Gen Z more likely to engage with phishing than Boomers
Gen Z consumers report significantly higher engagement with phishing messages than Baby Boomers, despite adopting multi-factor authentication (MFA) more frequently, according to new research from Yubico.
The findings, published in the 2025 Global State of Authentication Report, reveal that 62% of Gen Z respondents admitted to interacting with a phishing scam, such as clicking a suspicious link or opening an attachment, within the past year. This susceptibility exists even though the demographic is nearly 20% more likely to use MFA than older generations.
The data highlights a distinct generational divide between the uptake of modern login methods and day-to-day digital behaviour. While younger users are more proactive in securing their accounts with advanced authentication tools, they appear more prone to "digital complacency" or over-familiarity with rapid online communications.
Interestingly, the report found that the ability to actually recognise a phishing attempt was consistent across all age groups, suggesting that Gen Z's higher engagement rate stems from behavioural habits rather than a lack of awareness.
Yubico said 62 percent of Gen Z respondents admitted interacting with a phishing message in the last year. The company defined interaction as clicking a link, opening an attachment, or responding to the message. In comparison, 23 percent of Baby Boomers reported the same behaviour.
The results challenge the assumption that younger "digital natives" face lower risk online. Yubico said older groups showed more reliance on passwords, while also appearing less inclined to engage with unsolicited messages.
Security adoption
The report suggests Gen Z leads on adoption of multi-factor authentication for personal accounts. Yubico said 71 percent of Gen Z respondents use MFA for personal logins. It said 51 percent of Baby Boomers reported using MFA.
Yubico drew a distinction between having additional login steps in place and resisting social engineering attempts. The company said MFA use did not prevent Gen Z respondents from interacting with phishing messages at a higher rate.
Niall McConachie, Regional Director, UK & Ireland, Yubico, said the data showed a mismatch between tools and behaviour.
"Now is the perfect time to debunk the myth that being tech-savvy equates to being cyber resilient and safe online. Our data shows a concerning disconnect: Gen Z is adopting the right tools, like MFA, but their comfort with digital communication makes them a prime target for social engineering and phishing attacks," said Niall McConachie, Regional Director, UK & Ireland, Yubico.
AI confidence
The research also looked at perceptions of AI-generated content. Yubico said 38 percent of Gen Z respondents believed an AI-generated message was written by a human when shown an example message. It reported a lower figure of 21 percent for Baby Boomers.
The findings arrive as organisations and consumers report higher volumes of scams that imitate official brands, colleagues, or recruiters. Security teams have warned that generative AI can lower the cost of producing realistic phishing emails and text messages, even where the attack relies on simple tactics such as urgency and curiosity.
Yubico did not specify the sample size or geographic breakdown in the summary it shared, but it framed the results as part of a broader trend in authentication and consumer security habits.
Password habits
While Gen Z respondents reported higher MFA usage, the report suggests passwords still dominate. Yubico said 57 percent of Gen Z primarily rely on a simple username and password for personal account logins.
The figure rose to 67 percent among Baby Boomers, according to Yubico. The company said this pattern leaves older users exposed to credential theft, including password reuse and password database leaks. It also said reduced willingness to engage with unsolicited messages may limit exposure to some phishing attempts.
McConachie said the report also points to differing triggers across generations.
"When we look at why people are falling for these scams, the data tells a deeper story: Gen Z are most likely to be tricked because they are 'in a rush' or because the message offered a 'valuable opportunity' like a job or prize. In contrast, Baby Boomers are rarely tricked by opportunities but are more likely to fall for messages that appear to come from a 'trusted source'," said McConachie.
The differences match well-known patterns in scam design. Phishing messages often use urgency to force quick decisions. Some target job seekers with interview offers or salary claims. Others mimic delivery notifications, banking alerts, or internal company requests, where the attacker depends on trust in a familiar brand or person.
Hardware keys
Yubico, which sells security keys and related authentication products, used the findings to argue for phishing-resistant approaches. Hardware-backed methods can reduce reliance on shared secrets such as passwords. They can also change what an attacker gains from a stolen credential.
McConachie said users should combine caution around messages with modern authentication options.
"The takeaway for 2026 is that no generation is immune, but that the vulnerabilities differ. True privacy and security require a combination of the right habits - scepticism of unexpected messages - and modern, phishing-resistant tools like hardware security keys that protect your personal information even when you do inevitably click on a fraudulent phishing link in emails or text messages," said McConachie.
Companies continue to tighten access controls for consumer and workforce accounts. More services now default to MFA prompts or passkey sign-in options, while banks and online platforms increase monitoring for account takeovers and payments fraud.
Yubico said its data points to a persistent gap between awareness, adoption of security features, and real-world behaviour. The company said the risk landscape remains driven by human response to messages as much as it is by the login technology in place.