
May 2026 | Cybersecurity for Financial Advisors | New Employee Security & Phishing Prevention
Spring is hiring season for financial advisory firms. New paraplanners, client service associates, and operations staff are onboarding — learning Redtail or Wealthbox, getting set up in ShareFile, figuring out the compliance workflows in Smarsh. The first weeks are chaotic. There are passwords to set, portals to access, and a constant stream of new people to meet. That chaos is exactly what cybercriminals are counting on. Research shows that new employees are 44% more susceptible to phishing attacks than their experienced colleagues — and CEO impersonation attacks are 45% more effective on employees who have been with a firm for less than a year.
Why New Hires Are Targeted
A new client service associate at your firm doesn't yet know what 'normal' looks like. They don't know whether the managing partner typically sends wire instructions by email, whether compliance requests usually come through a specific channel, or whether it's unusual to receive an urgent DocuSign request on a Friday afternoon. They haven't built the pattern recognition that experienced employees develop over time.
Attackers know this. They time phishing campaigns around hiring cycles, monitor LinkedIn for new hires at targeted firms, and craft impersonation emails that exploit the new employee's eagerness to be helpful and their uncertainty about firm norms. A message that says 'Hi — this is [Partner Name]. I'm in a client meeting and need you to handle something urgent' is far more likely to succeed on someone who joined last week than on someone who has worked with that partner for three years.
The Spring Hiring Window Is Open Right Now
May is peak onboarding season across the financial services industry. Firms that grew through Q1 are bringing new staff up to speed. Training is compressed. IT access is being provisioned quickly. Compliance onboarding is happening alongside everything else. This creates a window — typically 30 to 90 days — when new employees are at their most vulnerable.
For advisory firms, the stakes are particularly high. New hires get access to client financial data in Orion, Black Diamond, or eMoney almost immediately. They're added to ShareFile environments that contain sensitive documents. They're set up on email platforms with access to client communications that are archived in Smarsh. A successful phishing attack on a new employee isn't just a nuisance — it's a potential Reg S-P incident.
What These Attacks Look Like in an Advisory Context
Here are three scenarios that have played out at financial services firms:
The Urgent Wire Request
A new operations associate receives an email that appears to come from the firm's principal. The email says a client needs an emergency wire processed before market close and asks the associate to initiate the transfer using instructions in the attached document. The associate, not yet certain what the normal wire initiation process looks like and not wanting to slow down something urgent, follows the instructions.
The Compliance 'Audit' Phish
A new compliance coordinator receives what appears to be a FINRA audit request asking them to log into a portal and upload client account documentation. The login page looks legitimate. The employee enters their credentials, which are harvested by attackers who now have access to whatever that employee can access in your firm's systems.
The IT Setup Email
During the first week, a new hire gets an email that looks like it's from your IT provider or internal IT team, asking them to 'complete account setup' by clicking a link and entering their credentials. On a chaotic first day, this seems routine.
Three Fixes That Work
1. Configure Access Before Day One
New employees should never be setting up their own access in an ad hoc way. Credentials should be provisioned, MFA enrolled, and access rights configured before a new hire's first day. When employees aren't scrambling to get set up, they're less likely to respond to phishing emails that mimic setup or IT communications.
For advisory firms, this means coordinating between HR, compliance, and IT (or your managed IT provider) to have Redtail, Orion, ShareFile, and Smarsh access ready — and properly scoped — from day one.
2. Teach New Hires What Normal Looks Like
Security awareness training for new hires should go beyond generic phishing examples. It should specifically cover how your firm communicates. Does the principal ever send wire instructions by email? Is there a process for urgent client requests? How does compliance typically reach staff? What does an IT request actually look like?
When employees know the firm's actual communication patterns, they have a baseline for detecting anomalies. The message that doesn't match how things normally work becomes a red flag rather than a routine request.
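The same "known-normal" baseline can be written down on the mail-filtering side so that the technical control and the week-one training reinforce each other. The Python below is an added example, not code from this post or from Qual IT: it encodes three firm-specific norms (principals only write from the firm's own domain, urgent wire instructions never arrive by email, credential or setup requests only come from the IT provider's domain) as rules and runs them over constructed sample messages modelled on the three scenarios above plus two legitimate messages. Every name, domain and message text is a placeholder.

```python
import re
from dataclasses import dataclass

# All names and domains below are constructed placeholders for this example.
FIRM_DOMAIN = "example-advisors.test"
# Principals whose display names a spoofed message is most likely to borrow.
PRINCIPALS = {"jane partner"}
# Domains the firm's IT provider legitimately sends setup mail from.
IT_DOMAINS = {"helpdesk.example-msp.test"}
# Senders allowed to talk about logins and account setup at all.
CREDENTIAL_TRUSTED = IT_DOMAINS | {FIRM_DOMAIN}

# Wording that, combined with the sender checks, falls outside the firm's norms.
WIRE_WORDS = re.compile(r"\b(wire|transfer|routing|account number)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|before (market )?close|asap)\b", re.I)
CREDENTIAL_WORDS = re.compile(
    r"\b(log ?in|credentials|password|account setup|verify your account)\b", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; no '@' means no usable domain."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: Email) -> list[str]:
    """Return the firm-norm violations found in a message (empty list = looks normal)."""
    flags = []
    domain = sender_domain(msg.from_addr)
    external = domain != FIRM_DOMAIN
    text = f"{msg.subject}\n{msg.body}"

    # Norm 1: a principal's display name on a message from outside the firm's domain.
    if msg.display_name.strip().lower() in PRINCIPALS and external:
        flags.append("principal display name on an external address")
    # Norm 2: this firm never sends urgent wire instructions by email.
    if WIRE_WORDS.search(text) and URGENCY_WORDS.search(text):
        flags.append("urgent wire or transfer instructions by email")
    # Norm 3: login/setup requests only come from IT or from inside the firm.
    if CREDENTIAL_WORDS.search(text) and domain not in CREDENTIAL_TRUSTED:
        flags.append("credential or setup request from an unrecognized domain")
    return flags


# Constructed samples modelled on the three scenarios plus two legitimate messages.
SAMPLES = {
    "urgent_wire": Email(
        "Jane Partner", "jane.partner@mail-lookalike.test",
        "Urgent - client wire before close",
        "I'm in a client meeting. Please initiate the wire using the attached "
        "instructions before market close."),
    "compliance_audit": Email(
        "Audit Team", "audit@regulator-review.test",
        "Audit request",
        "Log in to the portal below and upload client account documentation."),
    "it_setup": Email(
        "IT Support", "support@account-setup.test",
        "Complete your account setup",
        "Click the link and enter your password to finish account setup."),
    "legit_internal": Email(
        "Jane Partner", "jane.partner@example-advisors.test",
        "Q1 report",
        "Can you pull the Q1 performance report for the Smith household?"),
    "legit_it": Email(
        "Helpdesk", "help@helpdesk.example-msp.test",
        "Account setup complete",
        "Your account setup is complete; sign in at the usual portal."),
}


def triage_samples() -> dict[str, list[str]]:
    """Run every sample through triage; returns sample name -> list of flags."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in triage_samples().items():
        print(f"{name:17s} {'OK' if not flags else '; '.join(flags)}")
```

Run it directly to print a verdict per sample. The point is not the word lists, which any real campaign will vary, but that each rule is a firm-specific norm written down once; those same three norms are what the new hire is taught in week one, so a message that trips a rule is also one the employee has already been told to escalate to the designated contact.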
3. Give New Hires a Clear Point of Contact
New employees need to know who to call when something seems off. This sounds basic, but many firms don't make it explicit. If a new associate receives a suspicious email and isn't sure whether to act on it, they need a person — a specific name and contact method — they can go to without fear of looking incompetent or slowing something down.
That person might be your office manager, your compliance officer, or your managed IT provider's helpdesk. The key is that it's designated, communicated, and easy to reach.
The Compliance Dimension
Under FINRA's supervisory rules and the SEC's Reg S-P framework, your firm is responsible for ensuring that all personnel — including new hires — are properly trained on information security policies. A phishing incident traced to a new employee who received no security training is not just an operational problem. It's a supervision deficiency.
Documenting your new hire security onboarding process — what training is provided, when, and by whom — is part of demonstrating the written policies and procedures that examiners look for.
What to Do This Month
- Review your new hire onboarding checklist and confirm security training is included in the first week
- Designate a specific security contact for new employees and communicate it explicitly during onboarding
- Audit what systems new hires can access on day one — is access appropriately scoped or overly broad?
- Run a tabletop exercise: what would a new employee actually do if they received an urgent wire request by email?
- Confirm that your onboarding security training is documented for compliance purposes
Qual IT Works With Salt Lake City Financial Advisors
We work with Salt Lake City financial advisors to meet SEC/FINRA requirements and protect client data. If you'd like to talk through how to structure your new hire security onboarding, schedule a free discovery call with Qual IT.
Frequently Asked Questions
Are we required to provide cybersecurity training to new hires under SEC or FINRA rules?
FINRA's supervisory framework and the SEC's Reg S-P both require firms to have written policies and procedures that all personnel follow. Regulators interpret this to include training employees on those policies. A new hire who hasn't been trained on your information security procedures represents a supervision gap — particularly if they're involved in a phishing incident. Documenting your training program and delivery is part of your exam-ready compliance posture.
How long are new employees typically at elevated risk for phishing?
Research suggests the highest-risk window is the first 30 to 90 days of employment. During this period, employees are still learning firm norms, are frequently receiving legitimate setup and onboarding communications, and may be less confident about questioning unusual requests. Targeted training during onboarding — rather than waiting for the annual security training cycle — substantially reduces this risk.
What should we do if a new employee clicks a phishing link?
First, don't wait. Contact your IT provider immediately to assess what the employee accessed and whether credentials were compromised. Change passwords and review MFA enrollment for any accounts the employee can access. Evaluate whether any client data may have been exposed — if so, you have notification obligations under applicable state and federal rules. Document the incident and your response thoroughly for your compliance records.

