Hackers Have Better Onboarding Than You Do

Dear CISO,

You’ve probably seen the warnings—“most breaches begin with social engineering,” “humans are the weakest link,” etc. But you’re not looking for another slogan. You’re trying to prevent $46.7 million in wire transfers leaving the company because someone followed an email and, when asked why, says: “Because the boss asked.”

In 2015, Ubiquiti Networks disclosed such a scam: fraudulent emails impersonating executives, 14 wire transfers, $46.7 million gone. (Krebs on Security) Your teams can have the best firewalls—but hackers don’t always break the firewall. They break the mind behind the mouse.

Onboarding: The Hacker’s First Step

Let’s be brutally honest. Your onboarding process is a gift to attackers.

Here’s why:

  • Eager to belong. New employees want to prove themselves. They don’t want to slow things down.

  • Undefined authority. They don’t yet know who truly approves what, which makes “the boss said do this” powerful.

  • No reference points. Their “weird” email is just odd to them—not obviously malicious.

  • Attackers know this. They use the same script every time: “Act now, don’t tell anyone, it’s important.”
    And the statistics back this up: new hires are far more likely to fall for phishing and social engineering. (Help Net Security)

Let’s Break Down the Gap

Authority Shout

If an email says “Your CEO asked me to do this,” ordinary judgment switches off, because the culture says “boss = do.”

Speed Demand

“Urgent. Wire now. Don’t ask questions.”
Speed = panic. Panic = error.

Minimal Verification

On the first day of a job, you usually haven’t yet learned how to validate a change request. Hackers exploit exactly this.

Cold Culture

If one mistake feels like a hidden shame instead of a teachable moment, people hide. They don’t learn.

Real-World Fallout

  • Ubiquiti: $46.7 million in transfers. (SEC)

  • The business email compromise (BEC) category is widespread, and even large enterprises fall. (CSO Online)

  • Onboarding is a vulnerability: new hires are far more likely to click malicious links. (Keepnet Labs)

If you’re still treating “onboarding training” as a checkbox at day 30, you’re ignoring the window where you’re exposed the most.

What You Must Do
(Not Just What You Should)

  1. “Pause, verify, act” embedded on day 1

    Before a new joiner even sends their first email:
    “If you’re pulled into any request involving money, data, or access—stop. Verify with a second person by another channel.”

  2. Role-specific social engineering simulations from week 1

    Test not just: “Do you phish?”
    But: “Would you obey a fake executive request?”
    And track behavior.

  3. Tiered accountability & daily culture cues

    Day 1: Clear script for verification.

    Week 1: Coach on what “weird request” looks like.

    Month 1: Manager check-in: “We reviewed three requests. Did any seem off?”
    If your culture doesn’t treat mistakes as teaching points, your new people will keep clicking.

  4. Metrics that matter (beyond “click-rate”)

  • Percentage of new hires who performed second-channel verification on a suspicious request.

  • Time-to-report a suspicious request by a new starter.

  • Escalations arising during the first 90 days.

  • Reduction in high-risk actions after reinforcement.
    If you’re still just reporting “% of people who clicked” — you’ve missed the story.
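The four metrics above can be computed from the records a simulation platform or ticketing system already holds. The following is an added example, not code from the original letter: it runs over a constructed sample of simulated "executive request" events sent to new starters (the `SimEvent` fields and all dates are assumptions) and reports the onboarding metrics beside the plain click-rate, so the contrast the letter describes is visible in numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# One row per simulated "executive request" sent to a new starter.
# Field names are assumptions for this example, not a vendor schema.
@dataclass
class SimEvent:
    user: str
    start_date: datetime             # hire date
    sent_at: datetime                # when the simulated request was sent
    verified_second_channel: bool    # user checked via phone/chat before acting
    reported_at: Optional[datetime]  # when the user reported it, if ever
    escalated: bool                  # report led to a manager/SOC escalation
    high_risk_action: bool           # user did the requested thing (e.g. "wire")
    after_reinforcement: bool        # sent after week-1 coaching

D = datetime  # shorthand for the constructed sample below
SAMPLE = [  # constructed data, not real users or incidents
    SimEvent("alice", D(2024,1,8), D(2024,1,10,9,0), True,  D(2024,1,10,9,12), True,  False, False),
    SimEvent("bob",   D(2024,1,8), D(2024,1,10,9,0), False, None,              False, True,  False),
    SimEvent("carol", D(2024,1,15), D(2024,1,17,14,0), False, D(2024,1,17,15,0), False, True, False),
    SimEvent("bob",   D(2024,1,8), D(2024,2,5,10,0), True,  D(2024,2,5,10,8),  True,  False, True),
    SimEvent("carol", D(2024,1,15), D(2024,2,12,11,0), False, D(2024,2,12,11,30), False, False, True),
    # dan was hired months earlier, so this event falls outside the 90-day window
    SimEvent("dan",   D(2023,9,1), D(2024,2,1,9,0),  False, None,              False, True,  True),
]

def onboarding_metrics(events, window_days=90):
    """Metrics from the letter, restricted to each user's first `window_days`."""
    in_window = [e for e in events if e.sent_at - e.start_date <= timedelta(days=window_days)]
    users = {e.user for e in in_window}
    verified = {e.user for e in in_window if e.verified_second_channel}
    minutes = [(e.reported_at - e.sent_at).total_seconds() / 60 for e in in_window if e.reported_at]
    before = [e for e in in_window if not e.after_reinforcement]
    after = [e for e in in_window if e.after_reinforcement]
    rate = lambda xs: sum(e.high_risk_action for e in xs) / len(xs) if xs else 0.0
    return {
        "events_in_window": len(in_window),
        "click_rate": rate(in_window),                     # the number most reports stop at
        "pct_new_hires_verified": 100 * len(verified) / len(users) if users else 0.0,
        "median_minutes_to_report": median(minutes) if minutes else None,
        "escalations_first_90_days": sum(e.escalated for e in in_window),
        "high_risk_rate_before": rate(before),
        "high_risk_rate_after": rate(after),               # drop after coaching = reinforcement worked
    }

if __name__ == "__main__":
    for name, value in onboarding_metrics(SAMPLE).items():
        print(f"{name}: {value}")
```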

Your Role as CISO

You’re not just defending infrastructure. You’re defending behavior.
You set the tone:

  • “We’ll punish mistakes” culture → hiding and repeat errors.

  • “We’ll learn from mistakes” culture → fast recognition and resilience.

The hackers have better onboarding than you do: they get their recruits to act, move money, and hand over data.
Your task: build onboarding that produces recruits you can trust to ask the right question—before the malicious email arrives.

Sincerely,

A fellow security leader who’s tired of blaming “human error.”

“Human error” isn’t random—it’s missed process + culture.
Hackers don’t fear your anti-virus. They fear your inability to make the person behind the keyboard ask one question:

“Should I really be doing this?”

Key Takeaways for You

  • Onboarding = prime attack surface.

  • New employees aren’t the weak link—they’re the untrained link.

  • Training alone isn’t enough. Onboarding culture + verification scripts + role-specific simulation = resilience.

  • Metrics matter: look beyond clicks to behavior, reporting, escalation.

  • Your culture is your real firewall.

You don’t need to stop every click. You need to stop the ones that matter.
By the time the wire leaves the company, the question “why did they click?” should already have an answer.

Dami Eluyera

Dami Eluyera is a strategist and storyteller helping bold ideas take shape—through culture, clarity, and trust-driven design.
