As organizations increasingly rely on AI assistants for research and decision-making, attackers may have a new way to influence AI-generated answers without compromising the underlying models.
New research from Lasso Security demonstrates that generative engine optimization (GEO) — the practice of optimizing content for inclusion in AI-generated responses — can be manipulated to promote false or harmful information through publicly available web content.
Key Takeaways from the GEO Poisoning Research
- Researchers demonstrated that attackers can manipulate AI-generated answers using generative engine optimization (GEO) without compromising the underlying AI model.
- The attack relies on publicly available web content, using techniques such as fake editorial endorsements and corroborating sources to influence AI responses.
- Among five AI models tested, Llama-4-Maverick and GPT-4o-mini were the most susceptible, while Grok and Claude Haiku showed strong resistance.
- Fake editorial endorsements proved the most effective technique, causing Llama-4-Maverick to promote false claims in up to 98% of test runs.
- Organizations can reduce risk by validating retrieved content, verifying source credibility, and implementing strong AI governance and content verification controls.
GEO Expands the AI Attack Surface
GEO is the AI equivalent of traditional search engine optimization (SEO).
Instead of trying to rank highly in search results, GEO aims to increase the likelihood that AI assistants such as ChatGPT, Gemini, Perplexity, or Claude will cite and summarize specific content within their generated responses.
As AI assistants increasingly retrieve information from the web to answer user questions, the content they retrieve can significantly influence their responses.
The researchers explored whether legitimate GEO techniques could also be weaponized to increase the visibility of false information.
Unlike prompt injection attacks or model compromise, the attack requires only publicly accessible web pages optimized using common GEO practices, with no access to the AI model or application itself.
Testing AI Models Against GEO Manipulation
To evaluate the risk, researchers created a legitimate-looking website about gluten-free recipes that contained one intentionally false medical claim — that colloidal silver could heal celiac disease.
The claim was then enhanced using standard GEO techniques such as structured formatting, fabricated statistics, fake expert endorsements, and corroborating editorial content.
The experiment included 5,525 test runs across five production AI models: GPT-4o-mini, Llama-4-Maverick, DeepSeek-R1, Grok, and Claude Haiku 4.5.
Researchers measured whether the models cited the malicious content and whether they promoted the false medical claim in their responses.
Results varied considerably. Llama-4-Maverick proved the most susceptible, while GPT-4o-mini also showed significant vulnerability.
DeepSeek demonstrated partial resistance, whereas Grok and Claude Haiku consistently resisted the manipulation attempts.
Editorial Endorsements Had the Greatest Impact
Among the 24 GEO techniques evaluated, fabricated editorial endorsements proved the most effective.
When researchers surrounded the malicious webpage with multiple fake editorial articles that repeated the same claim, Llama-4-Maverick promoted the false information in 92% of test runs.
Combining editorial endorsements with a listicle format increased the success rate to 98%.
GPT-4o-mini also showed elevated susceptibility, promoting the false claim in 84% of runs using the same combination.
The researchers found that AI models frequently treated repeated claims across multiple sources as evidence of credibility, even when the supporting content originated from attacker-controlled websites.
Why the Findings Matter
The study highlights a growing security challenge as organizations and consumers increasingly trust AI-generated responses.
Unlike traditional cyberattacks, GEO manipulation does not require exploiting vulnerabilities or compromising systems.
Instead, attackers can influence AI-generated content simply by publishing optimized web pages and creating the appearance of independent corroboration.
The researchers note that the technique aligns with OWASP’s guidance on overreliance risks, where users may trust AI-generated information without verifying its accuracy.
How Organizations Can Reduce Risk
Lasso Security recommends treating retrieved web content as untrusted input rather than automatically accepting it as authoritative.
Organizations building AI applications should implement content verification and filtering before retrieved information is incorporated into AI reasoning or automated workflows.
AI systems should also provide transparent source attribution so users can independently evaluate the credibility of cited information.
Finally, users should verify important claims — particularly those involving health, financial, or legal advice — against trusted primary sources instead of relying solely on AI-generated responses.
Bottom Line
The research demonstrates that the same optimization techniques organizations use to improve AI visibility can also be exploited to manipulate AI-generated answers.
Reducing AI content manipulation requires stronger validation of retrieved information and greater transparency into trusted sources.
As organizations expand their use of AI, strong AI governance is becoming essential to ensure AI systems produce trustworthy, transparent, and reliable outputs.