Gen Z Phishing Risk: Trust-Building Content for UK Startups

Gen Z interacts with phishing nearly three times as often as Baby Boomers—62% vs 23%—according to Yubico’s latest Global State of Authentication findings reported during Data Privacy Week (Feb 2026). If you market to Gen Z (customers, candidates, creators, community members), that stat isn’t just a cybersecurity headline. It’s a brand problem waiting to happen.

Here’s why: phishing doesn’t only drain bank accounts. It hijacks identities, locks people out of services, and spreads scams through “trusted” social channels. When that happens on or around your brand—fake job ads, fake discount codes, fake delivery messages—Gen Z doesn’t separate “criminals” from “companies”. They remember who made them feel unsafe.

This post is part of our Climate Change & Net Zero Transition series, because trust is now a core climate capability. Net-zero products rely on digital adoption—smart meters, EV charging apps, mobility platforms, green finance, carbon tracking tools. If younger users don’t feel safe using climate tech, progress slows. The good news: startups can respond with cybersecurity-aware content marketing that builds credibility, reduces support burden, and protects conversion.

What the Gen Z phishing statistic really means for your startup

The headline number (62% interacting with phishing) points to something more specific: Gen Z is exposed to more “actionable” attacks—messages designed to get a click, a download, a reply, or a credential entry.

Yubico’s data also undercuts a common assumption: tech confidence doesn’t equal cyber resilience. Gen Z reports higher adoption of Multi-Factor Authentication (71%) than Boomers (51%), yet still falls for more scams.

If you’re building a UK startup—especially in climate, fintech, mobility, or hiring-heavy sectors—this matters in three practical ways:

1. Your brand will be impersonated. Scammers follow attention. If you run paid social campaigns, influencer partnerships, or job ads, you’ve created surfaces that can be cloned.
2. Your funnel is part of the threat landscape. “Valuable opportunity” scams often mimic acquisition tactics: urgent offers, limited-time perks, early-access invites.
3. Trust becomes a growth constraint. When users fear fraud, they hesitate to sign up, link accounts, connect banking, or share data—exactly what many net-zero and sustainability products require.

A useful one-liner to internalise: Every marketing channel you scale is also a channel criminals can counterfeit.

Why Gen Z falls for phishing (and why Boomers fall for different scams)

Gen Z’s vulnerability isn’t about being “naïve”. It’s about context and cadence.

Niall McConachie (UK & Ireland regional director at Yubico) describes a generational cyber gap: Gen Z uses the right tools, but their comfort with digital communication makes them prime targets for social engineering.

The Gen Z trigger: speed + opportunity

The report highlights two reasons Gen Z gets tricked most often:

• They’re in a rush
• The message promises a valuable opportunity (job, prize, exclusive offer)

That maps uncomfortably well to how startups market:

• “Apply in 60 seconds”
• “Last chance” countdowns
• “You’ve been selected” early access
• “DM us for details” creator campaigns

Gen Z lives in high-frequency channels where quick actions are normal—Instagram DMs, TikTok comments, WhatsApp groups, Slack communities, Discord servers. Scammers don’t need to invent behaviour; they copy it.

The Boomer trigger: trusted source

Boomers are less likely to be lured by “opportunities” but more likely to trust messages that look like they come from a legitimate authority—a bank, a government service, a known brand.

For startups, that means your older audience might respond to impersonation that uses:

• Official-looking templates
• Familiar logos
• “Account security” warnings

So the real takeaway isn’t “Gen Z is worse”. It’s this:

Different generations fall for different narratives—and your customer comms can accidentally resemble those narratives.

The workplace gap: why phishing becomes a scaling tax

The report also points to organisational weaknesses that make phishing more successful:

• 4 in 10 employees don’t receive cybersecurity training
• 44% wait 3–5 months to upgrade policies
• 62% of organisations still rely on username + password as standard
• 44% use SMS one-time passcodes (OTPs) despite known risks

Even more worrying: people’s confidence is misaligned with reality. Many respondents believe SMS OTPs or even passwords alone are the most secure options.

This becomes a marketing problem in two ways:

1. Brand damage scales faster than security fixes. One convincing phishing wave can flood Trustpilot, tank paid performance (refunds/chargebacks), and overwhelm support.
2. Your team becomes the weakest link in outbound growth. Sales and partnerships rely on email. A single compromised mailbox can send “invoice” or “contract” scams to prospects—your reputation gets hit while criminals cash out.

