
New hire phishing | Insurance agency cybersecurity | CEO impersonation | Onboarding security | Salt Lake City
Every spring, independent insurance agencies across Salt Lake City bring on new producers, CSRs, and support staff ahead of summer policy renewal season. New hires are eager, energetic, and ready to learn — and that enthusiasm makes them significantly more vulnerable to phishing attacks than your seasoned team. Research from Keepnet in 2025 found that CEO impersonation emails are 45% more effective against new employees than against established staff. A separate study found that new employees are 44% more susceptible to phishing overall. For agencies where a single email click can expose an entire book of policyholder data, that's a risk worth taking seriously.
Why New Agency Staff Are Prime Phishing Targets
Think about what your new hire's first week looks like. They're learning Applied Epic or AMS360. They're getting set up on carrier portals. They're meeting clients for the first time. They're receiving a flood of onboarding emails from HR, from IT, from their manager, and from platforms they're being added to all at once. In that chaos, it's almost impossible to confidently distinguish a legitimate email from a malicious one — because everything looks unfamiliar.
Attackers know this. They monitor LinkedIn for new job announcements and time phishing campaigns specifically to hit new employees in their first two to four weeks. Both a spoofed email appearing to come from your agency owner or principal asking for a wire transfer authorization, and a fake carrier portal login page sent 'just to verify your new account credentials,' have worked against agencies like yours.
The spring hiring surge amplifies this risk. When multiple people are onboarding simultaneously, your experienced team is stretched thin with training. Nobody has time to double-check whether that email from 'the boss' about an urgent premium payment really came from the right address.
The Chaotic First Day Creates Security Gaps
Security gaps don't just come from a new hire clicking a bad link. They come from the structural confusion of onboarding itself. When a new producer joins your agency, how long does it take for them to get proper access configured in Applied Epic or AMS360? If the answer is 'they use someone else's login temporarily,' you've already created an audit trail problem and a credential security problem before the first phishing attempt even arrives.
New hires who aren't sure what 'normal' looks like in your agency have no baseline to compare suspicious activity against. They don't know that your principal never sends urgent wire requests by email. They don't know that your IT support would never ask for a password over chat. They don't know that DocuSign requests always come from a specific email domain. Without that context, they can't spot the fakes.
And critically, new hires often don't know who to ask when something seems off. If they're unsure whether an email is legitimate, do they have a clear, named person they can check with? If not, many will click first and ask questions later — or simply convince themselves it's probably fine because they're still learning and don't want to look incompetent.
Three Fixes That Dramatically Reduce New-Hire Phishing Risk
1. Configure Access Properly From Day One
Every new hire should have their own individual credentials set up in all relevant systems before their first day — not shared logins, not temporary passwords, not 'use mine for now.' This applies to Applied Epic, your carrier portals, email, DocuSign, ShareFile, and any other platform they'll touch. Proper access configuration also means they're only given access to what they actually need for their role. A new CSR doesn't need admin rights in AMS360 on week one. Limiting access limits exposure.
MFA should be configured as part of initial setup, not added later as an afterthought. If a new hire's credentials are compromised before MFA is in place, you have a window of vulnerability that attackers are specifically trying to exploit.
2. Teach Them What Normal Looks Like
Before a new hire ever opens their first client file in Applied Epic, spend 20 minutes walking them through the communication norms of your agency. How does your principal typically contact staff? What does a legitimate carrier portal email look like versus a phishing attempt? What's the normal process for authorizing any kind of payment or transfer? What would IT support actually ask them to do (and never ask)?
This doesn't require a formal training program. It requires someone on your team to sit down and have the conversation explicitly. Agencies that do this see dramatically fewer successful phishing attempts against new staff because the new hire has a mental model of what's normal — and can therefore recognize what's abnormal.
3. Give Them a Named Point of Contact for Security Questions
One of the most effective phishing defenses for new employees is simple: know exactly who to call or message when something seems suspicious. Make it explicit. 'If you ever get an email that seems weird, text Sarah before you click anything.' That's it. A named person, a clear instruction, zero ambiguity.
New hires won't ask unless they know it's okay to ask. Normalize security questions. Tell them explicitly that there are no dumb questions when it comes to suspicious emails — and that asking is always the right move, even if it turns out the email was fine. The cost of one unnecessary check-in is zero. The cost of one successful phishing attack on your agency's policyholder data is not.
CEO Impersonation: The Attack Your New Producers Are Most Vulnerable To
The specific attack pattern that Keepnet flagged — CEO impersonation — is worth understanding in detail for insurance agencies. The attacker spoofs an email address to appear as if it came from the agency owner or principal. The message typically conveys urgency: 'I need you to process this wire transfer before the carrier deadline,' or 'Can you verify the policy document in Applied Epic and confirm the premium amount?' The new hire, not yet familiar with your principal's actual communication style, and eager to demonstrate competence, acts quickly.
These attacks have cost insurance agencies real money. Wire fraud — the interception or misdirection of premium payments — is a known threat vector for the industry. A new employee who doesn't yet know your payment authorization process is the easiest path in.
Defense is straightforward: establish a rule that no payment authorization or wire transfer request is ever processed based solely on an email — regardless of who it appears to come from. A quick phone confirmation with the actual person who supposedly sent the request breaks the attack every time.
Your Agency's Reputation Is the Product Your Clients Are Buying
Policyholders trust your agency because you're local, you know their situation, and you act in their interest. A phishing attack that exposes policyholder data — even if it originated from a new hire's mistake — damages that trust. So does an E&O claim that traces back to a compromised agency system. The spring hiring season is a natural time to build security awareness into your onboarding process, not as an afterthought, but as a core part of how you introduce new staff to your agency.
Want to make sure your next round of new hires doesn't become your next security incident?
We work with Salt Lake City insurance agencies to protect policyholder data and keep agency systems running. Schedule a free discovery call and let's talk about building security awareness into your onboarding process.
Frequently Asked Questions
Should new hires have restricted access to carrier portals during their first few weeks?
Yes — role-appropriate access is a core security principle. A new CSR or producer should only have access to the carrier portals and functions they actually need to do their job. Full access can be granted as their role expands and they demonstrate familiarity with security protocols. Limiting access during onboarding doesn't slow good people down — it limits the damage if their credentials are compromised before they're fully up to speed on your agency's security practices.
How do we train new hires on phishing without scaring them or making them paranoid?
Frame it as professional knowledge, not fear. Insurance professionals understand risk — that's the business. Explain that phishing awareness is a professional skill, the same way knowing policy language is a professional skill. Most new hires appreciate the context once they understand what's actually at stake. A quick 20-minute walk-through of real phishing examples and your agency's communication norms is enough to significantly reduce their vulnerability.
What should we do if a new hire clicks on a phishing link?
First, don't panic and don't blame — it happens to experienced people too. Immediately disconnect the affected device from your network if possible. Change the credentials for any accounts the device had access to. Alert your IT support team or managed services provider right away. Check whether any client data in Applied Epic, AMS360, or your carrier portals was accessed from that device or those credentials. Document what happened and when. The faster you respond, the better the outcome.

