New Staff Are Your Organization's Biggest Security Gap — Here's Why It Starts Before Day One

The email arrives on a Tuesday morning.

It appears to be from the Executive Director. The name matches. The tone is familiar. Even the sign-off looks right.

"Hey, can you help me with something quickly? I'm in back-to-back meetings. I need you to handle a vendor payment. I'll explain more later."

The new staff member pauses. They have been with the organization for four days. They are still figuring out how things work, who to ask, what is normal, what is not. They do not want to be the person who questions the Executive Director in their first week.

So they help. And just like that, the damage is done.
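The tell in that email is not the name, which is trivially forged, but the address behind it. As an added example (not part of the original post or the vendor's own tooling), the check below parses an inbound message, compares the From display name against a directory of executives, and flags a match whose mailbox or domain is not the executive's, plus a Reply-To that points elsewhere. The organizational domain example.org, the one-entry directory, the lure phrase list and both sample messages are constructed assumptions.

```python
"""Flag display-name impersonation of an executive in an inbound email.

Added example, not code from the original post. Everything below the
imports is assumed/constructed: the domain example.org, the executive
directory, the lure phrases and the two sample messages.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumed organizational domain
# Assumed directory: normalized display name -> the only legitimate mailbox.
EXECUTIVES = {"jane doe": "jane.doe@example.org"}
# Wording common in payment-fraud lures; assumed list, not from the post.
LURE_PHRASES = ("vendor payment", "wire", "gift card", "quickly",
                "back-to-back meetings")

# Constructed sample: display name matches the ED, mailbox is external,
# and replies are steered to yet another domain.
LURE_EMAIL = """\
From: Jane Doe <jane.doe.director@freemail.invalid>
Reply-To: Jane Doe <jd.office@otherfreemail.invalid>
To: new.hire@example.org
Subject: quick favor

Hey, can you help me with something quickly? I'm in back-to-back meetings.
I need you to handle a vendor payment. I'll explain more later.
"""

# Constructed sample: genuine message from the ED's real mailbox.
LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example.org>
To: new.hire@example.org
Subject: welcome

Welcome aboard. Your orientation is Thursday at 10.
"""


def normalize_name(display_name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(display_name.lower().split())


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_impersonation(raw_message: str,
                        org_domain: str = ORG_DOMAIN,
                        executives: dict = EXECUTIVES) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name_n = normalize_name(from_name)
    from_domain = domain_of(from_addr)

    # Core check: a known executive's name on a mailbox that is not theirs.
    if from_name_n in executives:
        if from_domain != org_domain:
            findings.append(
                f"display name '{from_name}' matches an executive but the "
                f"sender domain is '{from_domain}', not '{org_domain}'")
        elif from_addr.lower() != executives[from_name_n]:
            findings.append(
                f"display name '{from_name}' matches an executive but the "
                f"mailbox '{from_addr}' is not their known address")

    # A Reply-To on a different domain than the sender is a classic BEC tell.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain '{domain_of(reply_addr)}' differs from sender "
            f"domain '{from_domain}'")

    # Lure wording alone is not evidence; report it only alongside a header hit.
    body = msg.get_payload() if not msg.is_multipart() else ""
    lures = [p for p in LURE_PHRASES if p in body.lower()]
    if lures and findings:
        findings.append("payment/urgency wording present: " + ", ".join(lures))

    return findings


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, check_impersonation(sample) or "no findings")
```

The content check is deliberately subordinate to the header checks: plenty of legitimate mail mentions payments and being busy, and an alert that fires on wording alone trains new staff to ignore it. Feeding the directory from the HR system rather than a hand-kept dict is the obvious next step, and SPF/DKIM/DMARC results, where the mail gateway exposes them, belong alongside the domain comparison.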

Why New Staff Are the Most Targeted Group

Every spring, health and social services organizations bring on new team members: recent graduates entering direct service roles, seasonal hires, interns stepping into their first professional environment. For your organization, it is onboarding season. For attackers, it is something else.

According to Keepnet Lab's 2025 New Hires Phishing Susceptibility Report, CEO impersonation emails are 45% more likely to succeed with new hires than with experienced staff. New employees are also 44% more susceptible to phishing overall.

Attackers do not need to go after your experienced people. They go after the ones who are still learning what normal looks like, and that window of uncertainty is exactly where social engineering works.

The new staff member is not the problem. The person trying hardest to make a good impression is often the one at risk.

The most dangerous employee is not careless. It is the one trying to be helpful.

The Real Gap Is the System, Not the Person

Think back to the last time someone started at your organization.

Their credentials were not quite ready. They borrowed a login to access a shared drive. They saved a file locally because the system was not set up yet. They used a personal phone to look up a contact because it was faster.

None of that felt risky. It felt resourceful. It felt like doing what needed to be done.

But in those first few days, before everything is properly in place, a few things quietly happen: shared credentials create accounts no one tracks, files end up outside your backup systems, a personal device connects to organizational data, and no one explains what to do when something feels off.

The Keepnet numbers are consistent with this: the vulnerability gap between new and experienced staff is not explained by carelessness. It comes from chaos. When onboarding is unstructured, security becomes optional, and that is exactly the environment a phishing email walks into.

What a Prepared First Day Requires

Fixing this does not require a lengthy security training on day one. It requires three things to be ready before the person walks in the door:

  • Access is configured, not improvised. Credentials created, permissions clearly defined, equipment ready. No shared logins, no workarounds, no "we'll sort that out later this week."
  • They know what a normal request looks like. A 10-minute conversation on day one: Does the ED ever email about payments? What should they do if something feels off? This is not formal training — it is basic orientation.
  • They have someone to ask without feeling foolish. Many first-week mistakes happen quietly because new staff do not want to appear inexperienced. Give them a clear contact. Give them a process.

Protect Your Organization Before That First Email Arrives

If your onboarding process is already structured, you are in better shape than many.

But if your last new hire improvised through their first week, or if you are bringing someone on this spring without a security-aware onboarding process, it is worth a conversation before that Tuesday email shows up.

Schedule a 10-minute discovery call to review your onboarding process and close the gaps before your next hire starts. Call us at 866-934-4534 or book a quick discovery call.