Nearly half of participants in a controlled study could not reliably distinguish AI-generated social media accounts from real human users - a result that challenges the widespread assumption that digital literacy alone offers meaningful protection against bot-driven deception. The experiment, conducted by cybersecurity company Surfshark in collaboration with a master's-level research cohort at Malmö University, tested 710 participants on their ability to tell automated accounts apart from genuine ones. Only 53 percent succeeded more often than they failed - a margin slim enough to be practically indistinguishable from chance.
What the Numbers Actually Mean
A 53 percent success rate sounds like a majority, but context collapses that comfort. When nearly half of a group - specifically, people engaged in postgraduate academic study and presumably comfortable with technology - cannot complete a basic identification task reliably, the finding stops being a curiosity and becomes a structural problem. The 47 percent who did not meet the threshold were not casual users scrolling in passing. They were motivated participants in a structured setting, which typically produces better-than-average performance. Real-world conditions, with faster scrolling, less scrutiny, and higher emotional engagement, are almost certainly worse.
The test also speaks to something more specific than general awareness. Knowing that bots exist and understanding, in the abstract, that AI can generate convincing text and profile behavior are not the same as being able to identify a specific account as artificial in real time. Conceptual knowledge does not translate automatically into perceptual skill, and that gap is precisely where manipulation campaigns operate.
Why AI Bots Have Become Genuinely Difficult to Detect
The detection problem has grown harder in direct proportion to advances in generative AI. Earlier generations of social media bots were relatively easy to flag: repetitive posting patterns, grammatically thin text, profile images with uncanny distortions, and suspiciously sparse account histories. Those signals have not disappeared, but they have become far less reliable as large language models now produce fluent, contextually appropriate text, and AI image generation supplies photorealistic profile pictures that pass casual visual inspection.
Modern bot operations also increasingly mimic organic social behavior - varying posting times, engaging with unrelated content, building out account histories over time before deploying the account for influence purposes. This technique, sometimes called "aging" an account, is designed specifically to defeat the heuristics that both humans and automated detection systems rely on. The result is that surface-level plausibility, once a useful filter, has been largely neutralized as a distinguishing tool.
Social platforms themselves bear some of the detection burden, but their incentives are not always aligned with aggressive bot removal. Engagement metrics - which drive advertising revenue - do not distinguish between human and automated interaction. That structural conflict has historically slowed platform-side action, leaving users to manage a threat they are ill-equipped to assess on their own.
The Broader Risk: Trust, Information, and Influence
The implications extend well beyond personal annoyance. Social media bots are routinely deployed to artificially amplify specific viewpoints, manufacture apparent consensus, suppress dissenting voices through coordinated reporting, and accelerate the spread of false or misleading content. When the accounts doing this work are indistinguishable from real participants, the informational environment becomes corrupted in ways that users cannot easily perceive or correct for.
This matters most in high-stakes contexts: elections, public health crises, financial markets, and geopolitical conflicts - precisely the domains where coordinated inauthentic behavior has been documented most extensively. The erosion of trust is a secondary but serious consequence. When users become aware that they cannot reliably identify bots, some respond by distrusting all online interaction more broadly. That generalized suspicion, while understandable, carries its own costs for legitimate civic and social discourse.
From a policy perspective, the Surfshark-Malmö findings add pressure to ongoing regulatory debates about platform transparency and AI disclosure requirements. Several jurisdictions are actively considering or have already implemented rules requiring some form of bot labeling or AI-origin disclosure. Whether such measures are enforceable against sophisticated state-level or well-resourced private actors remains an open question - one that technical detection alone has so far failed to answer.
What Users Can Realistically Do
There is no perceptual trick that reliably unmasks a well-constructed AI account, and it would be misleading to suggest otherwise. What users can do is shift from trying to authenticate individual accounts to evaluating claims and content independently of their apparent source. Scrutinizing the substance of what is being shared - checking primary sources, cross-referencing with credible reporting, and being especially cautious about content that produces a strong immediate emotional reaction - is more durable than attempting to judge the authenticity of the account posting it.
Awareness of the specific tactics bots use to build credibility, including account aging, selective engagement, and strategic timing around newsworthy events, can also raise the cost of deception even if it does not eliminate it. And pressure on platforms to invest meaningfully in detection infrastructure and to make their enforcement data publicly auditable remains one of the few systemic levers available. What the Malmö study makes clear is that expecting individual users to close this gap through digital literacy alone is not a realistic strategy.
