review processes without anyone seriously verifying the underlying claims. AI hallucinations thrive precisely in that gap between easy generation and absent verification.
GPTZero says it will continue releasing results one report at a time rather than publishing everything at once, specifically to prevent individual cases from being lost in a flood of examples. That’s a reasonable editorial choice, and it means there are almost certainly more names to come. The question the industry needs to answer isn’t whether AI hallucinations are showing up in professional research — at this point, that’s settled. The question is whether firms like EY will treat this as a wake-up call or wait until a government contract, a legal challenge, or a public scandal forces the issue.
