- Yubico study finds nearly half of respondents interacted with phishing emails in the past year
- Gen Z emerges as the most vulnerable demographic to phishing attacks
- Passwords remain dominant despite low confidence in their actual security strength
Phishing emails have advanced to the point where many people can no longer tell the difference between real and fraudulent messages, new research has claimed.
A Yubico survey found nearly half (44%) of respondents interacted with at least one phishing message in the past year, through actions such as clicking a link or opening an attachment.
More than half of the participants either assumed a phishing message was authentic or admitted they were unsure, showing how much attackers now rely on deception rather than technical flaws.
Younger users most exposed
Gen Z was found to be the most susceptible, with 62% engaging with phishing scams in the past year, a figure far higher than other age groups.
Interestingly, when it came to recognizing phishing attempts, the differences between generations were negligible.
This suggests although younger users interact more frequently with suspicious content, the overall challenge of identifying phishing remains universal across age groups.
Unfortunately, the security practices of both individuals and organizations are raising serious concerns.
“Our survey revealed a disconnect. Individuals are complacent about securing their own online accounts, and organizations appear slow to adopt security best practices,” said Ronnie Manning, chief brand advocate, Yubico.
Despite widespread acknowledgment that usernames and passwords are insecure, they remain the most common authentication method for personal and work accounts.
Less than half of companies have implemented multi-factor authentication across all applications, and 40% of employees reported receiving no cybersecurity training.
Even for personal email accounts, which often serve as gateways to critical services like banking and mobile carriers, nearly a third of users still lack multi-factor authentication.
However, there are pockets of progress, most notably in France, where multi-factor authentication adoption for personal accounts jumped from 29% in 2024 to 71% in 2025.
This marks a sharp shift in attitudes toward more secure login methods.
At the same time, concern over artificial intelligence is rising quickly in countries such as Japan and Sweden, where apprehension has more than doubled in a year.
Confidence in advanced authentication methods is also beginning to grow, particularly in the use of hardware-based options such as security keys and passkeys.
Both the United Kingdom and the United States reported a marked increase in the number of people viewing these tools as the most secure available.
While phishing attempts are evolving at an alarming pace, the gradual adoption of phishing-resistant authentication hints at a potential path forward.
“Both individuals and organizations have the power to protect themselves by adopting these phishing-resistant solutions today. Modern MFA is clearly no longer just ‘nice to have’ and has quickly become essential,” Manning added.
For now, the gap between awareness and protection remains wide, leaving individuals and organizations exposed to increasingly convincing attacks.
