It’s that time of the year when online shopping ramps up to its peak. With Thanksgiving on the horizon, Black Friday and Cyber Monday are looming into view. And after that, we’re headfirst into the holiday period, with no sign of slowing down.
With all that online shopping comes scams, and they come from all angles, ramping up as we try to find bargains. However, according to new research from 1Password’s 2025 Phishing Report, one generation is falling prey more than any other—and that has to change.
82% of Americans have been phished
It happens even if you think you know what to look for
There were a few interesting stats in the phishing research 1Password shared with me. But the most troubling one was actually, for once, the headline: some 82 percent of Americans have been phished (or come dangerously close to it). That’s a startling figure and illustrates just how hard it is to remain secure online in the modern age.
Because while that stat is startling, it really shows how much more spam and phishing we have to contend with every day. At some point, you’re going to fall for something, even if you know how to spot the signs of phishing. In that, 66 percent of respondents have noticed a significant uptick in the amount of “scammy messages, phone calls, and ads,” noting that AI has definitely had an impact on this.
In part, that’s true. One of the most common ways to spot a phishing email or fake message is shoddy spelling and grammar. But now that every scammer and his dog has access to a powerful free AI chatbot, spelling mistakes in scams are basically in the past.
That sophistication means traditional gut feeling doesn’t work as well. Given that in 2024 the FBI warned that AI-driven phishing attacks are spreading at breakneck volume and able to “craft convincing messages tailored to specific recipients and containing proper grammar and spelling,” and 1Password’s data backs that up.
Gen Z is falling for scams the fastest
There is a general overconfidence in our ability to spot scams
Perhaps the biggest surprise from the report is who’s falling for scams. Gen Z (70%) and Millennials (67%) were far more likely to be phished than Gen X (57%) or Boomers (46%).
This stat is striking. The younger generation grew up entirely online and is meant to understand apps, passwords, and privacy settings better than anyone. Yet that digital confidence may be part of the problem. Gen Z and younger millennials are far more exposed to scams through social-media DMs, fake ads, influencer posts, and job offers that look authentic.
The level of exposure is also really interesting. As Gen Z spends more time on social media apps, they’re more likely to encounter scams to begin with. Boomers tend to steer clear of Snapchat, Instagram, etc., and miss out on some of these scams.
It’s not just fake ads and phishing emails, though. We’ve seen numerous examples of scams being sent through stolen accounts, specifically designed to exploit the trust between friends. You’re more likely to click a link sent by a friend or family member, right? So hackers target those accounts, then use them to send scams directly to your inbox.
1Password’s research suggests that a big part of the problem for all generations is that we’re overconfident in our ability to spot scams. 95 percent of respondents claim they can spot common scammer red flags—a super high figure. But consider the original number of people who have fallen for a scam at 82 percent. Something isn’t right.
There are ways to learn how to spot phishing scams, but as it’s an evolving threat, it requires a little knowledge to keep up with the latest issues.
Worst of all: people keep reusing passwords
Just stop, please
Last but by no means least is the stat that 76 percent of Americans who fell victim to a phishing scam still use the same password. This astounding figure is difficult to stomach for a couple of reasons.
One is that changing your password is typically your first move after a data breach, and one way to secure your account again. Two is that there are heaps of brilliant free password managers, such as Bitwarden, that make it ridiculously easy to swap a password once it is breached.
Even the more basic browser password managers have breach detection features these days. So while you should probably avoid your browser password manager, it’s still a darn sight more secure than using nothing (or reusing the same password across accounts!).
It just goes to show that merely “being good” at tech isn’t enough these days. Slowing down, questioning urgency, and using proper password tools may be the only ways to stay one step ahead this holiday season.