Gen Z is emerging as a surprisingly vulnerable demographic in the realm of cybersecurity, falling victim to online scams at twice the rate of older generations, a trend with significant implications for employers.
Contrary to the assumption that older individuals are more susceptible to online fraud due to a lack of technological familiarity, recent data indicates that younger individuals are at greater risk, largely owing to their online habits and the economic pressures they face.
A CyberArk survey, shared with Dark Reading earlier this spring, revealed that only 20% of Gen Z respondents claimed to have never been hacked, a stark contrast to the 41% reported by baby boomers, despite the latter having had fewer years of potential exposure.
These findings were corroborated by a Cint survey, conducted on behalf of NordVPN, which identified Gen Z and millennials as the most vulnerable age groups to cyber scams, with Gen Z experiencing a wider variety of scams.
Prior to this, Deloitte’s research indicated that Gen Z respondents were more than twice as likely to report falling victim to online scams (17%) compared to boomers (7%). They also reported higher rates of social media account takeovers (29% to 12%), stolen identities or credentials (13% to 6%), and device compromises (12% to 4%).
Experts attribute this trend to two primary factors: the ways in which young people interact with the internet, and the unique pressures they encounter in the workplace. Young people’s familiarity with technology, which stems from growing up with it, having ample free time to spend online, and facing peer pressure to stay current with the latest trends, ironically makes them more vulnerable.
Anne Cutler, cybersecurity evangelist at Keeper Security, explains, “Gen Z is typically highly fluent in digital tools, but that fluency can lead to riskier behaviors like faster click habits, password reuse, and using personal devices for professional work. Gen Zers were practically born with iPads in their hands, and an inherent trust that popular platforms and devices are safe, whereas older generations have more skepticism toward technology. Attackers know this and are tailoring phishing campaigns to mimic platforms that younger employees use every day.”
Furthermore, younger individuals are exposed to a greater volume of online threats due to spending more time online. Some studies suggest they spend twice as much time online as older generations. They are also more likely to experiment with emerging technologies, which often have less established cybersecurity standards. Survey data might also be skewed if younger people are better at identifying and remembering times when they got hacked.
Kaspersky Lab researchers highlighted in a July 31 blog post that Gen Z is particularly vulnerable to workplace-related scams due to having more employers. The increasing wealth inequality in the United States, which has doubled during Gen Z’s lifetime, has led many to take on multiple jobs or side hustles to make ends meet. This, in turn, increases their exposure to cyber risks, as well as that of their employers.
According to Kaspersky, managing multiple online accounts across various software-as-a-service (SaaS) platforms increases the risk of account compromise. The psychological impact of balancing multiple jobs can also impair young people’s ability to identify phishing attacks. Evgeny Kuskov, a Kaspersky security expert, notes, “Gen Z’s work-life-tech overlap creates a unique kind of cognitive overload. This constant multitasking increases the risk of mistakes: sending a wrong file to a wrong client, overlooking a phishing email, misconfiguring access permissions.”
A significant risk arises from the increased likelihood of falling victim to phishing emails impersonating various SaaS brands. Kaspersky recorded six million attempted cyberattacks impersonating known collaboration platforms, such as Zoom, Microsoft Excel, and Outlook, between mid-2024 and mid-2025.
Scammers also impersonate employers, particularly targeting younger individuals who often have multiple employers, especially freelancers. Even legitimate job postings on freelance sites can exhibit characteristics of scams, such as excessive use of capital letters and urgent language, making it easier for actual scams to blend in. Freelancers often have limited experience with potential clients, which makes those clients easier to impersonate. The hiring process, which typically involves one-on-one conversations and file sharing, further increases the risk.
Some scammers post seemingly legitimate offers with professional language on freelance or job sites. A NordVPN study found that a quarter of Gen Z survey respondents have fallen for such scams.
Attacks targeting young employees can have repercussions for their employers. Victims may inadvertently cross-contaminate sensitive data between online platforms or provide it to impersonators. A compromised credential from one account can also be used to compromise others.
Regardless of their employment status, younger individuals are more likely to work from home (WFH), increasing remote risks. David Matalon, CEO at Venn, explains, “Unlike previous generations which mostly used company-issued devices on corporate networks, Gen Z is working from coffee shops, managing freelance clients on WhatsApp, and clicking into tens of different apps a day, all from the same laptop they use for YouTube and online shopping. That blending of personal and work life is where the real risk comes in. One phishing email or fake software update doesn’t just put them at risk; it can expose their employer, too.”
Kuskov also points out that “in some cases, polyworkers also install unauthorized software or browser extensions to streamline their multitasking — a practice known as shadow IT. While helpful in the short term, these unauthorized apps may have vulnerabilities or operate with unclear data-sharing policies, increasing the attack surface across all jobs.”
He adds that “the danger here isn’t limited to freelancers. One compromised account or an email phishing incident tied to a side project can cascade into much larger breaches if the same credentials are reused for corporate systems. For organizations hiring remote contractors or allowing BYOD [bring your own device] practices this raises serious questions about endpoint security and credential management.”




