How Cybercriminals Target New Hires

Starting a new job is an exciting time—there’s the thrill of new opportunities, meeting new colleagues, and, of course, figuring out how to hit the ground running! But it’s also a time when cybercriminals may be lurking, ready to exploit the unfamiliarity that comes with your fresh start. As you get settled into your new role, it's crucial to be aware of the specific threats that can target you during this transitional period.

A Welcome You Didn’t Ask For

Imagine this, you’ve just accepted an offer for your dream job. You’re eager to hit the ground running, so you update your LinkedIn profile and start receiving congratulatory messages. But within a few hours, you get an email to your personal address. It looks official—it’s from the IT department of your new employer, complete with the company logo and a friendly message. They’re just “helping you get set up,” asking you to log in with temporary credentials and create a new, strong password. They even include a link to download the necessary software for accessing work email and tools like Slack and Teams.

Sounds legit, right? But hold on—this could be the start of a cyberattack designed to steal your credentials or compromise your personal device before you even step foot in the office.

A quote from our Fortitude Re case study with struck a chord with me:

Every time we get a new hire, within an hour or two of them changing their LinkedIn profile, they’ll get a phishing email or a text posing as our CEO.

All the risks and vulnerabilities that new hires (and their employers) face during this period never really dawned on me until I read that. It’s a stark reminder of how quickly and easily cybercriminals can strike.

The Attack Vector. How It Works.

Cybercriminals are creative, and new hires are prime targets for several reasons:

• Phishing Emails to Personal Addresses
  Attackers send emails that seem to come from your new employer’s IT or HR department, asking you to log in or set up accounts. They might even ask for your phone number to make the process seem more legitimate.
• Fake Software Installation
  You’re instructed to download software that’s supposedly necessary for your new job, but it’s actually malware.
• HR and 401(k) Setup Scams
  Emails posing as HR might ask you to set up payroll or benefits, or even your 401(k). The links lead to fake portals designed to harvest your personal and financial information.

More Than Just Inconvenience

Falling for one of these scams can have serious consequences:

• Credential Theft
  If attackers get your login credentials, they can gain unauthorized access to your new employer’s systems, leading to potential data breaches or other security incidents.
• Malware Infection
  Installing malicious software could compromise not only your personal device but also your new employer’s network once you connect to it.
• Identity Theft and Financial Fraud
  Sharing personal information through fake HR portals can lead to identity theft, financial fraud, and long-term damage to your credit.

Protection Tips

So, what can you do to protect yourself as a new hire? And what should employers do to shield their newest team members from these threats? Here’s a rundown:

Tips For New Hires

• Be Skeptical of Personal Email Communications
  Any communication regarding your new job that arrives in your personal email—especially if it’s about setting up accounts or installing software—should be treated with caution.
• Use Official Channels
  Always verify onboarding instructions directly with your employer through known channels before taking any action. If you’re unsure, pick up the phone and call your HR contact.
• Check with IT
  Reach out to your company’s IT department using a trusted contact to confirm the legitimacy of any requests.
• Delay Social Media Updates
  Consider holding off on updating your LinkedIn profile or other social media platforms until after you’ve settled into your new role. This reduces the window of opportunity for attackers who might target you based on your new position.

Tips For Employers

• Set Communication Expectations
  Before your new hire starts, give them a call to set the expectation for how and when official communications will occur. Julia Frament, our Global Head of HR, recommends including an “HR code word” in your communications—a simple yet effective way to help new hires confidently identify legitimate messages.
• Minimize Pre-Start Communication
  Consolidate pre-start communications into one or two secure messages. Once your new hire officially begins, move all communication to their work email and walk them through any necessary onboarding processes in person.
• Use Code Words for Third-Party Vendors
  Julia also suggests using code words for communications from third-party vendors, such as benefits enrollment or payroll setup, to prevent phishing attempts that impersonate these services.
• Educate Early and Often
  Provide new hires with a basic cybersecurity guide before their first day, emphasizing common phishing tactics and how to avoid them. Make sure they know what to expect and whom to contact if they receive something suspicious.

The best way to avoid falling victim to these kinds of scams is to stay informed and vigilant. Whether you’re a new hire or an employer, understanding the risks and taking proactive steps to mitigate them can make all the difference. Remember, cybercriminals thrive on confusion and hesitation—by setting clear expectations and arming yourself with knowledge, you can outsmart them before they have a chance to strike.

Your new job should be an exciting start, not a security headache. Stay sharp, ask questions, and never hesitate to verify before you act. After all, it’s better to be safe than sorry.