Starting a new job means a full inbox from day one. HR systems. IT setup instructions. Benefits enrollment. Policy acknowledgments. For most new employees, the first few weeks are spent clicking through a steady stream of onboarding emails from names and platforms they have never seen before.
Attackers know this. And they are taking advantage of it.
The onboarding window is an open door
New employees are in a uniquely vulnerable position. They do not yet know which tools their company uses, which email addresses are legitimate, or which requests are normal. They are conditioned from the start to expect unfamiliar emails asking them to register for something, complete a form, or set up an account.
That environment makes it easy to slip in something that does not belong.
The approach is straightforward. A threat actor sends a phishing campaign timed to coincide with a new hire’s first few weeks. The email is branded to look like it came from the company. It references a plausible HR platform or onboarding tool. It asks the employee to complete registration or verify their credentials. The email came from an outside address, but nothing about it signals that immediately to someone who is still learning what legitimate looks like at their new organization.
The employee clicks through, enters the credentials they were just assigned, and hands them directly to an attacker.
AI is making these attacks harder to spot
The messages that used to give phishing attempts away, awkward phrasing, inconsistent formatting, obvious translation errors, are becoming less common. AI is being used to produce clean, professional, contextually appropriate content that reads exactly like what a new employee would expect to receive.
The same tools are showing up on the other side of the hiring process as well. Fraudulent job applicants are using AI-generated profile photos, AI-assisted resume writing, and language refinement tools to present polished, credible applications. In some cases, deepfake video technology is being used during interviews to misrepresent who is actually on the call.
The result is that the people gaining access to your organization, whether as employees or through compromised credentials, may not be who they appear to be.
Who is behind these attacks and why
Most of this activity is financially motivated. Cybercriminals use new hire phishing campaigns to harvest credentials that can be used for business email compromise, fraudulent fund transfers, or access to systems they can exploit or sell.
A smaller but consistent share comes from hacktivists. Their motivation is not financial. They want to damage reputation, disrupt operations, or make an ideological point. Industries like oil and gas and tobacco are frequent targets, but any organization that draws public criticism can find itself in the crosshairs. A bad thread on Reddit has escalated into coordinated attacks more than once.
The tactics vary by motivation, but the entry point is often the same. A person who did not know what to look for clicked something they should not have.
What organizations can do about it
Awareness is the starting point. New employees should know before they start that the onboarding window is a period of heightened risk, and they should have a clear way to verify whether a communication is legitimate before acting on it.
Process matters too. Establish which platforms your organization actually uses for onboarding and communicate that list clearly and early. Give new hires a direct contact they can reach when something feels off. Make it easy to ask before clicking rather than the other way around.
The threat is real, but it is also predictable. Attackers target new hires because it works. Organizations that close that window with clear communication and simple verification steps take away one of the more reliable entry points attackers rely on.
Talk with our team
If you want to look at how your onboarding process and employee security awareness hold up against this kind of threat, we are happy to start that conversation.
