
May 2026 | Qual IT Managed IT | Engineering Firms | Cybersecurity
Spring hiring at engineering firms tends to follow project backlog. When new infrastructure contracts, DOT project awards, or commercial development projects land, firms staff up — bringing on new project engineers, CAD technicians, structural designers, and project coordinators. The first weeks for these new hires are intensive: learning the firm's software stack, getting access to project environments in Newforma and AutoCAD Civil 3D, absorbing the firm's documentation standards. That orientation window, when a new employee is information-saturated and eager to respond correctly to everything, is when phishing attacks are most effective. And attackers plan for it.
The Research Is Clear: New Employees Are High-Value Targets
Keepnet's 2025 phishing research found that CEO impersonation attacks are 45% more effective against new employees than against experienced staff. A separate study found that new hires are 44% more susceptible to phishing overall. The mechanism is simple: new employees lack the pattern recognition to distinguish legitimate requests from impersonations. They do not yet know whether project principals typically send DocuSign requests through a particular workflow, or whether IT sends software license emails from a specific internal address, or whether a request to 'verify your Newforma access' before a project kickoff is routine or a social engineering attempt.
Engineering firms are a particularly attractive target because new hires are granted access to high-value project data quickly. A compromised credential on day three of onboarding may provide access to structural calculations, infrastructure drawings, or government project documentation that the attacker can monetize immediately.
What This Looks Like in an Engineering Firm
A new civil engineer joins your Salt Lake City firm. It is their first week. They receive an email that appears to be from IT, asking them to log into the firm's SharePoint environment via the provided link to confirm their project file access before a project coordination meeting. The link leads to a convincing fake SharePoint login page, and they enter their credentials. The attacker now holds a working account and can open every document that account is permitted to reach, and if the fake page also relayed an MFA prompt, a one-time code or push approval did not stop the login.
Variations of this scenario use spoofed Newforma notifications, fake Deltek Vantagepoint login requests, or emails impersonating the firm's accounting department asking a new hire to verify banking information for expense reimbursement. Each version is tuned to the first-week context: a new employee who wants to respond promptly, follow instructions correctly, and avoid looking incompetent by asking too many questions.
The Chaotic First Day Creates Security Gaps
Engineering firms typically have more complex IT environments than comparably sized businesses in other industries: multiple CAD platforms, project management systems, simulation software, and sometimes government portal access. Onboarding a new engineer into that environment often takes the full first week and involves multiple people handling pieces of the setup. In that scramble, security awareness briefings get deprioritized.
By the time a new hire has their AutoCAD Civil 3D environment configured and their Newforma access established, they may already have broad access to project files but no clear understanding of what legitimate IT or management requests look like at your firm. That gap is the attack surface.
Three Fixes That Reduce New Hire Phishing Risk
1. Configure Access Before the First Day — Not During
New engineers should arrive with accounts already provisioned, permissions scoped to what they need for their initial project assignments, and MFA already enrolled on their devices. Pre-arrival provisioning eliminates the first-day scramble and ensures access is granted deliberately rather than broadly. It also creates a documented record of who has access to what from the start — important for audit purposes on government and DOT projects.
2. Define What 'Normal' Looks Like at Your Firm
Give new hires a short briefing on communication norms specific to your firm. Does the principal-in-charge typically send project access requests directly, or does that come through a project manager? Does IT communicate via a specific internal address? Does Deltek send automated notifications from a particular domain? Setting these expectations in advance — before new engineers have had a chance to develop their own assumptions — is one of the most cost-effective phishing defenses available.
For firms working on government or DOT projects, this briefing should also cover the specific security expectations for those projects, since attackers sometimes tailor phishing attempts to project-specific contexts they have researched in advance.
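The same norms can be written down as a check rather than only taught. The Python below is an added example, not Qual IT's tooling or code from any of the vendors named on this page. It parses a raw email and flags three things the briefing tells a new hire to notice: a display name that claims to be IT, accounting, SharePoint, Deltek or Newforma while the sending domain is not one the firm expects for that name; a Reply-To domain that differs from the From domain; and links in a message from such a claimed sender that point at hosts that sender would not use. The firm domain, the vendor sender domains, the link allowlist and the three sample messages are all constructed assumptions; substitute the firm's real domain and the notification domains your vendors actually use, confirmed from real message headers.

```python
"""Flag messages that break the firm's 'what normal looks like' rules.

Added example, not Qual IT's code. Every domain and sample message below is a
constructed assumption for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-engineering.com"  # assumed firm domain

# Lowercase display-name keyword -> domains that legitimately send under that name.
# The vendor domains are assumptions; confirm them against real notification headers.
EXPECTED_SENDERS = {
    "it support": {INTERNAL_DOMAIN},
    "it helpdesk": {INTERNAL_DOMAIN},
    "accounting": {INTERNAL_DOMAIN},
    "sharepoint": {INTERNAL_DOMAIN, "sharepointonline.com"},
    "deltek": {"deltek.com"},
    "newforma": {"newforma.com"},
}

# Registrable domains that links from those senders are expected to use (assumed).
EXPECTED_LINK_HOSTS = {INTERNAL_DOMAIN, "sharepoint.com", "deltek.com", "newforma.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host):
    """Crude eTLD+1: 'firm.sharepoint.com' -> 'sharepoint.com'. Adequate for an
    allowlist of two-label domains; use a public-suffix library for anything broader."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg):
    """Concatenate the text/plain parts, or return the single payload as a string."""
    if msg.is_multipart():
        return "\n".join(
            part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for part in msg.walk() if part.get_content_type() == "text/plain"
        )
    return msg.get_payload()


def check_message(raw):
    """Return a list of findings; an empty list means the message matches expectations."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    name, from_dom = name.lower(), _domain(addr)

    # (a) Display name claims a trusted identity, but the sending domain is not the expected one.
    claimed = [kw for kw in EXPECTED_SENDERS if kw in name]
    for kw in claimed:
        if from_dom not in EXPECTED_SENDERS[kw]:
            findings.append(f"display name '{name}' but From domain '{from_dom}' "
                            f"is not in {sorted(EXPECTED_SENDERS[kw])}")

    # (b) Replies would go somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain '{_domain(reply)}' differs from From domain '{from_dom}'")

    # (c) A message claiming a trusted identity links to hosts that identity would not use.
    if claimed:
        for url in URL_RE.findall(_text_body(msg)):
            host = urlparse(url.rstrip(".,;)")).hostname or ""
            if registrable(host) not in EXPECTED_LINK_HOSTS:
                findings.append(f"link to unexpected host '{host}'")
    return findings


# Constructed sample messages (not real captures).
PHISH = """From: "IT Support" <helpdesk@example-engineering-login.com>
To: newhire@example-engineering.com
Subject: Confirm your SharePoint project access before Thursday's coordination meeting

Please confirm your access here: http://example-engineering.sharepoint-verify.net/login
"""

LEGIT = """From: "IT Support" <helpdesk@example-engineering.com>
To: newhire@example-engineering.com
Subject: Your project library is ready

Your project library is at https://exampleengineering.sharepoint.com/sites/projects
"""

REPLY_TO_SWAP = """From: "Accounting" <ap@example-engineering.com>
Reply-To: <ap.desk@gmail.com>
To: newhire@example-engineering.com
Subject: Expense reimbursement details

Reply with your banking details for expense reimbursement.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT), ("REPLY_TO_SWAP", REPLY_TO_SWAP)):
        print(label, check_message(raw) or ["ok"])
```

Run as written, the first sample produces two findings (the lookalike sender domain and the lookalike link host), the second produces none, and the third produces one (the Reply-To swap). In production this logic belongs in the mail gateway or in transport rules rather than on the workstation; the point is that once 'normal' is written down for the briefing, the same list can also be enforced.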
3. Give New Hires a Named Point of Contact for Suspicious Requests
The single most effective phishing defense for new employees is making it easy to ask. New engineers who receive a request that seems unusual need to know immediately who to contact and what to do while they wait for a response. Designate a point of contact — your IT partner, a senior engineer, or both — and make sure every new hire has that contact information from day one. If asking feels easy and low-risk, new employees will ask. If it feels complicated or like it might reflect badly on them, they will not.
Spring Hiring Season Is the Right Time to Review Your Onboarding Process
If your firm is adding engineering staff ahead of summer project launches, the time to review your onboarding security process is now — before the new hires arrive. The changes required are practical and achievable: structured provisioning, a communication norms briefing, and a clear escalation path. Together they close a meaningful risk window that attackers actively target.
We work with Salt Lake City engineering firms to protect project data and support technical workflows. That includes making sure every new team member is set up securely from their first day.
Schedule a free discovery call with Qual IT to review your firm's onboarding security process.
Frequently Asked Questions
Q: New project engineers need access to AutoCAD Civil 3D and Newforma right away. How do we scope access without slowing them down?
Role-based access templates are the practical solution. Work with your IT partner to define standard access packages for each engineering role — project engineer, CAD technician, project coordinator — covering the specific platforms and file areas needed for typical first-assignment work. Access can be expanded as the role develops, but starting with a defined scope is far safer than granting blanket access and ensures a cleaner audit trail for project records.
Q: What is the exposure if a new engineer's credentials are compromised in a phishing attack?
Exposure depends on what the account could access. For an engineer in their first week with access to active project files, a compromised credential may expose structural calculations, CAD drawings, client correspondence, and project schedules. For firms working on government or DOT projects, there may be breach notification obligations under contract terms. MFA limits the damage significantly, since a stolen password alone is not enough to log in, which is why it should be enrolled before the first day rather than during it. One caveat: a convincing fake login page can relay a one-time code or push approval to the real site in real time, so where the platform supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site and cannot be completed from a lookalike domain.
Q: Can we run phishing simulation tests on new hires?
Yes, and it is one of the most effective training tools available. A simulated phishing test in the first 60 days — after an initial security briefing — gives new engineers a low-stakes experience of what a phishing attempt looks like and reinforces the lesson more effectively than reading a policy document. Follow up with a brief debrief for anyone who interacts with the simulated email, focused on what to look for next time rather than on any punitive outcome.

