EY Canada published a cybersecurity report that was supposed to be an industry knowledge compendium. Instead, it became proof of how AI generates fake sources. Most of the citations in the document simply don’t exist.
TL;DR: EY Canada retracted a cybersecurity report after it was revealed that most of the cited sources were AI hallucinations. The document contained dozens of references to studies and articles that never existed. The case demonstrates how dangerous it is to uncritically use tools like ChatGPT or Claude when creating analytical reports.
How were the fabricated citations in the EY Canada report discovered?
Several weeks after the report’s publication, researchers independently verified random citations from the document. It turned out that the cited industry organization reports did not exist in any database. Moreover, the names of the authors of these publications were also fictitious. EY Canada had to retract the entire document and issue a statement. The story made headlines on technology portals, including Radio ZET, which described the phenomenon of AI-generated fake content and highlighted the growing problem of disinformation.
Hallucinations are a known problem with language models. Systems like ChatGPT or Gemini generate text that sounds plausible but has no basis in facts. In the case of analytical reports, the consequences are serious — decision-makers take actions based on data that is simply made up. Furthermore, this creates enormous difficulties in subsequent auditing.
Who determined that the citations were fake?
The verification was carried out by cybersecurity researchers and technology journalists. They noticed that some citations pointed to studies with titles that sounded plausible but did not appear in any scientific catalog. The document looked professional, but its foundations were empty. Thus, rigorous verification proved crucial.
For example, one citation referenced a supposed industry organization report from 2024. When researchers tried to locate the original, it turned out the organization had never published such a report. The same was true for more than a dozen other sources — the titles existed only in the imagination of the language model that generated the report text.
Here are several typical signs of fabricated citations detected in the document:
- Study titles sound professional but don’t appear in any database
- Author names are fictitious or belong to people unconnected to the topic
- DOI numbers don’t exist in scientific publication registration systems
- Publication dates are inconsistent with content — for example, citing future data
- The publisher denies publishing the material in question
- Fragments of supposedly cited text don’t appear in the original
- URLs in citations lead to 404 error pages
- The bibliography contains entries with identical structure, suggesting automated generation
Why do AI tools generate fake sources?
Language models don’t search for information in databases. Instead, they predict the next token based on patterns from training data. When a model encounters a question about a source, it generates text that statistically matches the format of a scientific citation. The result is a reference that looks authentic but corresponds to nothing in reality, although from the system’s perspective it is a correct match.
| Feature | Real Citation | Fabricated Citation (Hallucination) |
|---|---|---|
| Author | Exists, has publications | No search results |
| Title | Found in databases (Google Scholar) | Not in any catalog |
| Publisher | Confirms publication | Denies publication |
| URL | Works, leads to content | 404 error or no domain |
| Year | Logical, consistent with content | Often inconsistent with data |
This problem affects all models — ChatGPT, Claude, Gemini. None of them is immune to hallucinations in the context of citations. As highlighted by TECHNOSenior in their analysis of cyber threats, cybercriminals also use AI to generate fake content, further complicating the security landscape.
How does this situation differ from an ordinary editorial error?
A classic editorial error is a typo, a wrong year, or an outdated statistic. In the case of the EY Canada report, we’re dealing with systematic generation of fictitious sources on a scale covering most of the bibliography. This is not a single mistake. It’s a structural problem in the document creation process.
Normally, the editorial process includes fact-checking. In this case, apparently that step was skipped or done superficially. An AI tool generated text with citations, and someone accepted the result without verification. Such a practice is dangerous because advisory reports shape business decisions at the board and supervisory board level.
This phenomenon fits into a broader trend described by RP.pl in the context of Poland’s digital security — organizations are losing control over the quality of content they produce. Automation without verification is a straight path to losing credibility.
What consequences did EY Canada face?
After the matter was revealed, EY Canada retracted the report from circulation. The firm issued a statement acknowledging that the document contained incorrect citations. The case reverberated widely across the consulting and technology industries, undermining the credibility of one of the world’s largest consulting firms.
Reputation in the consulting industry is built on trust. A client pays for reliable analysis, not for literary fiction in a scientific frame. Every citation should be verified, regardless of who authored the report. This incident shows that even the largest organizations are vulnerable to errors arising from reflexive AI use.
The consequences extend beyond the firm itself. The entire consulting industry had to face the question of how it verifies content generated with the help of AI tools. As with the false alarms described by RP.pl, where efficient services prove helpless against a flood of disinformation, the consulting industry faced a comparable verification challenge.
What does this case teach organizations using AI?
Organizations must treat AI as a supportive tool, not a replacement. Every generated text requires verification, especially in the area of citations and sources. The editorial process cannot be skipped, even when the deadline is near.
The most important thing is building processes in which a human verifies every fact generated by a model. For example, if ChatGPT provides a source, the analyst must locate it in the original database. Only then does the information make it into the report. This takes time, but it protects against blunders on the scale of what EY Canada experienced.
What citation verification techniques do editorial teams use?
Editorial teams and analytical groups are implementing procedures to check every source before publication. This requires manual confirmation of whether the cited author exists, whether the publication title appears in catalogs, and whether links lead to active pages. Over 80% of digital services sales revenue in EU countries goes to US-based companies (RP.pl, 2025), showing the scale of dependence on digital processes that often lack adequate quality control procedures.
The verification process can be tedious. It requires access to scientific databases and sometimes contact with authors. A simple search engine check is not enough, because AI-generated titles can look very credible. Therefore, editorial teams must invest in fact-checking tools and train their staff to recognize hallucinations.
Here are the basic techniques used during verification:
- Checking whether the cited author exists in databases like Google Scholar
- Verifying DOI numbers in scientific publication registries
- Copying title fragments into a search engine with “PDF” or “abstract” appended
- Directly contacting the publisher to confirm the publication was issued
- Checking the URL domain for registration and history
- Analyzing content for date and data inconsistencies
- Comparing cited fragments with available text databases
- Establishing the authenticity of the original document’s publication
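Several of the checks above, and of the warning signs listed earlier (unregistered DOIs, dead URLs, dates that run ahead of the report), can be automated as a first-pass triage before human review. The following Python example is added here and is not part of the original article or of any EY tooling; the citation records, the stub DOI registry, the stub HTTP results and the report date are constructed, and `doi_registered` and `url_status` are hypothetical callables that a real pipeline would back with a registry query and an HTTP request.

```python
import re
from datetime import date

# DOI syntax: "10.", a 4-9 digit registrant prefix, "/", then a non-empty suffix.
DOI_RE = re.compile(r"^10\.\d{4,9}/\S+$")

def triage(citations, doi_registered, url_status, report_date):
    """Map each citation key to the red flags an editor must resolve by hand."""
    findings = {}
    for c in citations:
        flags = []
        doi, url = c.get("doi"), c.get("url")
        if not doi and not url:
            flags.append("no-locator")          # nothing to verify against
        if doi:
            if not DOI_RE.match(doi):
                flags.append("doi-malformed")
            elif not doi_registered(doi):       # well-formed but unknown to the registry
                flags.append("doi-not-registered")
        if url and url_status(url) != 200:
            flags.append("url-dead")            # e.g. a 404 page
        if c["year"] > report_date.year:
            flags.append("year-after-report")   # cites material from the "future"
        findings[c["key"]] = flags
    return findings

def share_flagged(findings):
    """Fraction of the bibliography carrying at least one red flag."""
    return sum(1 for f in findings.values() if f) / len(findings)

# --- Constructed sample data (assumption, not taken from the EY Canada report) ---
SAMPLE = [
    {"key": "a", "year": 2023, "doi": "10.5555/example.0001", "url": None},
    {"key": "b", "year": 2024, "doi": "10.5555/example.9999", "url": None},
    {"key": "c", "year": 2027, "doi": "doi:10/bad", "url": "https://example.org/missing"},
    {"key": "d", "year": 2022, "doi": None, "url": None},
]
KNOWN_DOIS = {"10.5555/example.0001"}           # stub standing in for a DOI registry
PAGES = {"https://example.org/missing": 404}    # stub standing in for HTTP responses

def run_sample():
    return triage(SAMPLE, KNOWN_DOIS.__contains__,
                  lambda u: PAGES.get(u, 200), date(2025, 6, 1))

if __name__ == "__main__":
    for key, flags in run_sample().items():
        print(key, flags or "ok")
```

An empty flag list only means the locator resolves; the author, the title and any quoted passage still have to be confirmed against the original by a person.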
Can AI hallucinations be completely eliminated?
It is impossible to completely eliminate hallucinations from language models because text generation is based on probability, not on a database. One in five surveyed individuals reports having been a victim of a cyberattack or online fraud (Radio ZET, 2025), meaning that AI-generated fake content poses a real threat. However, reducing the risk requires appropriate procedures.
Models like ChatGPT or Claude do not understand the concept of truth. Generated citations will always require human verification. Even the best prompts don’t guarantee correctness. The system might provide a real source with a wrong year or distort a title. As a result, the only defense remains human fact-checking before every publication.
How is the consulting industry responding to the EY Canada incident?
Following the EY Canada incident, consulting firms began introducing additional verification layers for documents created with AI assistance. During Q4 2025 — Q1 2026, cybercriminal group activity increased (TECHNOSenior, 2026), meaning the industry must simultaneously combat internal fake content and external threats.
Many firms have introduced a ban on directly copying content from language models into final reports. Analysts must use AI exclusively as a brainstorming and drafting tool. Sources must be added manually. This is a slow process, but it protects the firm from repeating EY Canada’s mistake.
Frequently Asked Questions
How many citations in the EY Canada report turned out to be fabricated?
Most of the citations verified by researchers turned out to be fictitious — the cited reports did not exist in any database, and author names were generated. One in five surveyed individuals reports having been a victim of a cyberattack or online fraud (Radio ZET, 2025), showing the scale of the threat associated with fake content online.
How quickly were the fake sources in the report detected?
Researchers and journalists detected the problem within a few weeks of publication through random verification of citations in scientific databases. Over 80% of digital services sales revenue in EU countries goes to US-based companies (RP.pl, 2025), demonstrating how important reliable verification is in data-driven processes.
Do ChatGPT, Claude, and Gemini all hallucinate citations equally?
All language models generate fake citations because they don’t search databases but predict tokens based on patterns. No model is immune to citation hallucinations, regardless of which vendor produced it.
What tools help detect fabricated sources?
Tools such as Google Scholar, CrossRef DOI Checker, and academic search engines allow quick verification of publication existence. During Q4 2025 — Q1 2026, cybercriminal group activity increased (TECHNOSenior, 2026), which means rigorous procedures for checking source authenticity are necessary.
Summary
The EY Canada case is a reminder that AI tools require human oversight. Every generated citation can be fiction. Every statistic can be made up.
- Language models hallucinate citations — this is their structural feature, not a bug to be fixed
- Fact-checking must be a mandatory step in every editorial process
- The consulting industry is introducing new quality control procedures after the EY Canada incident
- Cybercriminals also use AI to generate fake content, doubling the threat
- Trust takes years to build and can be lost with a single report containing fictitious sources