New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victims
Robust cybersecurity policies only go so far – creating an open, judgement-free culture is crucial for resilience
New hires are far more likely to fall victim to phishing attacks, according to a recent study, highlighting the need for more robust security training during onboarding.
Figures from Keepnet’s 2025 New Hires Phishing Susceptibility Report show new team members are 44% more likely to click on malicious links compared to more seasoned colleagues.
Indeed, the study noted that nearly three-quarters (71%) of new hires are duped by phishing scams or social engineering techniques within the first three months on the job.
“New hires pose a high cybersecurity risk during onboarding due to their lack of familiarity with cybersecurity processes and limited cybersecurity training, increasing their phishing susceptibility to social engineering attacks,” the study warned.
Among the most common attack types encountered by new hires was CEO impersonation, according to Keepnet, with threat actors specifically targeting inexperienced staff through this method.
The firm noted that in these instances, new hires typically receive an “urgent email” from a sender impersonating the chief executive requesting they transfer money or divulge sensitive information.
“They may comply without question because they are unfamiliar with international communications norms,” the study noted.
These particular types of attacks had a far higher success rate among new hires compared to experienced colleagues.
Elsewhere, vendor invoicing scams are another common tactic employed against inexperienced members of staff. These once again involve requests for payment, except this time from what appears to be a recognized vendor.
“New hires in finance or procurement roles who are unfamiliar with standard vendor interactions might approve such payments,” the study warned.
Security awareness training is critical
The risks faced by new employees, and by extension their employers, highlight the need for more robust training during the onboarding process, experts told ITPro.
Greg Crowley, CISO at eSentire, noted that training “needs to start from day one”.
“Security awareness should be a core part of onboarding, not an afterthought or something we expect employees to ‘catch up on’ later,” he explained.
Crowley added that the onboarding process at eSentire focuses heavily on running new hires through the threats they face, as well as company-specific tools and policies.
In doing so, they become far more comfortable reporting issues and navigating their early days at the company.
“Employers need to let them know that it is very common for new hires, just like them, to be targeted by threat actors,” he explained.
“Tell them specific things to watch out for, such as unexpected text messages claiming to be the CEO or someone senior in the company asking for a favor.”
Crucially, security awareness training should be “ongoing and engaging” and not a one-time affair, Crowley said.
“People forget, threats evolve, and attackers get smarter,” he said. “So we ensure that there is recurring security training, we push simulated phishing campaigns, and communicate timely, real-world threats to the company with reminders on what to look out for and how to report.”
Masha Sedova, VP, Human Risk Strategy at Mimecast, echoed Crowley’s comments on continuous training, a practice she noted often falls flat at enterprises.
“These findings point to a broader issue with how many organizations approach cybersecurity training,” Sedova said. “For years, awareness efforts have relied on annual modules and phishing simulations that create a false sense of progress.”
“They often treat all employees the same, regardless of role, exposure or previous behavior and that one-size-fits-all approach rarely delivers lasting impact,” Sedova added.
“Training completion rates may tick the compliance box, but they don’t reflect whether employees are actually making better decisions in the moments that matter.”
Keepnet advised organizations to implement dedicated security behavior and culture programs within their onboarding processes in order to protect new hires. These, the company noted, can reduce risk by up to 30%, although that figure is based on its own offering in this area.
However, Crowley said that senior employees play an equally important role in helping new hires. This, he told ITPro, is “one of the most underused resources in any organization.”
“The influence they have is huge. When senior team members model good security habits — like using password managers, reporting phishing attempts, or being cautious about links — others notice and follow,” he said.
“Especially for new hires, it's not just the training they remember; it's how their manager or team lead handles this stuff in practice.”
Fostering a culture of collaboration between new hires and senior staff, Crowley said, helps alleviate the pressure placed on the latter and reduces the “fear of messing up”.
“We want people to report issues immediately, and seasoned employees who are comfortable saying, ‘hey, I once clicked something bad too — just report it quickly’ help create that psychological safety,” Crowley explained.
“That culture matters more than any tech control you can put in place.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.