Less than half of workers can spot an AI phishing email

In a recent global survey, most people couldn’t differentiate between a phishing message written by artificial intelligence (AI) and an authentic, human-written email.

The survey of 18,000 employed adults from around the globe tested them on their awareness when it comes to cyber dangers, like AI and phishing, and found startling room for improvement.

When shown a phishing email, only 46% of survey respondents correctly identified that it was written by AI. The other 54% either believed it was an authentic message written by a human or were unsure.

But interestingly, age did not seem to play a role in awareness, as there were no significant differences between generations in being able to correctly recognize the phishing attempt (Gen Z 45%, millennials 47%, Gen X and baby boomers, both 46%), highlighting the fact that no group is exempt from needing extra cyber-caution in the age of AI.

And although the phishing simulation caught most respondents by surprise, the study did find that respondents are conscious of AI being used to trick them in digital environments — they’re just not able to consistently identify threats.

In another test, they were shown an authentic, human-written email that could have been sent by any one of their employers for a real purpose, and less than a third (30%) were able to correctly identify that it was genuine. This highlights the prevalence of human error in recognizing cyber threats in the digital era.

The study was conducted by Talker Research on behalf of Yubico as part of their annual Global State of Authentication Survey, just in time for Cybersecurity Awareness Month in October, and polled employed respondents from the U.S., the U.K., Australia, India, Japan, Singapore, France, Germany and Sweden.

The results found that more than four in 10 people (44%) have interacted with a phishing message (e.g. clicked on a link, opened an attachment) in the last year, with 13% even admitting they’ve done so in the last week.

And younger people appear to be especially susceptible to phishing, as more Gen Z respondents admitted to interacting with a phishing scam in the last year than other age groups (Gen Z 62%, millennials 51%, Gen X 33%, baby boomers 23%).

According to the findings, the most common phishing methods respondents reported falling prey to were emails (51%), texts (27%) and social media messages (20%).

To uncover part of why phishing is so successful, the survey asked respondents who’ve been tricked by phishing attempts to explore why they think they were successfully duped.

The most common answers were that the phishing message seemed like it came from a real, trusted source (34%) and that respondents admitted to being in a rush when they received it, and didn’t think too hard about it (25%).

But falling for phishing attempts comes with consequences. Respondents said the information they’ve most commonly disclosed to phishers by accident, across both personal and work contexts, has been email addresses (29% personal, 21% work), their full name (22% personal, 16% work) and phone numbers (21% personal, 15% work).

“Because our personal and professional lives are so intertwined, and there’s widespread cross-contamination between personal and work devices, a successful phishing attack on your personal data and devices could compromise your work security, and vice versa,” said Ronnie Manning, chief brand advocate at Yubico. “That’s why individuals and companies need to employ the highest level of security, using multi-factor authentication and things like device-bound passkeys, across all of their accounts. Because weak cybersecurity practices at any level of an organization could lead to significant and dangerous security breaches.”

In the study, half of employed people (50%) revealed that they’re currently logged into work accounts on their personal devices, which their company may not be aware of.

But younger generations are more likely than older generations to be logged into work accounts on personal devices (answers for “I only use work-permitted devices”: Gen Z 30%, millennials 40%, Gen X 55%, baby boomers 66%).

Forty percent of all respondents admitted to being logged into their personal emails on their work devices, 17% said they’re signed into their online banking portals on work devices, 19% have work documents saved on personal devices and 23% are signed into their personal social media accounts on work devices.

Yet in spite of these cyber vulnerabilities when it comes to AI scams and phishing attempts, three in 10 respondents (30%) still don’t have multi-factor authentication (MFA) enabled for their personal accounts.

Along with that, a shocking 40% said the company they work for has not given them any cybersecurity training, 44% revealed that security requirements differ based on role and title at the company and half (49%) reported that the company uses a handful of various authentication/login methods for different company applications and programs, instead of employing one, consistent and secure MFA method.

“With gaps in cybersecurity training, employee usage of devices between work and personal and vulnerabilities when it comes to identifying AI scams and phishing attempts, both companies and individuals are at risk in an increasingly sophisticated online world,” said Manning. “Turn on MFA on your apps, services and accounts wherever you can. Phishing-resistant MFA, like that on a security key, is the most proven way to protect yourself, your data and your assets in this ever-evolving digital world.”

Survey methodology:
Talker Research surveyed 2,000 employed adults from each of the following countries: the United States, the United Kingdom, Australia, India, Japan, Singapore, France, Germany and Sweden; the survey was commissioned by Yubico and administered and conducted online by Talker Research between Aug. 15 and Aug. 27, 2025.

We are sourcing from a non-probability frame and the two main sources we use are:
● Traditional online access panels — where respondents opt-in to take part in online market research for an incentive
● Programmatic — where respondents are online and are given the option to take part in a survey to receive a virtual incentive usually related to the online activity they are engaging in
Those who did not fit the specified sample were terminated from the survey. As the survey is fielded, dynamic online sampling is used, adjusting targeting to achieve the quotas specified as part of the sampling plan.

Regardless of which sources a respondent came from, they were directed to an Online Survey, where the survey was conducted in English; a link to the questionnaire can be shared upon request. Respondents were awarded points for completing the survey. These points have a small cash-equivalent monetary value.

Cells are only reported on for analysis if they have a minimum of 80 respondents, and statistical significance is calculated at the 95% level. Data is not weighted, but quotas and other parameters are put in place to reach the desired sample.

Interviews are excluded from the final analysis if they failed quality-checking measures. This includes:
● Speeders: Respondents who complete the survey in a time that is quicker than one-third of the median length of interview are disqualified as speeders
● Open ends: All verbatim responses (full open-ended questions as well as other please specify options) are checked for inappropriate or irrelevant text
● Bots: Captcha is enabled on surveys, which allows the research team to identify and disqualify bots
● Duplicates: Survey software has “deduping” based on digital fingerprinting, which ensures nobody is allowed to take the survey more than once
It is worth noting that this survey was only available to individuals with internet access, and the results may not be generalizable to those without internet access.
