The First Week Mistake Nobody Plans For

The email lands on a Tuesday morning.

It looks like it’s from the CEO. The name is right. The tone is familiar. The signature matches what they’ve seen in the company handbook.

“Hey — quick favor. I’m back-to-back all morning. Can you help me get a vendor payment handled? I’ll explain when I’m free.”

The new employee pauses. They’ve been on the job for four days. They’re still learning where the bathrooms are, still figuring out which Slack channels to join, still working out who actually makes decisions around here.

They don’t want to be the person who questions the CEO in week one. So they help.

And just like that, the damage is done.

The window attackers are waiting for

Every spring, businesses across the Baltimore and DC area bring on new staff — recent graduates, interns, lateral hires, contractors starting new engagements. For companies, it’s onboarding season. For attackers, it’s something else entirely.

According to Keepnet Lab’s 2025 New Hires Phishing Susceptibility Report, CEO impersonation emails are 45% more likely to succeed with new hires than with experienced employees. And new hires overall are 44% more susceptible to phishing than tenured staff.

That gap isn’t about carelessness. It’s about uncertainty.

A new employee doesn’t know what a normal request looks like. They haven’t had time to build instincts. They don’t know whether the CFO ever asks for vendor payments over email, or whether the CEO communicates that way at all. They only know they’ve been there four days and they don’t want to make waves.

Attackers understand that. They engineer for it.

The real problem starts on day one

Here’s what I’ve seen over 20 years of doing this work: the phishing email is usually not where the vulnerability is created. It’s where it’s exploited.

Think about a typical first day. The laptop isn’t ready. Credentials are still being provisioned. Someone says, “Just use this login for now, we’ll get yours sorted out tomorrow.” A file gets saved locally because the shared drive isn’t accessible yet. A personal phone gets used to look something up quickly.

None of that feels dangerous. It feels like being resourceful on a busy day.

But here’s what happened quietly: a shared credential created an account that nobody tracks. A file landed outside your backup systems. A personal device touched your business data. And nobody explained what to do if something feels off — because who explains that in the chaos of onboarding week?

When security setup is improvised, security awareness can’t compensate.

What a prepared first week actually looks like

This doesn’t require a full security awareness program on day one. It requires three things to be ready before the person walks in the door.

Their access is configured, not improvised. Laptop ready. Credentials created. Permissions clearly defined. No borrowed logins, no “we’ll sort that out later.” The first-day improvisation creates shadow accounts and access paths that are genuinely difficult to clean up later.

They know what normal looks like in your organization. This is a ten-minute conversation — not a training module. Does your leadership ever request payments over email? What’s the process if something seems off? Who do they call? That conversation takes almost no time and closes the single biggest gap attackers exploit.

They have someone to ask without feeling foolish. The employee who hesitated before clicking that email would probably have asked someone, if they’d known who. Most first-week mistakes happen quietly because new hires don’t want to look inexperienced. Give them a person. Give them a process.

The question worth asking before your next hire starts

Maybe your onboarding is already solid. Maybe you’re a small operation where first days feel personal rather than procedural.

But if you’ve ever had a new hire improvise their way through week one — sharing credentials, using personal devices, figuring things out as they go — there’s a window open that you may not know about.

The attack didn’t create the vulnerability. The first day did.

If you’re bringing someone on this spring and want to make sure your setup is actually protecting you, that’s a conversation worth having before the Tuesday email arrives.

At RushIT, we work with businesses across Baltimore and the DC metro area to close the gaps that show up long before a cyberattack does — starting with the ones built into your onboarding process.

(410) 684-4405

crush@rushitllc.com

rushitllc.com