Complacent Gen Z and Millennial workers are more likely to be duped by social engineering attacks
Overconfidence and a lack of security training are putting organizations at risk
While most workers believe they can spot a phishing attempt, nearly one-in-four under-35s would fall for a suspicious message if they thought it came from a colleague or boss.
Four-in-five British workers told Accenture researchers they were confident they'd spot a suspicious message, even though more than a third have never received cybersecurity training.
Men show the biggest faith in themselves, being nearly twice as likely as women to report high confidence in spotting cyber threats, at 22% compared with 12%.
But younger workers in particular may be wrong about this. The survey of over 1,000 British employees found that 15% would share company data or make payments via messaging apps, without verifying the sender, if the message seemed to come from a leader or colleague.
Among under-35s, so those in the millennial and Gen Z demographics, this rose to nearly a quarter (24%).
“With cyber criminals weaponizing information from social media to deceive people with realistic messages or calls, employees must make faster judgement calls on what’s real and what’s not," said Kamran Ikram, Accenture’s security lead in the UK and Ireland.
"The workforce feels cyber confident – though its uneven among men and women – there remains a serious skills and training gap across the board. Being overconfident yet undertrained is a dangerous position to be in."
More cybersecurity training is needed
Notably, more than one-third (37%) of British workers have never received any cybersecurity training, including 44% of over-55s. Meanwhile, only one-in-five have been trained to recognize deepfakes or AI-generated phishing emails.
This lack of training is more significant in smaller companies, where 79% of microbusinesses with less than 10 employees and 55% of small firms with between 10 and 49 employees offer no cybersecurity training at all.
"Organizations must look to be resilient in every area of their operations and supply chain, which means ongoing education on cyber threats," said Ikram. "Businesses can’t rely on patchy preparedness when attackers are advancing by the day.”
Even when employees are receiving training, it's not adequately covering all the risks, Accenture found. Half of those that have been trained said they've received no guidance on using AI safely, such as what data should not be shared with public tools or how to identify AI-enabled attacks.
As a result, 17% have no awareness of AI-driven cyber threats while only 61% are aware of deepfake videos or AI-generated phishing emails, and fewer than half are aware of voice cloning or identity theft.
“AI is bringing immense opportunity to business, but it also is changing the risk landscape as criminals increasingly incorporate AI into their arsenal," said Ikram.
"Today, awareness of AI-enabled attacks is still uneven, and that gap is where the next wave of breaches will likely happen. But more than that - building a cyber-savvy workforce isn’t just about protecting your systems, it’s also what allows innovation and trust to scale together.”
Workers do at least have a sense of collective responsibility. While a quarter of British employees believe that the IT or security department is most responsible for protecting a company against cyber threats, more than twice as many accept that it's a joint responsibility across the organization.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
MORE FROM ITPRO
- Are we in a cyber awareness crisis?
- Employee phishing training is working – but don’t get complacent
- Best online cyber security courses
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Two US nationals sentenced for role in prolific fake worker laptop farmsNews The Americans were raising money for the North Korean regime by allowing fake IT workers to appear as legitimate US-based employees
-
Beware of emails threatening a code of conduct review
News A widespread phishing campaign has targeted tens of thousands of employees
-
‘The inbox is no longer the only frontline’: Phishing attacks are evolving as cyber criminals ramp up ‘multi-channel’ campaigns over email and Microsoft TeamsNews New research shows threat actors are ramping up “multi-channel” phishing attacks by combining lures via email and Microsoft Teams
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businesses
News Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
Zephyr Energy hackers swiped £700,000 after redirecting a contractor paymentNews Payment to a Zephyr Energy contractor was siphoned off, but the incident has been contained and new security measures implemented
-
Microsoft and NCSC issue alerts over hacker campaigns targeting WhatsApp, Signal messaging appsNews Microsoft warns about a sophisticated attack that starts with WhatsApp messages, while the NCSC says such incidents are on the rise
-
'AI-generated phishing became the baseline' for hackers last year – Kaseya warns it's going to get worse in 2026News Forget looking for typos and bad grammar, phishing campaigns are using AI to boost their attack success
