71% of new hires click on phishing emails within 3 months
New hires are more likely to fall for phishing attacks and social engineering than longer-term employees, especially in their first 90 days, according to Keepnet.
Why new hires are easy targets for phishing attacks
Based on data from 237 companies across various industries, the 2025 New Hires Phishing Susceptibility Report found that new hires are 44% more likely to fall for phishing and social engineering scams than longer-term employees.
Many are unfamiliar with cybersecurity protocols and may mistake phishing emails for real requests. Onboarding can be overwhelming, making it easy to miss key security steps. New employees also tend to comply with suspicious requests to make a good impression, particularly if the message appears to come from someone in charge. Early security training is often delayed or too brief, leaving them unprepared.
Common attack methods included fake messages from the CEO, bogus HR portals, phony invoices, and fake tech support. These scams often take advantage of new employees’ willingness to follow instructions, their unfamiliarity with company processes, and limited early security training.
Credential harvesting via fake HR portal (Source: Keepnet)
Key findings from the report
71% of new hires fall for phishing: Many new employees are at higher risk because they lack experience and don’t get enough security training during onboarding.
44% more likely to click than experienced staff: New hires are nearly half again as likely to fall for phishing attempts compared to employees who’ve been with the company for more than 90 days.
30% drop in risk with targeted training: Companies that used adaptive phishing simulations and behavior-based training saw phishing risk fall by 30% after onboarding.
Researchers also found that new employees were 45% more likely than experienced staff to click on phishing emails that impersonated the CEO, showing how vulnerable they are in their first few months.
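The two findings above (the first 90 days as the window of highest risk, and CEO impersonation as the most effective lure) suggest a simple mail-gateway control: treat executive display-name impersonation aimed at a recent hire as a higher-severity event than the same message aimed at a long-tenured employee. The script below is an added example, not code from Keepnet or from the report; the executive list, company domain, hire-date feed and message samples are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr

# Hypothetical company directory (constructed; not from the report).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana sato": "ceo", "lee okafor": "cfo"}
NEW_HIRE_DAYS = 90  # the report's first-90-days window

# Hypothetical HR feed: recipient address -> hire date (constructed).
HIRE_DATES = {
    "new.hire@example.com": date(2025, 5, 1),
    "veteran@example.com": date(2019, 3, 15),
}


@dataclass
class Message:
    from_header: str  # raw From: header value
    to_addr: str
    subject: str


def tenure_days(addr, today, hire_dates=HIRE_DATES):
    """Days since hire, or None if the recipient is not in the HR feed."""
    hired = hire_dates.get(addr.lower())
    return None if hired is None else (today - hired).days


def is_exec_impersonation(from_header, executives=EXECUTIVES, domain=COMPANY_DOMAIN):
    """True when the display name matches an executive but the address is not
    on the company domain (classic display-name spoofing or lookalike domain)."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    sender_domain = addr.rsplit("@", 1)[1].lower()
    return name.strip().lower() in executives and sender_domain != domain


def triage(msg, today):
    """Decide what the gateway should do with one message.

    hold_and_banner: exec impersonation aimed at a new hire (quarantine + warn)
    banner:          exec impersonation aimed at anyone else (warn only)
    deliver:         no impersonation signal
    """
    impersonation = is_exec_impersonation(msg.from_header)
    days = tenure_days(msg.to_addr, today)
    new_hire = days is not None and days <= NEW_HIRE_DAYS
    if impersonation and new_hire:
        return "hold_and_banner"
    if impersonation:
        return "banner"
    return "deliver"


def triage_all(messages, today):
    return [triage(m, today) for m in messages]


# Constructed sample traffic for a run on 2025-06-01.
SAMPLE_MESSAGES = [
    Message("Dana Sato <dana.sato@mail-relay.example>", "new.hire@example.com", "Quick task"),
    Message("Dana Sato <dana.sato@example.com>", "new.hire@example.com", "Welcome aboard"),
    Message("Dana Sato <ceo.dana@examp1e.com>", "veteran@example.com", "Urgent wire"),
    Message("IT Support <helpdesk@example.com>", "new.hire@example.com", "Laptop setup"),
]

if __name__ == "__main__":
    for m, action in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES, date(2025, 6, 1))):
        print(f"{action:16} {m.to_addr:24} {m.from_header}")
```

The check keys on the display name rather than the address because that is what a recipient sees in most mail clients; a legitimate executive writing from the company domain is not flagged, while a lookalike domain such as the constructed `examp1e.com` is. The tenure lookup only changes severity, so a new hire who is not yet in the HR feed still gets the ordinary banner.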