Investigation: Hallucinated Citations in EY’s Loyalty‑Fraud Report

Trends Reporter

GPTZero uncovers a wave of fabricated references – dubbed “vibe citations” – in Ernst & Young’s 2025 report on loyalty‑system fraud, showing how AI‑generated errors can poison research and public trust.

EY’s Loyalty‑Fraud Report under the microscope

In late 2025 EY Canada released Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems, a 44‑page document that quickly appeared in news feeds, blog posts and AI‑driven search summaries. The report is marketed as a data‑driven guide for governments and enterprises, yet a closer look by GPTZero reveals a pattern of fabricated references and contradictory statistics.

What the investigation found

| Section | Claim | Cited source (as listed) | Reality |
|---|---|---|---|
| Executive summary | Global loyalty‑points market worth $200 billion; 30‑50 % of points unused | Forbes article (2023) | URL returns 404; no such Forbes piece exists. |
| Page 10 | $200 billion represents unredeemed points only | McKinsey “Loyalty Economics Report (2022)” | No McKinsey report with that title; the citation matches a low‑quality fintech blog. |
| Page 6 | 72 % of programs reported theft or fraud | Paystone 2019 post | Paystone page not found; the statistic actually traces to a 2017 Ipsos survey. |
| Page 6 | Fraud attacks increased 89 % since 2019 | Forter Fraud Attack Index | Forter index confirms a rise but only for 2018‑2019, not the broader period claimed. |

GPTZero’s Hallucination Check flagged 72 % of the 27 listed references as fabricated or unreachable. Many URLs resolve to generic home pages or return 404 errors, and several titles do not correspond to any known publication.

How the false citations spread

The report does not use traditional footnotes. Instead, it embeds source titles directly in the prose and provides a “resources table” on pages 41‑43. That table repeats the same bogus entries, effectively copying invented citations from a little‑known UK fintech blog called Financial IT. The blog itself lists a non‑existent McKinsey report, creating a feedback loop where a fabricated source is amplified by a major consulting firm.

Why this matters for the wider community

  1. Research contamination – When a high‑profile document is indexed by search engines, AI assistants such as Claude, ChatGPT and Perplexity retrieve its content as if it were factual. Subsequent queries about loyalty‑fraud statistics return the same hallucinated numbers.
  2. Decision‑making risk – Companies that base risk‑assessment models on the report may allocate resources based on inflated threat levels, leading to inefficient security spending.
  3. Erosion of trust – Repeated exposure to unreliable citations can make readers skeptical of all consulting research, even when the underlying analysis is sound.

Counter‑perspectives

Some analysts argue that the presence of a few erroneous citations does not invalidate the overall insights about API abuse, credential‑stuffing attacks and the need for stronger authentication. They point out that the technical recommendations (e.g., implementing token‑binding, monitoring API call patterns) align with best practices from reputable sources such as the Cisco Talos blog and Gartner security briefings.

However, critics counter that the credibility of any recommendation hinges on transparent sourcing. When the foundational data cannot be verified, even well‑intentioned advice loses its persuasive power.

What GPTZero is doing

Since 2025 GPTZero has offered a Hallucination Check tool that scans documents for broken URLs, mismatched titles and statistical inconsistencies. The system is now integrated into the review pipelines of conferences like IJCAI, ICLR and ICSE, helping reviewers flag papers that rely on fabricated references.

Looking ahead

The EY case illustrates a broader trend: as AI‑assisted authoring becomes commonplace, the friction of manually verifying each citation encourages shortcuts that manifest as “vibe citations.” Organizations that publish research should adopt automated citation‑validation steps, and readers should treat any source—no matter how prestigious—with a degree of skepticism.
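
One way to build the automated citation-validation step recommended above, as an added example that is not GPTZero's or EY's code: it labels each reference as unreachable, redirected to a home page, or title-mismatched, the failure patterns this article describes. The function names, the 0.5 word-overlap threshold and the sample references on placeholder domains are assumptions constructed for illustration.

```python
import re
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import urlopen

def fetch(url, timeout=10):
    """Return (status, final_url, page_title) for url, or None if unreachable."""
    if urlsplit(url).scheme not in ("http", "https"):  # refuse file:, ftp:, ...
        return None
    try:
        with urlopen(url, timeout=timeout) as resp:
            html = resp.read(65536).decode("utf-8", "replace")
            m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
            return resp.status, resp.geturl(), m.group(1).strip() if m else ""
    except HTTPError as err:  # server answered with 4xx/5xx
        return err.code, url, ""
    except (OSError, ValueError):  # DNS failure, timeout, malformed URL
        return None

def _words(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def classify(title, url, result, min_overlap=0.5):
    """Label one reference from the recorded fetch() result for its URL."""
    if result is None or result[0] >= 400:
        return "unreachable"
    _, final_url, page_title = result
    if urlsplit(url).path.strip("/") and not urlsplit(final_url).path.strip("/"):
        return "redirected_to_homepage"  # deep link landed on the site root
    cited = _words(title)
    overlap = len(cited & _words(page_title)) / max(len(cited), 1)
    return "ok" if overlap >= min_overlap else "title_mismatch"

def audit(refs, results):  # results: {url: fetch(url)} recorded beforehand
    return {url: classify(title, url, results.get(url)) for title, url in refs}

# Constructed sample data on placeholder domains, not the report's references.
REFS = [
    ("Loyalty Fraud Survey 2017", "https://example.org/surveys/loyalty-fraud-2017"),
    ("Loyalty Economics Report", "https://example.com/insights/loyalty-economics"),
    ("Fraud Attack Index", "https://example.net/blog/fraud-attack-index"),
    ("Unredeemed Points Study", "https://example.edu/papers/unredeemed-points"),
]
RESULTS = {
    REFS[0][1]: (200, REFS[0][1], "Loyalty Fraud Survey 2017 | Example Research"),
    REFS[1][1]: (404, REFS[1][1], ""),
    REFS[2][1]: (200, "https://example.net/", "Example Payments: Home"),
    REFS[3][1]: (200, REFS[3][1], "Ten Tips for Better Email Marketing"),
}
```

Anything not labelled `ok` still needs a human to confirm that the source exists and says what the document claims; a passing label only shows that the link resolves to a page with a matching title.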


If you want to test documents for similar issues, try GPTZero’s Hallucination Check or contact the team for a custom audit.
