Ernst & Young published cybersecurity report full of hallucinations
Recorded: May 30, 2026, 8 p.m.
| Original | Summarized |
Investigation: Hallucinations in Ernst & Young Report on Loyalty Fraud | GPTZero

Chasing the Hallucinations

Ernst & Young (EY) Canada published a cybersecurity report on loyalty program safeguards. We chased down every citation. Most were hallucinated.

Om Ogale, Paul Esau, Alex Cui
May 14, 2026

Earlier this year, an engineer at GPTZero coined the term “vibe citing” to describe the accidental creation of fake references via LLM hallucinations. It turns out that the friction of creating and checking citations is leading many researchers, consultants, lawyers, and public officials to embrace the vibe (if you know what we mean).

Among the converts are the authors of a 2025 Ernst & Young report titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. This report, stuffed with fake citations and inaccurate claims, is surfacing in newspapers, blog posts, and AI search overviews, poisoning the data that both human researchers and AI agents rely on.

GPTZero began targeting vibe citations with our Hallucination Check tool in 2025, which we used to further investigations into a government publication, two different Deloitte reports, and prestigious machine learning / artificial intelligence conferences like NeurIPS and ICLR. Over the past few months we've set up an automated pipeline to search for vibe citations by finding and scanning public reports from major consulting firms. What we've found suggests that the vibe citing epidemic is already endemic, even among the major players.

Instead of releasing our results all at once, we're going to focus on one report at a time. This approach both prevents individual examples being overlooked and allows us to illustrate the negative impacts of vibe citing on research quality and public trust.

[Image: EY Tower, Toronto — as seen from GPTZero’s office]

On the menu: Ernst & Young (EY)

Ernst & Young is one of the “big four” global consulting firms, providing accounting and consulting services to governments and private entities from 150 offices around the world. The Canadian member firm (EY Canada) provides millions of dollars of services to the Canadian government annually.

In late 2025, EY Canada published a 44-page report on cyber security titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. While credited to three employees (two partners and one senior manager), the document is a collage of vibe citations, misattributions, fake statistics, and AI-written text.

[Image: Cover — EY 'Points of Attack' report]

Why the Vibes Are Bad

EY Canada’s report doesn’t use footnotes or normal academic citations. Instead, it references sources directly in the text and/or includes them in a resources table (p. 41-43). This table provides a source title, description, and URL for all sources, as well as the publisher and date in certain cases. Almost all of the URLs are broken or fake, and more than half of the titles don’t correspond to real sources.

GPTZero uses a very specific definition of vibe citation because of the potential reputational cost (to both us and the report’s authors) of false positives. One of our team members manually verified Hallucination Check’s results to ensure their accuracy.

[Results widget: "0 of 27 references hallucinated" (counter as captured); GPTZero AI Scan: 72% AI]

Airline Loyalty Breach: BleepingComputer
Report on credential stuffing attacks that compromised millions of airline loyalty accounts.
https://www.bleepingcomputer.com/news/security/airline-mileage-accounts-hacked-in-credential-stuffing-attacks/
Hallucinated: URL returns a 404 error. The article has been removed or never existed at this path.

AI Voice Deepfakes Targeting Call Centers
Explains how attackers use AI-generated voices to exploit customer service workflows.
https://www.wired.com/story/voice-deepfakes-ai-scams/
Hallucinated: URL returns a 404 error. No Wired article exists at this path.

Gartner Market Trends – Loyalty Fraud
Strategic guidance on fraud evolution in digital loyalty programs and mobile wallets.
https://www.gartner.com/en/documents/4000201
Hallucinated: This Gartner document does not exist. The URL resolves to the main site, and no Gartner publication matches this title.

Forbes – The $200 Billion Loyalty Economy
Business case for loyalty programs as financially significant digital assets.
https://www.forbes.com/sites/blakemorgan/2023/10/18/the-200-billion-loyalty-economy/
Hallucinated: URL is broken, and, while Blake Morgan has written articles for Forbes, none of the titles match. This 2020 Forbes article uses the phrase "$200 billion loyalty economy".

McKinsey & Company – Loyalty Economics Report (2022)
Estimates $200 billion in unredeemed rewards globally.
https://www.mckinsey.com
Hallucinated: Report doesn't exist.

Cisco Talos: API Attacks on Retail
Insights into insecure API exploitation in commerce and loyalty systems.
https://blog.talosintelligence.com/api-abuse-retail/
Hallucinated: URL returns a 404 error. Cisco Talos has no blog post at this path.

TechCrunch: Loyalty Program Breaches
News coverage on incidents involving compromised reward accounts and user data.
https://techcrunch.com/tag/loyalty-program/
Hallucinated: The URL points to a generic TechCrunch tag page for "loyalty-program", not an article about loyalty program breaches.

Wired: API Security Gaps
Exploration of overlooked API vulnerabilities in consumer-facing digital services.
https://www.wired.com/story/api-security-risks-retail/
Hallucinated: URL returns a 404 error. No Wired article exists at this path.

During our previous analysis of academic conference submissions, we found that many authors primarily used AI to generate and format their references, resulting in papers with vibed citations but low AI text scores overall.

However, it’s hard to find human fingerprints in Points of Attack — harder, even, than finding a human-written LinkedIn post. Not only does the text scan as AI-generated, it’s riddled with common LLM errors like fake statistics, misattributions, and internal contradictions.

EY Report, Page 4: A bold claim in the executive summary
In the report’s Executive Summary, its authors claim the global loyalty points market is $200 billion, and that 30–50% of those points go unused.

EY Report, Page 42: A fake Forbes citation
The citation we just looked at supports the author's original claim of a $200 billion global market.

EY Report, Page 10: A contradictory claim
Yet on page 10, the $200 billion figure is now the estimate of unredeemed loyalty points, not the collective value of all points globally. Since the authors have already claimed that up to 50% of points are unredeemed, this new statistic requires a global market value of at least $400 billion.

EY Report, Page 43: A second fabricated citation: McKinsey
A few rows down, a fabricated McKinsey & Company report provides evidence for the latter claim — $200 billion as the value of unredeemed points globally. Two invented citations, two incompatible numbers.

We chased the source of this McKinsey citation back to an obscure fintech blogpost by Financial IT, which was published six months earlier.

Financial IT, Page 1: A similar claim
Six months before EY’s report, a blog post on the obscure U.K. fintech magazine Financial IT claims that "more than $200 billion in points sit idle each year." The language is nearly identical to the EY report.

Financial IT, Page 3: The vibes are identical
The blog’s sources section cites "McKinsey & Company: Loyalty Economics Report (2022)" — a report that does not exist. This fabricated citation appears verbatim in the EY report’s reference table, laundering an invented source from a low-quality blog into a Big Four publication.

Some of the report’s most dubious claims weren’t even cited at all.

EY Report, Page 6: The source is attributed to Paystone
On page 6, the authors claim that 72% of customer loyalty programs have reported theft or fraud. This fact is attributed to a 2019 post by the Canadian payment processor Paystone.

EY Report, Page 11: Actually, the source is Forter
However, on page 11, the same statistic is attributed to a different source — the unusually-named “NRF 2020 summary” published by the digital fraud prevention company Forter. Neither of these sources are included in the report’s reference table. In fact, while the statistic is referenced on both the Paystone and Forter pages, the original source seems to be a 2017 survey by Ipsos.

Contradicting references, low-quality sources, and out-of-date statistics are all indications of AI slop.

EY Report, Page 6: The 89% claim
On page 6, the authors claim that loyalty program fraud attacks have increased 89% since 2019.

EY Report, Page 11: A specific source for this claim
Yet on page 11, this 89% increase is limited to a single year, 2018 to 2019, and the statistic is attributed to a specific source: the Forter Fraud Attack Index. Surprisingly, this source both exists and partially confirms the second version of the claim. However, like many of the sources used in the EY report, it is substantially out of date. Poorly paraphrased statistics are also a sign of AI slop.

Why Vibes Matter

It’s difficult to measure the public impact of EY’s report. Points of Attack seems to have made few waves in Canada; however, it was recently referenced in a Canberra Times article that was syndicated to more than 60 newspapers across Australia. It may also have circulated through client briefings, internal decks, and other proprietary media that aren’t in the public domain. Yet vibe citations don’t just deceive readers or corporate audiences — they also have another, more insidious, impact.

Publishing a report online is essentially a form of data injection into the pool of knowledge that is the internet. When the report includes fake information (either vibed citations or false claims) it can “poison the well” by misleading future researchers, especially if the report is published by a well-known consulting firm and hosted on a high-traffic website.

This risk has been aggravated by the emergence of AI “deep research” tools which rely on different signals than humans when choosing sources and are therefore more vulnerable to data poisoning.

Fake information poisons the well and misleads future researchers, especially when published by a well-known consulting firm. Claude, ChatGPT, and Perplexity all surface hallucinations from EY's flawed report.

“What is the average time to detect loyalty fraud?”

Conclusion

GPTZero is Chasing the Vibe (Citations)

Our research over the past few months proves that vibe citing is a clear and present danger to researchers, academics, consultants, and (frankly) anyone who drinks from the digital pool by searching the web. Our Hallucination Check tool is our answer to this threat: a way to identify vibe citations and hallucinations without manually checking every citation. It is already being used to screen submissions by elite academic conferences like IJCAI, ICLR, and ICSE.

Now, more than ever, it's crazy to accept citations on faith — even those from a reputable source like Ernst & Young.

Try GPTZero’s Hallucination Check for yourself, or reach out to GPTZero’s team.

Written by Om Ogale |
An investigation into the reliability of information derived from large language models and public reports has focused on the phenomenon of "vibe citing," which describes the accidental creation of false references through hallucinations. This issue is particularly relevant as researchers, consultants, lawyers, and public officials rely heavily on cited sources, making the presence of fabricated data a significant threat to the integrity of the digital knowledge pool. This concern was highlighted by the fact that authors of various documents, including a 2025 Ernst & Young report, have incorporated these hallucinations, poisoning data upon which both human researchers and artificial intelligence agents depend. The investigation involved tracing these fabricated references within the Ernst & Young (EY) Canada report titled Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems. The report, despite being published by a major global consulting firm, was found to be a collage containing vibe citations, misattributions, fake statistics, and text generated by artificial intelligence. The report, which typically avoids formal academic citations, instead uses a resources table that lists sources, many of which were found to be either broken, non-existent, or drastically misrepresented. For instance, several cited URLs returned error messages, and numerous source titles did not correspond to real publications. Furthermore, the analysis uncovered instances of contradictory claims and the laundering of invented sources. For example, the report made claims regarding the global loyalty points market, but subsequent analysis revealed conflicting figures regarding the total market value and the proportion of unused points. The investigation also tracked a claim attributed to a McKinsey & Company report, which was traced back to an obscure blog post, demonstrating how low-quality information can be injected into high-level publications. 
Similarly, statistics regarding loyalty program fraud, such as the 89 percent increase since 2019, were attributed to various sources, some of which were substantially outdated or incorrectly linked. These discrepancies indicate that the flaws stem not only from simple errors but from a systemic issue where easily generated content from large language models is integrated into professional documentation. The negative impact of vibe citing extends beyond deceiving individual readers; it poses an insidious risk to the collective body of knowledge. By publishing reports filled with fabricated information, especially those from reputable firms, these documents contribute to data poisoning in the internet. This is exacerbated by the rise of AI deep research tools, which rely on signals that can be more vulnerable to such data contamination than human verification processes. The findings suggest that the standard of citation on faith is unsustainable, necessitating tools to detect these subtle errors. Consequently, GPTZero developed a Hallucination Check tool to systematically identify vibe citations in public reports, aiming to provide a method for screening information without requiring exhaustive manual checks. This work, along with the investigation into the EY report, serves as a demonstration that confronting AI-generated misinformation is critical for maintaining research quality and public trust in the digital information landscape. |
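
The failure modes the investigation lists for the reference table (a 404, a URL that resolves to the site's home page, a bare domain cited as a report, a tag page cited as an article) can be triaged mechanically before the manual verification it describes. The following Python is an added example, not GPTZero's Hallucination Check or pipeline; the fetch results are constructed to mirror the outcomes reported above, and the `example.org` rows, the reason labels and the listing-segment set are assumptions.

```python
from urllib.parse import urlsplit

# Constructed fetch results: (cited_url, http_status, final_url_after_redirects).
# The first four URLs are quoted from the reference table above; statuses and
# final URLs are assumptions mirroring the outcomes the investigation reports.
SAMPLE_FETCHES = [
    ("https://www.wired.com/story/voice-deepfakes-ai-scams/", 404,
     "https://www.wired.com/story/voice-deepfakes-ai-scams/"),
    ("https://www.gartner.com/en/documents/4000201", 200,
     "https://www.gartner.com/en"),
    ("https://www.mckinsey.com", 200, "https://www.mckinsey.com/"),
    ("https://techcrunch.com/tag/loyalty-program/", 200,
     "https://techcrunch.com/tag/loyalty-program/"),
    ("https://example.org/reports/fraud-index-2019", 200,   # constructed control
     "https://example.org/reports/fraud-index-2019"),
    ("https://example.org/paywalled/article", 403,          # constructed control
     "https://example.org/paywalled/article"),
]

LISTING_SEGMENTS = {"tag", "tags", "category", "topic", "topics", "search"}

def _segments(url):
    return [s for s in urlsplit(url).path.split("/") if s]

def _is_site_root(url):
    segs = _segments(url)
    # "/" or a lone two-letter locale segment such as "/en" counts as the home page
    return not segs or (len(segs) == 1 and len(segs[0]) == 2)

def triage(cited_url, status, final_url):
    """Return why a reference needs manual review, or None if the URL looks specific."""
    if status in (401, 403, 429):
        return "blocked-recheck"      # bot blocking or paywall: not evidence of fabrication
    if status in (404, 410):
        return "not-found"
    if status >= 400:
        return "http-error"
    if _is_site_root(cited_url):
        return "bare-domain"          # cites a whole site, not a document
    if _is_site_root(final_url):
        return "redirected-to-home"   # soft 404: the path did not survive redirects
    if _segments(final_url)[0] in LISTING_SEGMENTS:
        return "listing-page"         # tag or search index, not an article
    return None

def review_queue(fetches):
    """Map each flagged URL to its reason; URLs that pass are omitted."""
    return {url: reason for url, status, final in fetches
            if (reason := triage(url, status, final))}
```

A `None` result says only that the URL is live and specific; whether the page's title and content match the citation still needs the manual verification the investigation describes.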