If your law firm has brought on a new paralegal, associate, or admin in the past three months, you may have unknowingly increased your cybersecurity risk.
According to Keepnet’s 2025 New Hires Phishing Susceptibility Report, 71% of new employees fall for a phishing or social engineering attack during their first 90 days on the job, a far higher rate than among seasoned team members.
This is not just an IT issue.
The stakes are your reputation, client trust, and bottom line.
Why New Hires Are the #1 Target for Phishing
New employees walk into your firm with good intentions and blank slates. That combination makes them vulnerable.
Here’s why:
- They’re eager to please. When a new staffer gets an email from someone claiming to be a managing partner asking for a wire transfer, they may act on it without verifying the request through a known phone number or in person. After all, they don’t yet know what’s normal.
- They’re overwhelmed. Onboarding is packed with names, passwords, policies, and procedures. Cybersecurity details are often buried or delayed.
- They don’t know what “weird” looks like yet. A fake HR portal? An urgent invoice from a known vendor? These traps work because new hires don’t yet have the internal radar that experienced staff do.
These human factors are what threat actors count on, and they know exactly how to exploit them.
The Real-World Consequences
In law firms, the stakes are higher than in most industries.
A single wrong click can:
- Compromise confidential case files
- Trigger compliance violations
- Lead to costly data breaches
- Delay hearings or filings due to ransomware lockdowns
For managing partners already juggling court dates, staff issues, and client demands, a phishing incident is more than an inconvenience. It’s a liability.
The First 90 Days Are the Danger Zone
Keepnet’s research found that new hires are 44% more likely to fall for phishing scams than tenured employees.
Thankfully, it also revealed a hopeful stat: when organizations used adaptive cybersecurity training and simulations during onboarding, that risk dropped by 30% within three months.
So, what’s the takeaway?
You don’t have to wait for someone to click the wrong link. You can build protection in from day one.
What Law Firms Can Do Today
Here’s how to protect your firm and your new team members:
1. Automate Cybersecurity Onboarding
Make phishing prevention part of the Day One checklist—just like payroll and benefits. Use role-based simulations that mirror real-life scenarios your team might face (e.g., a court notice, a vendor invoice, a fake client inquiry).
2. Use Hyper-Personalized Training
Generic PowerPoint slides won’t cut it. Today’s best tools adjust the training based on the user’s behavior, department, and risk level. It’s not just smart; it’s scalable.
3. Create a Culture of “Think Twice”
Build muscle memory early. Encourage staff to pause before clicking anything that feels off. Reinforce this through short, frequent reminders, not once-a-year workshops.
4. Make Reporting Easy and Rewarded
Give staff a one-click “Report This Email” button in their mail client, so the same action works for simulations and for real attacks, and thank people who report, including false alarms. Add gamification with badges or friendly competitions to boost participation and engagement.
5. Use Metrics That Actually Matter
Track things like Phishing Susceptibility Score, Repeat Clicker Rate, and report rate, not just training completion. These behavioral metrics show who is actually at risk, so you can support them before a real attack lands.
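To make items 1 and 5 concrete, here is an added example (not code from the original article or from Keepnet) that computes the behavioral metrics named above from the results of role-based simulation campaigns. The records, user names, campaign names, the 90-day new-hire window, and the “two or more clicks” repeat-clicker threshold are all constructed assumptions for the example, not Keepnet’s published formulas.

```python
"""Behavioral phishing metrics from simulation campaign results.

Added illustration, not code from the original article or from Keepnet.
All records below are constructed sample data; the metric definitions
(per-user click rate, repeat-clicker threshold, 90-day new-hire window)
are assumptions chosen for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

NEW_HIRE_WINDOW_DAYS = 90   # assumption: "first 90 days" cohort boundary
REPEAT_CLICK_THRESHOLD = 2  # assumption: clicks in 2+ campaigns = repeat clicker


@dataclass(frozen=True)
class SimResult:
    """One simulated phishing email delivered to one user."""
    user: str
    start_date: date    # employee's first day, used for tenure cohorting
    campaign: str       # lure theme, e.g. "court-notice", "vendor-invoice"
    sent: date
    clicked: bool       # user followed the lure link or opened the attachment
    reported: bool      # user pressed the "Report This Email" button


def is_new_hire(r: SimResult) -> bool:
    """True if the lure arrived within the user's first 90 days."""
    return (r.sent - r.start_date).days < NEW_HIRE_WINDOW_DAYS


def susceptibility_scores(results):
    """Phishing Susceptibility Score per user: fraction of lures clicked."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.user] += 1
        clicks[r.user] += int(r.clicked)
    return {u: clicks[u] / sent[u] for u in sent}


def repeat_clickers(results, threshold=REPEAT_CLICK_THRESHOLD):
    """Users who clicked in at least `threshold` distinct campaigns."""
    clicked_campaigns = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_campaigns[r.user].add(r.campaign)
    return {u for u, c in clicked_campaigns.items() if len(c) >= threshold}


def repeat_clicker_rate(results, threshold=REPEAT_CLICK_THRESHOLD):
    """Repeat Clicker Rate: share of all simulated users who are repeat clickers."""
    users = {r.user for r in results}
    return len(repeat_clickers(results, threshold)) / len(users)


def cohort_rates(results):
    """Click rate and report rate for new hires versus tenured staff."""
    totals = {"new_hire": [0, 0, 0], "tenured": [0, 0, 0]}  # sent, clicked, reported
    for r in results:
        t = totals["new_hire" if is_new_hire(r) else "tenured"]
        t[0] += 1
        t[1] += int(r.clicked)
        t[2] += int(r.reported)
    return {k: {"click_rate": c / s, "report_rate": rep / s}
            for k, (s, c, rep) in totals.items() if s}


# Constructed sample data: two new hires, two tenured staff, three campaigns
# that mirror the scenarios in item 1 (court notice, vendor invoice, client inquiry).
_A, _B = date(2025, 8, 1), date(2025, 7, 15)        # new hires
_C, _D = date(2015, 3, 2), date(2019, 6, 10)        # tenured
_T1, _T2, _T3 = date(2025, 8, 20), date(2025, 9, 10), date(2025, 10, 1)
SAMPLE = [
    SimResult("a.paralegal", _A, "court-notice",   _T1, True,  False),
    SimResult("a.paralegal", _A, "vendor-invoice", _T2, True,  False),
    SimResult("a.paralegal", _A, "client-inquiry", _T3, False, True),
    SimResult("b.associate", _B, "court-notice",   _T1, True,  False),
    SimResult("b.associate", _B, "vendor-invoice", _T2, False, True),
    SimResult("b.associate", _B, "client-inquiry", _T3, False, True),
    SimResult("c.partner",   _C, "court-notice",   _T1, False, True),
    SimResult("c.partner",   _C, "vendor-invoice", _T2, False, True),
    SimResult("c.partner",   _C, "client-inquiry", _T3, False, False),
    SimResult("d.admin",     _D, "court-notice",   _T1, False, True),
    SimResult("d.admin",     _D, "vendor-invoice", _T2, True,  False),
    SimResult("d.admin",     _D, "client-inquiry", _T3, False, True),
]

if __name__ == "__main__":
    for user, score in sorted(susceptibility_scores(SAMPLE).items()):
        print(f"{user:14s} susceptibility {score:.0%}")
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE)))
    print(f"repeat clicker rate: {repeat_clicker_rate(SAMPLE):.0%}")
    for cohort, rates in cohort_rates(SAMPLE).items():
        print(f"{cohort:9s} click {rates['click_rate']:.0%}  report {rates['report_rate']:.0%}")
```

Run it as a script to see the per-user scores, the repeat-clicker list, and the new-hire versus tenured cohort split; in a real deployment the SAMPLE list would be replaced by an export from your simulation platform, and the cohort split is the number to watch during the first 90 days.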
Why It Matters to Firms Like Yours
Your law firm can’t afford slow support or vague policies. Between fast-paced litigation calendars and strict compliance obligations, there’s no wiggle room for digital mistakes.
A phishing email doesn’t just threaten data; it threatens the trust you’ve built with clients and the professionalism your firm is known for.
This isn’t about fear. It’s about foresight.
Let’s Make This Simple
If you’re onboarding staff without cybersecurity baked in, you’re rolling the dice. But the solution doesn’t have to be complicated.
You need IT partners who:
- Understand legal workflows
- Proactively protect your firm
- Provide training that actually works
That’s what we do.
Because at the end of the day, it’s not just about stopping scams. It’s about giving you the confidence that nothing (and no one) is slipping through the cracks.