Complacent Gen Z and Millennial workers are more likely to be duped by social engineering attacks

Ethical hacker concept image showing hands of a female pentester typing on a laptop keyboard. — (Image credit: Getty Images)

While most workers believe they can spot a phishing attempt, nearly one-in-four under-35s would fall for a suspicious message if they thought it came from a colleague or boss.

Four-in-five British workers told Accenture researchers they were confident they'd spot a suspicious message, even though more than a third have never received cybersecurity training.

Men show the biggest faith in themselves, being nearly twice as likely as women to report high confidence in spotting cyber threats, at 22% compared with 12%.

But younger workers in particular may be wrong about this. The survey of over 1,000 British employees found that 15% would share company data or make payments via messaging apps, without verifying the sender, if the message seemed to come from a leader or colleague.

Among under-35s, so those in the millennial and Gen Z demographics, this rose to nearly a quarter (24%).

“With cyber criminals weaponizing information from social media to deceive people with realistic messages or calls, employees must make faster judgement calls on what’s real and what’s not," said Kamran Ikram, Accenture’s security lead in the UK and Ireland.

"The workforce feels cyber confident – though its uneven among men and women – there remains a serious skills and training gap across the board. Being overconfident yet undertrained is a dangerous position to be in."

More cybersecurity training is needed

Notably, more than one-third (37%) of British workers have never received any cybersecurity training, including 44% of over-55s. Meanwhile, only one-in-five have been trained to recognize deepfakes or AI-generated phishing emails.

This lack of training is more significant in smaller companies, where 79% of microbusinesses with less than 10 employees and 55% of small firms with between 10 and 49 employees offer no cybersecurity training at all.

"Organizations must look to be resilient in every area of their operations and supply chain, which means ongoing education on cyber threats," said Ikram. "Businesses can’t rely on patchy preparedness when attackers are advancing by the day.”

Even when employees are receiving training, it's not adequately covering all the risks, Accenture found. Half of those that have been trained said they've received no guidance on using AI safely, such as what data should not be shared with public tools or how to identify AI-enabled attacks.

As a result, 17% have no awareness of AI-driven cyber threats while only 61% are aware of deepfake videos or AI-generated phishing emails, and fewer than half are aware of voice cloning or identity theft.

“AI is bringing immense opportunity to business, but it also is changing the risk landscape as criminals increasingly incorporate AI into their arsenal," said Ikram.

"Today, awareness of AI-enabled attacks is still uneven, and that gap is where the next wave of breaches will likely happen. But more than that - building a cyber-savvy workforce isn’t just about protecting your systems, it’s also what allows innovation and trust to scale together.”

Workers do at least have a sense of collective responsibility. While a quarter of British employees believe that the IT or security department is most responsible for protecting a company against cyber threats, more than twice as many accept that it's a joint responsibility across the organization.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

MORE FROM ITPRO

TOPICS

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.