Security Onboarding: Protect New Hires From Day One

Elena Vasquez··7 min read
New employee being welcomed and onboarded on their first day in the office

Why the First 90 Days Are the Riskiest

A new hire wants to make a good impression. They do not yet know who normally emails them, what a routine request looks like, or whether the "CEO" asking for a quick favor is really the CEO. They are eager to be helpful and reluctant to question a senior name. For an attacker, that combination is close to ideal, and it is one that publicly visible hiring announcements on social media make trivially easy to find and target.

The data backs up the intuition. According to Keepnet's 2025 New Hires Phishing Susceptibility Report, drawing on data from 237 companies, 71% of new hires are at risk of falling for phishing or social-engineering attacks within their first 90 days, and new starters are roughly 44% more likely to be fooled than tenured colleagues. When the lure impersonates an executive, the report found new hires were about 45% more likely to take the bait. Help Net Security reported the same headline finding, that a large majority of new employees click on phishing within their first three months.

The riskiest window in an employee's entire tenure is the one most onboarding programs leave unprotected. Benefits enrollment and the office tour are covered on day one. The skill that stops a wire-fraud email often is not introduced until the next annual training cycle, months too late.

The Attacks Aimed Squarely at New Starters

New hires are not targeted randomly; specific scams are tuned to their situation.

  • Executive impersonation and gift-card requests. A message that appears to come from a manager or executive asks the new employee for an urgent, discreet favor, often to buy gift cards and send the codes. It is an old trick that persists because it works, and a new hire who does not yet know company norms is the perfect mark.
  • Business email compromise (BEC). More elaborate fraud redirects a payment or changes banking details by impersonating a vendor or leader. New finance and operations hires, still learning approval workflows, are especially exposed.
  • Off-channel impersonation. Attackers increasingly move to text and messaging apps, posing as a boss who "just got a new number." Without an established sense of how their manager actually communicates, a new starter has little basis to be suspicious.

Notice the common thread: none of these rely on technical sophistication. They exploit unfamiliarity and the desire to please, the two things every new hire has in abundance during their first weeks. That is also good news, because it means the defense is behavioral rather than technical, and behavior is something onboarding can shape directly from the very first day.

What Day-One Security Onboarding Looks Like

Security should be part of the welcome, not a delayed afterthought. The aim of day one is not to make a security expert; it is to install a few reflexes and remove the fear of asking.

  1. Set the norms explicitly. Tell new hires plainly: leadership will never ask you to buy gift cards, urgency is itself a warning sign, and we verify unusual money or data requests through a second channel, every time.
  2. Name the new-hire-specific scams. Forewarn them that attackers specifically target newcomers with fake executive requests. Knowing it is coming is one of the strongest defenses.
  3. Show the report button on day one. Make sure the one-click reporting tool is installed and demonstrated before the first real email arrives, so reporting is the default response from the start.
  4. Give explicit permission to verify. The single most valuable message is that questioning a suspicious request is encouraged, never seen as slow or insubordinate. Remove the social pressure that the scams depend on.
  5. Keep day-one content short. A focused briefing on the handful of threats they are most likely to face beats an exhaustive course nobody retains amid the rush of a first day.

Make Security a Shared Onboarding Responsibility

The riskiest gap is rarely the content; it is ownership. Security awareness often sits with the security team, while onboarding sits with HR and the hiring manager. New hires fall through the seam between them, learning about benefits and building access on day one but not meeting a single security reflex until much later.

Closing that seam takes a small amount of coordination:

  • Bake security into the onboarding checklist. Treat the security briefing, report-button install, and baseline simulation enrolment as standard onboarding tasks, owned alongside the laptop and the email account, not as optional extras.
  • Brief the manager too. A new hire's manager is their reference point for what is normal. Managers who tell a newcomer "I will never ask you to buy gift cards or move money over text" inoculate them against the exact scams aimed their way.
  • Pair every new starter with a go-to contact. Knowing precisely who to ask "is this email real?" removes the hesitation attackers exploit, and it makes verifying a request feel routine rather than awkward.

When HR, managers, and security share the onboarding handoff, the protective message arrives from every direction at once, which is exactly how it sticks.

From Baseline to 90 Days: Where Simulation Fits

A briefing introduces the ideas. Practice embeds them, and the new-hire window is exactly where practice pays off most. A structured arc through the first 90 days turns awareness into behavior.

  • Establish a baseline early. Within the first week or two, an initial phishing simulation reveals how this person actually responds before any real attacker tests them. It is a private, blameless measurement, not a judgment, and it tells you who needs more support.
  • Reinforce through the window. Short, spaced simulations and micro-lessons across the 90 days keep the threats top of mind during the period of greatest exposure, rather than front-loading everything on day one and hoping it sticks.
  • Make every miss a teachable moment. When a new hire interacts with a simulation, an immediate, supportive debrief delivers the lesson at the exact moment it lands hardest. Early, low-stakes mistakes in a simulation are far cheaper than the same mistake against a real BEC email.
  • Track the trend, supportively. Behavior-based reporting lets you see new-hire risk fall over the 90 days and flag anyone who needs extra help, turning onboarding into a measurable risk-reduction process rather than a checkbox.

Organizations that run onboarding-specific simulations and behavior-focused programs have seen new-hire phishing risk drop meaningfully during this window, per the same Keepnet research. empowsec is built to run that arc: a baseline phishing simulation on entry, spaced reinforcement and teachable-moment debriefs through the probation period, and reporting that proves the risk curve is bending down before the new hire becomes a tenured one.

Key Takeaways

  • The first 90 days are the highest-risk window. Industry research finds most new hires are susceptible to phishing during onboarding, and markedly more so to executive impersonation.
  • Know the scams aimed at newcomers. Gift-card requests, BEC, and off-channel impersonation all exploit unfamiliarity and eagerness to please.
  • Start on day one. Set norms, name the threats, show the report button, and give explicit permission to verify, all before the first real email lands.
  • Baseline early, then reinforce. An initial phishing simulation measures real behavior; spaced practice and teachable-moment debriefs embed the habits across 90 days.
  • Measure the curve. Behavior-based reporting turns onboarding into a tracked risk-reduction process and surfaces who needs more support.
Share: