New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victims
Robust cybersecurity policies only go so far – creating an open, judgement-free culture is crucial for resilience


New hires are far more likely to fall victim to phishing attacks, according to a recent study, highlighting the need for more robust security training during onboarding.
Figures from Keepnet’s 2025 New Hires Phishing Susceptibility Report show new team members are 44% more likely to click on malicious links compared to more seasoned colleagues.
Indeed, the study noted that nearly three-quarters (71%) of new hires are duped by phishing scams or social engineering techniques within the first three months on the job.
“New hires pose a high cybersecurity risk during onboarding due to their lack of familiarity with cybersecurity processes and limited cybersecurity training, increasing their phishing susceptibility to social engineering attacks,” the study warned.
Among the most common attack types encountered by new hires was CEO impersonation, according to Keepnet, with threat actors specifically targeting inexperienced staff through this method.
The firm noted that in these instances, new hires typically receive an “urgent email” from a sender impersonating the chief executive requesting they transfer money or divulge sensitive information.
“They may comply without question because they are unfamiliar with international communications norms,” the study noted.
These particular types of attacks had a far higher success rate among new hires compared to experienced colleagues.
Elsewhere, vendor invoicing scams are another common tactic employed against inexperienced members of staff. These again involve requests for payment, this time from what appears to be a recognized vendor.
“New hires in finance or procurement roles who are unfamiliar with standard vendor interactions might approve such payments,” the study warned.
Security awareness training is critical
The risks faced by new employees, and by extension their employers, highlight the need for more robust training during the onboarding process, experts told ITPro.
Greg Crowley, CISO at eSentire, noted that training “needs to start from day one”.
“Security awareness should be a core part of onboarding, not an afterthought or something we expect employees to ‘catch up on’ later,” he explained.
Crowley added that the onboarding process at eSentire focuses heavily on running new hires through the threats they face, as well as company-specific tools and policies.
In doing so, they become far more comfortable reporting issues and navigating their early days at the company.
“Employers need to let them know that it is very common for new hires, just like them, to be targeted by threat actors,” he explained.
“Tell them specific things to watch out for, such as unexpected text messages claiming to be the CEO or someone senior in the company asking for a favor.”
Crucially, security awareness training should be “ongoing and engaging” and not a one-time affair, Crowley said.
“People forget, threats evolve, and attackers get smarter,” he said. “So we ensure that there is recurring security training, we push simulated phishing campaigns, and communicate timely, real-world threats to the company with reminders on what to look out for and how to report.”
Masha Sedova, VP of Human Risk Strategy at Mimecast, echoed Crowley’s comments on continuous training, a practice she noted often falls flat at enterprises.
“These findings point to a broader issue with how many organizations approach cybersecurity training,” Sedova said. “For years, awareness efforts have relied on annual modules and phishing simulations that create a false sense of progress.”
“They often treat all employees the same, regardless of role, exposure or previous behavior and that one-size-fits-all approach rarely delivers lasting impact,” Sedova added.
“Training completion rates may tick the compliance box, but they don’t reflect whether employees are actually making better decisions in the moments that matter.”
Keepnet advised organizations to implement dedicated security behavior and culture programs for onboarding processes in order to protect new hires. Such programs can reduce risk by up to 30%, the company said, though that figure is based on its own offering in this area.
Crowley also said that senior employees play an equally important role in helping new hires. This, he told ITPro, is “one of the most underused resources in any organization.”
“The influence they have is huge. When senior team members model good security habits — like using password managers, reporting phishing attempts, or being cautious about links — others notice and follow,” he said.
“Especially for new hires, it's not just the training they remember; it's how their manager or team lead handles this stuff in practice.”
Fostering a culture of collaboration between new hires and senior staff also helps alleviate the pressure placed on the latter and reduces the “fear of messing up”, Crowley said.
“We want people to report issues immediately, and seasoned employees who are comfortable saying, ‘hey, I once clicked something bad too — just report it quickly’ help create that psychological safety,” Crowley explained.
“That culture matters more than any tech control you can put in place.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.