Keepnet Reveals 71% of New Hires Fall for Phishing in Their First 90 Days

LONDON, UK  —Keepnet, a cybersecurity company that provides Human Risk Management solutions,  has uncovered a startling risk: 71% of new hires fall for phishing attacks within their first 90 days of employment, making onboarding one of the most critical periods for cybersecurity. The 2025 New Hires Phishing Susceptibility Report reveals a pressing need for organisations to rethink how they protect their human layer during onboarding.

Drawing on data from 237 companies across diverse industries, the study found that new employees are 44% more susceptible to phishing and social engineering attacks than their tenured counterparts. The most common attack vectors included CEO impersonation, fraudulent HR portals, fake invoices, and tech support scams, often exploiting new employees’ eagerness to comply, lack of familiarity with internal processes, and insufficient early-stage security training.

“New hires bring fresh energy—but they also face a steep cybersecurity learning curve. If we don’t clearly explain how things work and why they matter, we leave new starters to figure it out on their own. That’s not just unfair, it’s risky.”

— Ant Davis, Security Engagement Manager, Tesco

Key Findings from the Report

• 71% Phishing Susceptibility: New hires are exposed to high cyber risks due to limited experience and lack of structured onboarding security education.
• 44% More Vulnerable than Tenured Staff: Calculated using comparative phishing risk levels between new hires and employees past the 90-day mark.
• 30% Risk Reduction Achieved: Organisations implementing adaptive simulations and behavior-focused security programs saw phishing risk drop by 30% after onboarding.

The report also highlights that CEO impersonation emails resulted in a 45% higher phishing susceptibility rate among new hires than experienced staff — meaning new employees were significantly more likely to engage with the phishing attempt during onboarding.

“Even seasoned staff must stay alert, especially as scams and AI threats evolve. A gut feeling that something’s off can be the difference between catching a phish and causing an incident.”

— Michelle Brown, Cyber Security Training & Awareness Program Manager, Staples

Strategic Response: AI, Gamification, and Culture-Driven Security

The report recommends a multi-pronged strategy built on Keepnet’s Unified Human Risk Management Platform. The platform reduces new hire risks through:

• AI-Powered Phishing Simulations and Hyper-Personalised Training
• Gamification Dashboards to encourage engagement and secure behavior
• Security Behavior & Culture Program (SBCP) metrics like phishing dwell time and repeat offender rates
• Automated Segmentation of high-risk employee groups for tailored intervention

These features contribute to measurable business outcomes: an 85% drop in incidents linked to target behaviors and a potential annual cost saving of $1 million per organisation.

“Phishing attacks don’t wait for your employees to feel ready. Our research shows that organisations must invest in onboarding-specific cybersecurity awareness training. We’re proud to offer adaptive, scalable solutions that protect businesses from day one.”

— Ozan Uçar, CEO, Keepnet