Gen Z Phishing Risk: What UK Startups Must Fix

Climate Change & Net Zero Transition · By 3L3C

Gen Z interacts with phishing at 62% vs 23% of Boomers. Here’s what UK startups should change to protect customers, trust, and growth.

Tags: Phishing, Gen Z, Startup Security, Passkeys, MFA, Brand Trust, Cybersecurity Training

Data Privacy Week always produces a few uncomfortable truths. This year’s is simple: being “tech-savvy” doesn’t make people phishing-resistant.

Yubico’s 2026 Global State of Authentication findings (reported by TechRound) land hard for anyone building products, campaigns, or communities that skew young. 62% of Gen Z respondents said they interacted with a phishing message in the last year—opening a link, an attachment, or replying. For Baby Boomers, the figure was 23%.

If you’re a UK startup targeting Gen Z, this isn’t just an IT problem. It’s a brand trust problem, a conversion problem, and—because security failures create rework, downtime, and wasted spend—a sustainability problem too. In a net zero transition economy, resilience matters: the cleanest operation is the one that doesn’t have to redo work after an avoidable incident.

Gen Z is more vulnerable to phishing (and it’s not because they’re “bad at tech”)

Answer first: Gen Z falls for phishing more often because they move faster in digital spaces, trust modern communication channels, and get targeted with “high-reward” hooks (jobs, prizes, opportunities).

The instinct is to assume older users are the easy targets. The data says otherwise. Gen Z is adopting protective tools more frequently—71% use multi-factor authentication (MFA) compared to 51% of Baby Boomers—yet they still report far more phishing interaction.

That mismatch happens because phishing isn’t mainly a technology contest. It’s a behavioural contest.

Speed beats scepticism

According to Yubico’s UK & Ireland regional director, Gen Z is often tricked because they’re “in a rush” or because a message presents a “valuable opportunity” (think: a job offer, a limited-time discount, an invite-only community). That maps perfectly to how many Gen Z-focused marketing funnels are designed: fast, mobile-first, urgency-led.

If your growth engine relies on urgency, you’ve got to assume attackers will borrow the same playbook.

AI has made “looks legit” a weak test

The report also highlights an AI-shaped gap: 38% of Gen Z believed an AI-generated message was human-written, versus 1% of Boomers.

That’s not because Gen Z can’t spot typos. It’s because modern phishing doesn’t need typos. It needs:

  • believable tone
  • correct formatting
  • brand-like language
  • a realistic “next step” (log in, verify, download, pay)

In 2026, the attack is often a well-written message plus a perfectly normal-looking link.

Why this matters for UK startups (especially those marketing to Gen Z)

Answer first: When Gen Z gets phished, your startup pays twice—first in fraud/support costs, then in lost trust and higher acquisition costs.

Startups love Gen Z for good reasons: they influence household buying, adopt new tools quickly, and shape public perception online. But that same comfort with digital communication creates exposure. Here’s where the risk shows up in real startup operations.

Your marketing channels are also your attack surface

If you run campaigns across email, SMS, WhatsApp, Instagram DMs, TikTok, or community platforms, you’re training users to click and respond quickly. Attackers don’t need to hack you to hurt you. They can:

  • impersonate your brand with lookalike domains
  • spoof support requests (“verify your account”)
  • run fake giveaways using your creatives
  • target your customers with “invoice” or “refund” scams

The result is predictable: customers blame the brand they recognise, even if the brand wasn’t breached.

Security incidents are anti-net-zero (practically, not politically)

This post sits in our Climate Change & Net Zero Transition series for a reason: operational resilience is part of sustainable growth.

A phishing incident creates avoidable waste:

  • duplicated work to restore accounts and rebuild systems
  • increased cloud usage during incident response (logs, backups, scans)
  • hardware replacements or new devices issued in a panic
  • travel and onsite recovery for teams that could have stayed remote

Net zero commitments depend on efficient systems. Phishing makes systems inefficient.

The workplace gap: training is missing, and confidence is misplaced

Answer first: Many organisations are behind on training and still rely on phishable login methods—while believing they’re secure.

The same research points to a broader issue in workplaces:

  • 4 in 10 employees don’t receive cybersecurity training
  • 44% wait 3–5 months to upgrade security policies
  • 62% of organisations still rely on username + password alone
  • 44% use SMS one-time passcodes (OTPs), which can be intercepted or socially engineered

Even more worrying is the belief gap:

  • 41% think SMS OTP is the most secure method
  • 33% think app-based OTP is most secure
  • 26% think passwords alone are most secure

That’s not a minor misunderstanding. It shapes budget decisions, product decisions, and onboarding decisions.

Passkeys and phishing-resistant MFA aren’t “nice to have” anymore

In the survey, 30% of respondents rated passkeys as the most secure method, and that view is closer to reality than the OTP options. Passkeys (FIDO2/WebAuthn) and hardware security keys are designed to resist the most common phishing flows because the browser and authenticator bind each authentication to the legitimate site/app: a credential registered for your real domain is not offered on, or accepted from, a lookalike domain.
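Added example (not from the post, Yubico or any vendor): a relying-party check in Python of the two bindings that make a passkey assertion phishing-resistant, the browser-supplied origin and the authenticator's RP ID hash. The origin `https://app.example`, the RP ID `app.example`, the challenge and the authenticator data are all constructed for illustration; signature verification is left out to focus on the binding.

```python
import base64
import hashlib
import json

# Constructed relying-party settings (assumptions for this example).
EXPECTED_ORIGIN = "https://app.example"
EXPECTED_RP_ID = "app.example"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON, serialised the way a browser would send it."""
    body = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(body.encode()).decode().rstrip("=")


def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || 4-byte signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_binding(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Return (ok, reason) for the origin/RP-ID binding of an assertion.

    Signature verification is deliberately omitted; these are the checks that
    stop a credential being replayed from a lookalike domain.
    """
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    # The browser fills in origin itself; a page on another domain cannot forge it.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client.get('origin')}"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the authenticator used.
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    # Flags byte follows the hash: bit 0 = user present, bit 2 = user verified.
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"
```

A sign-in from the real origin passes; the same ceremony run from a lookalike domain fails on the origin check before the signature is even examined.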

For startups, the strategic point is this: if your customers are Gen Z, and your internal team includes Gen Z, your default security posture should assume high phishing exposure.

A phishing-resistant startup culture: 3 steps that actually work

Answer first: Combine modern authentication, tighter marketing operations, and behavioural training built around real scenarios.

Here’s what I’ve found works best in startups: don’t treat phishing as a one-off “training session.” Treat it like product quality—measurable, repeatable, and designed into workflows.

1) Upgrade authentication where it matters most

Start with the highest-impact accounts. In most startups, that’s:

  • Google Workspace / Microsoft 365
  • payroll and banking
  • CRM and marketing automation
  • cloud console (AWS/Azure/GCP)
  • ad accounts (Meta, Google, TikTok)

Minimum standard for 2026:

  • Passkeys where supported
  • phishing-resistant MFA (FIDO2/WebAuthn) for admin and finance roles
  • remove SMS OTP wherever possible
  • enforce device-based login for privileged accounts

Practical policy: “No finance changes over email.” Bank detail changes, refunds, supplier onboarding—force a second channel (verified call-back, ticketing system, or in-app workflow).

2) Treat “opportunity bait” as a threat model (especially with Gen Z)

Gen Z is more likely to click when the message offers something valuable—jobs, prizes, partnerships. That’s exactly what your brand campaigns may promote.

So build a public-facing anti-phishing pattern into your marketing:

  • publish a simple “How we contact you” page (channels you use, domains you own)
  • standardise your transactional sender names (reduce confusion)
  • avoid asking for credentials via email/SMS—ever
  • put scam-reporting in your customer support flow (“Forward suspicious messages here”)

This is content marketing with teeth: it protects customers and reduces support load.

3) Train for behaviour, not trivia

Most phishing training fails because it’s built like a compliance quiz. Gen Z doesn’t need a lecture on what phishing is. They need reps in the moments where mistakes happen.

Run short, scenario-based drills every month:

  • “You’re about to miss a deadline” invoice scam
  • fake HR doc share link
  • “Your ad account is suspended” urgent login
  • “Creator partnership contract” PDF attachment

Then reinforce one habit:

Pause, verify, then act. Speed is the enemy of security.

Make verification easy:

  • one internal Slack/Teams channel for “is this legit?”
  • a rule: no one gets punished for asking, only for hiding mistakes
  • a 60-second checklist by the login screen (or in the password manager notes)

How to protect your brand and customers without slowing growth

Answer first: Build trust signals into your funnels so customers can tell your real messages from fakes—while keeping conversion friction low.

Phishing protection doesn’t have to kill performance marketing. The trick is to be deliberate about where you add friction.

Where you can keep it fast

  • top-of-funnel content and landing pages
  • newsletter signups
  • product education flows

Where you must slow it down

  • account recovery
  • payment changes
  • payout/withdrawal features
  • admin permissions
  • high-risk settings (API keys, webhooks, integrations)

A good rule: make risky actions slower, not everything slower.

And if you’re building for the net zero transition—energy, mobility, carbon accounting, circular economy—security becomes even more central. These platforms increasingly touch invoices, procurement, compliance reporting, and supply chain partners. Phishing doesn’t just steal credentials; it can poison the data that sustainability decisions depend on.

Quick Q&A: the questions founders ask after reading this

Is Gen Z actually less secure even though they use MFA more?

Yes. Tool adoption isn’t the same as safe behaviour. Gen Z uses MFA more (71% vs 51%), but interacts with phishing far more (62% vs 23%). Social engineering is beating tooling.

Is SMS OTP really that bad?

It’s better than passwords alone, but it’s still phishable and vulnerable to SIM swap/social engineering. If passkeys or FIDO2 are an option, use them.

What’s the fastest win for a 10–50 person startup?

Lock down:

  1. email suite + cloud console with phishing-resistant MFA
  2. finance workflows (no changes via email)
  3. ad accounts (often overlooked, expensive when compromised)

Your next step: build “Gen Z-ready” cybersecurity into your growth

Gen Z’s phishing risk is nearly 3x Boomers’ in this dataset, and the “why” matters: speed, opportunity bait, and AI-polished messages. If your startup is targeting Gen Z customers—or hiring Gen Z talent—your security approach has to match that reality.

Treat phishing resistance as part of brand building. Make it visible, make it easy, and make it routine. You’ll protect customers, protect campaigns, and keep operations lean—exactly what a serious net zero transition demands.

What would change in your funnel if you assumed every urgent message could be fake—and designed your customer experience around verification instead of trust-by-default?