New starters are prime targets. In the first 90 days, 71% fall for phishing or social engineering, and they are 44% more likely to slip up than long-tenured colleagues. The good news: with targeted training and realistic simulations during onboarding, businesses have seen phishing risk drop by ~30%.
Why new hires are a top cyber security risk
A few years ago, a brand-new apprentice at one of our suppliers received an email from what appeared to be her manager.
The tone was friendly. The request felt urgent, but reasonable.
Could she quickly step out and pick up some gift cards for client gifts?
Wanting to make a good impression, she headed straight to the high street.
Thirty minutes later, her phone rang.
“Where are you?” her actual manager asked.
That’s when the alarm bells went off.
Phishing attacks: what the data shows us
New research shows just how risky those early days are:
• 71% of new hires fail phishing or social engineering tests in their first 90 days.
• They’re 44% more likely to be duped than colleagues who’ve been around a while.
• When scammers impersonate executives, new starters are 45% more likely to take the bait.
• Organizations running tailored onboarding training and simulations saw risk drop by ~30%.
Why this happens (and how cyber criminals exploit it)
Starting a new job means unknown processes, new faces, and a healthy desire to help. Attackers lean into that uncertainty with believable messages that look like they’re from the boss, HR or IT:
• “Please update your details on the HR portal.” (It’s a spoofed site.)
• “Urgent invoice, can you pay this today?” (It’s fabricated but looks genuine.)
• “I’m in a meeting; can you do me a quick favor?” (Buy gift cards, share the codes.)
Authority + urgency + unfamiliar routines = the perfect social‑engineering recipe.
It’s not just theory: the numbers are clear.
Simple steps to protect your new starters
A first 90 days playbook you can run now
1. Pre-boarding nudge – Send a short “How we handle email & approvals” primer before day one. List approved domains, sign-off patterns, and what you’ll never ask (e.g., “We will never ask you to buy gift cards or share MFA codes.”).
2. Week-one training – Ten-minute modules using your real comms (HR portals, IT tickets, expenses). Include one realistic simulation they’re likely to see.
3. Safe escalation paths – One-click email reporting, plus a clear “If in doubt, call…” policy. Reward reporting, even false alarms. A no-blame culture improves resilience.
4. Simulations – A light cadence of executive-impersonation, fake-vendor, and tech-support simulations (the last asking for their MFA codes). Track improvement and recognize progress. Expect meaningful risk reduction (~30%) as they onboard.
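The playbook above relies on two rules new starters can actually apply: a list of approved sender domains, and a short list of things the business will never ask for. The same rules can be applied automatically to emails that arrive through the one-click reporting path, so the security team can triage reports quickly. The following is an added example written for this post, not code from the original article or from any product it mentions; the organisation name, the approved domain, the executive directory and the two sample emails are all constructed for the demonstration.

```python
"""
Added example (not part of the original post): apply the onboarding playbook's
"approved domains" and "what we'll never ask" rules to a reported email and
return the warning signs found. All names, domains and messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed for this example).
APPROVED_DOMAINS = {"example-corp.com"}
# Display name -> the real address that name should be sending from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# The "we will never ask you to..." list from the pre-boarding primer.
NEVER_ASK = [
    r"\bgift\s*cards?\b",
    r"\b(mfa|2fa|one[- ]time|verification)\s*codes?\b",
    r"\bpassword\b",
]
# Pressure phrases that pair authority with urgency.
URGENCY = [r"\burgent(ly)?\b", r"\btoday\b", r"\bquick(ly)?\b", r"\bin a meeting\b"]


def triage(raw_email: str) -> dict:
    """Return the sender address, the warning signs found, and a suspicious verdict
    for one raw, single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()

    flags = []
    if domain not in APPROVED_DOMAINS:
        flags.append(f"external sender domain: {domain or '(none)'}")
    # Display-name impersonation: a known executive's name on an address that is
    # not that executive's real address (the "spoofed boss" case in the post).
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and address.lower() != real:
        flags.append(f"display name '{display_name}' does not match {real}")
    if any(re.search(p, text) for p in NEVER_ASK):
        flags.append("asks for something we never ask for (gift cards / MFA codes / passwords)")
    if any(re.search(p, text) for p in URGENCY):
        flags.append("urgency pressure")

    # Impersonation or a never-ask request is enough on its own; otherwise two signals.
    strong = any(f.startswith(("display name", "asks for")) for f in flags)
    return {"from": address, "flags": flags, "suspicious": strong or len(flags) >= 2}


# Constructed sample messages: a gift-card lure from a lookalike domain, and a genuine welcome.
GIFT_CARD_LURE = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: new.starter@example-corp.com
Subject: quick favour

I'm in a meeting and can't talk. Could you pick up some gift cards for client gifts today and send me the codes?
"""

GENUINE_WELCOME = """From: Jane Doe <jane.doe@example-corp.com>
To: new.starter@example-corp.com
Subject: Welcome to the team

Looking forward to working with you. Your induction schedule is on the intranet.
"""

if __name__ == "__main__":
    for label, sample in (("lure", GIFT_CARD_LURE), ("welcome", GENUINE_WELCOME)):
        result = triage(sample)
        print(f"{label}: suspicious={result['suspicious']}")
        for flag in result["flags"]:
            print(f"  - {flag}")
```

The lookalike domain check and the display-name check are deliberately separate: an attacker who registers a plausible domain still fails the "approved domains" rule, and one who spoofs only the display name still fails the executive-directory rule. The verdict is conservative on purpose, since the playbook rewards reporting even when it turns out to be a false alarm.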
Cyber essentials still count
Email security, endpoint protection and filtering are non-negotiable. But people make the difference. Set your newest people up to win on day one, and you shrink your largest early-tenure risk window dramatically.
Need a hand? We can work with you and all your employees (not just new hires) to improve their cybersecurity awareness and, therefore, the security of your business.
Author Name: Bobby Goel