Accenture Finds Gen Z Most Prone to Phishing Risks

At a time when cyberattacks dominate headlines, a new Accenture study exposes a troubling cybersecurity divide, widening by the day as AI-fuelled threats multiply.

Accenture’s State of Cybersecurity Resilience Report 2025 finds that while only 36% of leaders concede AI is outrunning their defences, 90% of organisations still lack the capability to guard against AI-powered cyber risks.

Even more alarming, one in four UK employees under 35 say they would act on a suspicious message if they believed it came from a colleague or a senior leader.

The research also reveals that 15% would share company data or approve payments via messaging apps – without verifying the sender – if the request appeared to come from a leader or co-worker.

Set against a backdrop of widespread confidence, where four in five employees (81%) believe they can spot a phishing attempt, these findings are a recipe for disaster.

Kamran Ikram, Accenture’s Security lead in the UK & Ireland, says: “Recent cyber-attacks prove no organisation is untouchable and these results show a growing threat from AI-driven social engineering where attackers target trust instead of technical flaws.

“With cyber criminals weaponising information from social media to deceive people with realistic messages or calls, employees must make faster judgement calls on what’s real and what’s not. 

“The workforce feels cyber confident – though it's uneven among men and women, there remains a serious skills and training gap across the board. 

“Being overconfident yet undertrained is a dangerous position to be in.”

Bridging the Security Maturity Gap and the AI Training Divide

Accenture’s 2025 State of Cybersecurity Resilience Report segments organisations into three zones Cybersecurity Resilience – reinvention-ready, progressing and exposed – based on their strategy and cyber capability.

Only 10% have reached the reinvention-ready zone, 27% sit in the progressing zone, and a striking 63% fall into the most vulnerable, exposed zone.

Crucially, organisations in the reinvention-ready zone are 69% less likely to be hit by a cyberattack than those in the exposed zone.

The 2025 State of Cybersecurity Resilience Report by Accenture categorises organisations into specific zones namely: the reinvention-ready zone, progressing zone and the exposed zone, based on their strategy and cyber capability. 

Only 10% of organisations have achieved the status of being in the reinvention-ready zone, while 27% lay in the progressing zone and a whopping 63% landed in the most vulnerable, exposed zone. 

Being in the reinvention-ready zone would make an organisation 69% less likely to be subject of a cyberattack compared to those in the exposed zone.

Accenture’s latest research finds that more than a third of UK employees have received no cybersecurity training.

With only 20% trained to recognise deepfakes and AI-generated phishing emails, organisations remain highly exposed to social engineering threats.

As companies race to deploy AI across the enterprise, clear, organisation-wide guidance on safe usage is lagging far behind.

Actions for AI Security: How companies can prepare for AI cyber threats

The report outlines four decisive steps to become reinvention-zone ready.

With 72% of organisations reporting increased cyber threats, the first is to establish an organisation-wide security governance framework that reflects the realities of an AI-disrupted world.

Second, as AI is widely adopted, by companies should design their digital core to be Gen AI-secure by embedding security into every layer of AI development, deployment and operations.

Third, sustain resilient AI systems with proactive, AI‑specific threat management—essential in a landscape where AI‑driven attacks, including worms like Morris II, are on the loose.

Fourth and finally, drive enterprise‑wide cybersecurity reinvention by leveraging GenAI to help close the talent gap and detect threats earlier.

“Organisations must look to be resilient in every area of their operations and supply chain, which means ongoing education on cyber threats, “ Kamran says.

“Businesses can’t rely on patchy preparedness when attackers are advancing by the day.”