Keepnet Research Reveals That 71% Of New Hires Fail Phishing During Onboarding

Every great company knows that onboarding new talent is a moment of growth, momentum, and fresh ideas. But there’s a hidden cost lurking beneath the surface—new hires are 44% more likely to fall for phishing scams than their seasoned colleagues, according to Keepnet, a Human Risk Management Company.

And this isn’t just about clicking the wrong link. It’s about a real and measurable threat to your company’s data, finances, and reputation. In the first 90 days on the job, new employees are in a vulnerable position—eager to comply, unfamiliar with internal processes, and often overwhelmed. That’s exactly the kind of employee cybercriminals love.

The risk isn’t theoretical or abstract – it’s backed by data, it’s happening now across industries, and it’s costing organizations more than they realize. In many companies, onboarding doesn’t include cybersecurity readiness, leaving new employees to navigate digital threats alone.

The Risk You Didn’t Know You Were Taking

According to research by Keepnet, 71% of new hires fail phishing during onboarding, compared to just 49% of tenured employees. Why?

Because new hires often:

  • Don’t recognize suspicious behavior (like CEO impersonation or fake HR portals),
  • Haven’t internalized the company’s security culture, and
  • Are bombarded with information from Day One.

Attackers exploit this confusion using sophisticated, tailored phishing emails. One common scenario? A fake message from the “HR department” asking the new hire to log in and access onboarding documents—just one click, and credentials are compromised.

These aren’t edge cases – they are patterns. Attackers know what new hires expect and disguise their tactics accordingly.

The Hidden Cost of Doing Nothing

A successful phishing attack can have serious consequences. It can compromise sensitive personal and financial information and more:

  1. Ransomware infections
  2. Stolen customer data
  3. Wire transfer fraud
  4. Reputational damage
  5. Compliance violations

Even with advanced security infrastructure in place, humans remain the primary entry point for cyberattacks. Your IT team can’t monitor every inbox or action – this is a human problem, not just a software one.

Ignoring this risk doesn’t just threaten security – it jeopardizes compliance, business continuity, and customer trust.

New Employees, New Attack Surface

New hires face the highest risk of cyber threats during their onboarding period. They’re learning new systems, trying to make a good impression, and haven’t yet learned what normal communication looks like.

Attackers take advantage of this. They send fake emails that look like HR messages, payment requests, or instructions from company leaders, knowing that new employees are more likely to trust and act quickly.

Without training or context, it’s easy for them to make mistakes. That’s why the first few weeks on the job have become a favorite target window for cybercriminals.

This critical phase is often overlooked in security strategies, but it’s where proactive defense can have the biggest impact.

The Good News? This Risk Is Preventable.

Use a multi-layered strategy to cut phishing susceptibility by 30% after 90 days. Here’s how:

1. Automated Risk Segmentation

New hires are automatically identified and grouped based on risk level, role, and behavior. No more one-size-fits-all training.

2. AI-Powered Simulations & Adaptive Training

Simulations are personalized to the user’s department, seniority, and even language. For example, finance staff get simulated invoice scams, while IT receives credential theft attempts.

3. Real-Time Phishing Response Tools

Employees can report phishing attempts with a single click, while security teams get real-time dashboards to respond and contain the threat.

4. Gamification

Leaderboards, points, and badges turn cybersecurity training into a game employees actually want to play. Behavioral nudges encourage smart choices.

5. Outcome-Driven Reporting

Executive dashboards tie phishing risk directly to business KPIs like data breach reduction, downtime saved, and training completion rates.

Together, these strategies create a dynamic and measurable security program that scales with your workforce.

Why It Matters for Your Bottom Line

Implementing a Security Behavior and Culture Program (SBCP) with Keepnet has been shown to:

  • Deliver 100% training completion on core awareness modules
  • Reduce phishing-related incidents by 85%
  • Avoid up to $1 million in losses annually
  • Prevent negative PR from security breaches

In short, building a cyber-aware culture isn’t just good security – it’s smart business. It helps prevent costly breaches, equips employees to recognize real threats, and turns onboarding into a strategic line of cyber defense.

It’s Time to Rethink Onboarding

New hires shouldn’t be your weakest link. With smart onboarding protocols, they can become your first line of defense. By integrating human-centric cybersecurity into onboarding workflows, organizations can reduce risk, empower employees, and reinforce a culture of vigilance from Day One.

It’s not enough to have a firewall. You need a human firewall, and it starts with your newest team members.

Cybersecurity isn’t something you build after onboarding – it’s something you build into it.

Download the full report: https://keepnetlabs.com/reports/new-hires-phishing-susceptibility-report.

base_amin
