Data poisoning is spreading: Ernst & Young's 44-page cybersecurity report exposed, 16 of 27 citations fabricated by AI

An AI detection company, GPTZero, has exposed major flaws in a 44-page cybersecurity report issued by Ernst & Young (EY) Canada. Of the 27 citations, 16 are AI hallucinations (fabricated or invalid), and about 72% of the report’s text is AI-generated.


AI monitoring company GPTZero made an investigation public in mid-May, finding that EY Canada’s 44-page white paper, Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems, published at the end of 2025, has major shortcomings.

GPTZero checked 27 citations one by one and found 16 hallucinations—more than 70%. The report itself does not use academic footnotes; instead, it uses in-text notations and includes a “resource table” on pages 41 to 43 listing source titles, descriptions, and URLs, with some entries also including the publisher and date.

The issue is in this table: almost all URLs are either invalid or simply do not exist, and more than half of the source titles don’t match any real reference. About 72% of the report’s text is judged to be AI-generated.

Two self-contradictory $200 billion figures

The report’s most direct problem is a set of numbers that are so inconsistent that they almost certainly could not have been written by the same person.

The executive summary claims that “the global loyalty points market size reaches $200 billion,” while also stating that 30 to 50% of points have never been used. Yet on page 10, the report says that “$200 billion” is the total value of “unredeemed points.” If 50% of points are unredeemed and their value is already equal to $200 billion, then the global market size would have to be at least $400 billion—so the two page-level figures contradict each other.

More critically, each of these two numbers comes with its own citation: one fake Forbes and one fake McKinsey.

GPTZero traced “McKinsey & Company: Loyalty Economics Report (2022),” which simply does not exist. Going back half a year, they found nearly identical wording in a Financial IT blog post, which also cites this nonexistent “fake McKinsey report” as the source.

In other words, someone first fabricated an academic citation in a low-traffic blog, and EY’s report later “laundered” it into a Big Four firm publication. This is what’s known as citation-chain contamination.

When large language models replace Google Scholar

GPTZero engineers coined a term for this phenomenon: vibe citing. In short, researchers or consultants are too lazy to verify real sources, so they have AI generate references directly—resulting in a bunch of entries that look like citations but are actually made up out of thin air.

This is the first installment in GPTZero’s investigation series. In recent months, they built automated pipelines that systematically scan public reports from major consulting firms. Preliminary results show that vibe citing has already reached an epidemic level—even industry leaders have been affected.

Data poisoning: a new systemic risk in AI search tools

GPTZero calls the report’s biggest harm “data poisoning.”

Put simply, uploading files containing false information to the internet is like injecting toxins into a shared knowledge pool that everyone contributes to, misleading future researchers and decision-makers. Every year, EY Canada provides the Canadian government with millions of dollars in audit and consulting services. When the publisher is an institution of this caliber and the files are hosted on high-traffic official websites, the toxins spread faster and the resulting erosion of trust is harder to repair.

The report has already caused ripple effects in Australian media: a Canberra Times report citing the document was republished by more than 60 Australian newspapers.

GPTZero’s testing shows that when asked questions such as the “average detection time for loyalty program fraud,” Claude, ChatGPT, and Perplexity have all cited this EY report filled with hallucinations. “Deep research” AI tools use different signals than humans when selecting sources; they rely more heavily on the brand halo, which makes them even more vulnerable to this kind of data poisoning.

GPTZero’s hallucination detection tool has already been used to screen paper submissions at top academic conferences such as IJCAI, ICLR, and ICSE. Previously, GPTZero has also examined government documents, two KPMG reports, and papers from the NeurIPS and ICLR conferences.

After the investigation report was released, EY Canada removed the white paper from its website and issued a statement: “EY Canada takes the accuracy of all content we publish seriously, and we have an organization-wide commitment to the responsible use of AI. We are reviewing why this report was published.”

A global top-tier firm known for rigorous auditing entrusted its brand credibility to an AI-generated white paper—one that didn’t even bother to verify citations. Only after a small team of three people publicly dismantled it did they realize how serious the problem was.

This is not just an isolated case; it’s what the entire industry is dealing with: when “AI-generated” replaces “professional judgment,” brand endorsement itself becomes the most risk-prone kind of citation.
