When assessing cybersecurity risk in your organization, it is important to understand your users and their behavior. A new study by Keepnet sheds light on new hire behavior concerning phishing susceptibility. According to its recent survey, the 2025 New Hires Phishing Susceptibility Report, a whopping “71% of new hires click on phishing emails within 3 months” of starting their position. New hires are 44% more likely to fall for phishing and social media attacks than seasoned employees.

The survey is based on responses from 237 companies in various industries. The report’s findings reveal that new employees are at a significantly higher risk of becoming phishing and social engineering victims because they do not get enough security training during their onboarding process, and they are less experienced than veteran staff. The survey shows that new hires are unfamiliar with the organization’s protocols and are eager to respond to requests to make a good impression. Attacks that come from the CEO or HR are particularly effective against new hires. The research found that new employees were “45% more likely than experienced staff to click on phishing emails that impersonated the CEO, showing how vulnerable they are in their first few months.”

Another interesting statistic cited is that when a company provided “adaptive phishing simulations and behavior-based training” to employees, phishing risk fell 30% after onboarding.

The key lesson to take away here is to train new employees on cybersecurity protocols early and often. Understand that they are trying to impress their superiors and that they are more vulnerable to attacks. Give them the tools to feel comfortable identifying and reporting suspicious messages, and instill in them the confidence and understanding that they are important team members for the security of the organization.