For climate and net-zero startups, reputational risk is even sharper. If you handle energy bills, EV payments, green loans, or carbon reporting, you’re already asking users to trust you with sensitive data.

Three trust-building content plays UK startups should run now

The fastest way to build trust isn’t a glossy “Security” page nobody reads. It’s repeated, channel-native education that matches how Gen Z communicates.

1) Publish a “How to spot our real messages” playbook

Make it simple, specific, and easy to screenshot.

Include:

• Exactly which domains you email from (and which you don’t)
• Your official social handles
• Whether you ever send links by DM
• What your job offers look like (and what you’ll never ask for)
• How to verify a promotion code

Keep it blunt:

• “We never ask for passwords.”
• “We never ask you to move to Telegram.”
• “We never request payment to secure a job interview.”

If you’re in a net-zero space—say EV charging or green home upgrades—add specifics:

• “We don’t send ‘missed delivery’ links for chargers.”
• “We don’t request bank details over WhatsApp.”

This kind of content ranks well for long-tail searches like “is [brand] message real” and reduces support tickets.

2) Turn security into a conversion asset (not a compliance chore)

Most startups hide security behind legal language. I’d do the opposite: put security reassurance directly in the moments where users hesitate.

Practical examples:

• On sign-up pages: a short block explaining MFA/passkeys and how you protect accounts
• In onboarding emails: “Here’s how to recognise phishing pretending to be us”
• On job listings: a verification note and a link to your hiring process

Then back it up with modern authentication choices. The source content notes that passkeys are perceived as most secure by 30% of respondents—and they are significantly more phishing-resistant than passwords and many OTP flows.

You don’t need to claim perfection. You need to show you’re thoughtful:

A startup that explains its security habits plainly looks more credible than a startup that promises it’s ‘secure’.

3) Build “scam resilience” into your community marketing

If you run communities (Discord/Slack/WhatsApp groups), you’re operating a high-trust environment—exactly what social engineering exploits.

Add lightweight controls:

• Pin a monthly “Known scams” post
• Use a verification step for moderators and partner accounts
• Create a single channel for “Is this legit?” checks
• Encourage members to report suspicious DMs without embarrassment

This is especially relevant for climate communities—local retrofit groups, EV owner clubs, net-zero founders networks—where people share recommendations and referrals. Scammers love referral culture.

A practical phishing-resistant checklist for startups (marketing included)

You don’t need an enterprise budget to reduce risk. You need consistent basics.

Marketing & comms

• Maintain a public list of official domains and social accounts
• Use consistent sender names and avoid weird “reply-to” addresses
• Don’t run campaigns that mimic scam patterns (fake urgency, vague “selected” claims)
• Create a single verification page for promotions and hiring

Customer experience

• Offer passkeys where possible; at minimum, support app-based MFA
• Add in-app banners for known phishing waves (“We’re aware of fake job messages…”)
• Provide a one-tap way to report suspicious messages

Internal ops

• Train everyone who sends external emails (sales, hiring, partnerships)
• Enforce MFA for email and admin tools; reduce reliance on SMS OTP
• Update security policies monthly—not quarterly—if you’re scaling fast

If you want one metric to track: time-to-warning. How quickly can you detect a scam impersonating you and publish a user-facing warning across channels?

Where this fits in the net-zero transition

The net-zero transition isn’t just wind farms and rail electrification. It’s millions of people adopting new digital services: green tariffs, EV charging subscriptions, home retrofit financing, carbon-footprint dashboards, circular economy marketplaces.

That adoption depends on trust. When Gen Z gets phished, they don’t only lose money—they lose confidence in digital systems. And that creates friction for climate solutions that rely on data sharing, identity verification, and online payments.

So if you’re a UK startup building in climate, mobility, sustainable finance, or green jobs: treating phishing education as part of your brand isn’t a “nice-to-have”. It’s part of delivering your product promise.

Net zero needs digital trust. Digital trust needs clear communication.

If you’re currently scaling awareness campaigns, add one more campaign to the mix: the one that teaches your audience how not to get scammed while interacting with you.

What would change in your funnel if every Gen Z prospect knew exactly how to verify your real messages?