- Most phishing incidents happen before new employees even understand how internal systems work, report claims
- Security awareness should begin on day one, before the first email is even opened
- Hackers target uncertainty, and onboarding is full of it for eager, confused new hires
The first few months of employment are now one of the riskiest periods for enterprise cybersecurity, new research has claimed,
Keepnet’s 2025 New Hires Phishing Susceptibility Report found nearly three-quarters (71%) of new hires fall for phishing or social engineering attacks within their first 90 days on the job.
Often overlooked in onboarding workflows, this shortcoming suggests many organizations are not doing enough to prepare new staff for the reality of modern cyber threats.
You may like
Inexperience, urgency, and confusion drive early mistakes
The report, based on data from 237 companies, reveals new employees are 44% more likely to be deceived by phishing attempts than their longer-tenured colleagues.
Most incidents stem from a combination of inexperience, lack of familiarity with internal processes, and a desire to comply with instructions.
Common attack types include CEO impersonation, fraudulent HR portals, fake invoice requests, and technical support scams, many of which exploit this period of onboarding confusion.
The study also found phishing emails impersonating executives led to a 45% higher success rate among new hires compared to tenured staff.
This gap demonstrates how even basic social engineering tactics can be disproportionately effective against employees who are still navigating organizational systems and norms.
Without dedicated and structured training, these early errors can create long-lasting security risks.
To tackle this issue, Keepnet recommends that organizations adopt a layered defense strategy tailored specifically for onboarding periods.
Organizations that adopted adaptive simulations and behavior-based training programs saw phishing risk drop by 30% after onboarding.
Traditional tools like the best endpoint protection, best FWAAS, and best FWAAS solution remain essential, but they are not enough on their own.
“Phishing attacks don’t wait for your employees to feel ready. Our research shows that organizations must invest in onboarding-specific cybersecurity awareness training. We’re proud to offer adaptive, scalable solutions that protect businesses from day one,” said Ozan Uçar, CEO, Keepnet.
