Cyber Rebels

How I would target your new employees

I don’t smash doors. I wait for the welcome pack

If I want in fast, I don’t look for a blackout. I look for a welcome pack.

You hire someone and, for a few days, the world around them becomes a to-do list. Forms. IT setup. “One more thing” from HR. That blur is my playground. I don’t need to be clever. I need plausibility, timing and a tiny ask that fits the flow of their first week.

I start with a message that sounds like work

This is always my first move. New starters are swamped — HR forms, IT instructions, manager check-ins, payroll details. Their inbox fills with little jobs that all look the same: routine, professional, urgent enough to act on but boring enough not to question. That’s when my message lands.

It doesn’t scream “click me.” It blends. The subject line is plain, the wording clipped, the signature neat. It might say things like:

🔹 “Please complete your security induction form”
🔹 “Final step: activate your employee account”
🔹 “HR needs confirmation of your bank details”
🔹 “IT setup — confirm login before access expires”

To them, it feels like one more box to tick on a long list. And because it looks official, the chances are they’ll click before they think.

The reason it works is simple psychology. In their first week, people want to prove they belong. They don’t want to be the one holding things up. So when an instruction comes through that looks like part of onboarding, they act fast. No challenge, no delay — just action. And in that moment, I don’t look suspicious; I look helpful.

If that doesn’t land, I use familiarity

If the first message slips past, I switch to something that feels even safer — the things people already know. A page that looks like a company login, a form that mirrors HR templates, or a shared doc that feels like it came from the team. The design, the logo, even the button placement — all close enough to pass at a glance.

It might be framed as a password reset, a welcome pack in SharePoint, a mandatory checklist, or a team schedule. Nothing about it feels out of place because it matches what they expect to see in their first week. To the new employee, it’s just another piece of the onboarding puzzle, sitting neatly alongside the rest of their tasks.

And that’s exactly why it works. People are wired to trust what looks familiar. Recognition beats analysis. If something resembles the tools they used yesterday, their brain files it under “safe” before they’ve even thought about it. For a new starter, that instinct is even stronger because they’re desperate to get things right. They won’t slow down to question it — they’ll just click and move on.

I live in the places you already trust

If the inbox trick doesn’t bite, I don’t give up. I move into the places your people already trust without question — the shared drives, the collaboration tools, the team folders where documents are dropped in daily. These are goldmines because once I’ve got a single set of login details, or I’ve tricked someone into accepting an invite, I’m inside the same space as everyone else. From there, I don’t need to break anything — I just blend.

All I do is follow the patterns your team already uses. I copy file names, use the same folder structure, and drop in something that looks routine. A project plan saved alongside the real ones. A rota that appears to match the format of the others. A client pack that looks like it came from a colleague. At a glance, it all looks exactly where it should be. And at a glance is all most people ever give it.

That’s why this works so well. Shared spaces carry an aura of safety. People assume if a file lives there, it’s already been vetted. The environment itself becomes the signal of trust. So when I slip something in, no one questions it. They just open it, confident it’s another piece of everyday business. And that false confidence is all I need.

Curiosity and convenience are my allies

I don’t have to be clever if I can be useful. People click things that promise to save time or look a bit interesting. So I dress my bait as helpfulness: a template that “will save you an hour,” a little tool that “converts files fast,” or a neat example CV when a team is hiring. It’s not glamorous — it’s useful. And usefulness is disarming.

The moment something offers convenience, caution drops. New starters are especially primed for that: they want to get work done, impress their team, and clear the list of niggling tasks. A tidy, time-saving file or a short, pleasing interaction is exactly the small reward their brain reaches for. They click because it feels like progress, not because they’ve abandoned caution.

Curiosity does the rest. A quirky title, a “look what I found” tone in a chat, or a sprinkle of novelty in a busy day is all it takes to nudge someone into opening a file or following a link. People are social creatures; if a colleague shares something framed as useful or fun, the implicit endorsement makes it easier to act without the usual checks.

This combination — convenience plus curiosity — is why my lures work so reliably. It’s not about tricking people into being reckless; it’s about fitting into the natural rhythm of how teams get things done. When the path looks faster and friendlier than the alternative, most people will take it. And that momentary choice is the doorway I walk through.

If direct routes stall, I let the intranet do my legwork

If inboxes and shared folders aren’t opening doors, the intranet is my favourite fallback. New starters are told to “check the intranet” for everything: onboarding packs, IT how-tos, payroll links, training modules, and the quick-start checklist that supposedly makes day one calmer. That concentrated noise is perfect — lots of official-looking pages, menus full of “useful links,” and a search bar staff use when they’re frantic and short on time.

I don’t need to shout. I slip a page or a link into a place people already expect to find help: a “new starter resources” page, the HR documents library, the training portal, or the list of approved downloads. The entry looks like every other intranet item — same header, same breadcrumb trail, the same tidy author name at the bottom — so it doesn’t trigger a second thought. People follow the breadcrumbs the way they always do, find the “helpful” item, and treat it as part of the official kit.

It works because the intranet is an authority by design. If something sits there, employees assume it’s been through someone’s approval and is safe to use. The site’s very purpose is to reduce friction — to make answers obvious and fast. That rush-to-solve mindset combined with institutional trust is the gap I step through.

Once I’m inside, I become background noise

If I get in through a new starter, I don’t make noise. Why would I? They’ve already given me a foothold. All I have to do is act like them. I open the same files, click the same links, use the same systems. Nothing dramatic. Nothing that screams “intruder.” Just small, ordinary actions that blend into the chaos of a first week.

That’s the real danger of new employees: they create cover. If something odd shows up on their account — a strange login, a file in the wrong place, a few failed password attempts — it doesn’t raise alarms. People shrug and say, “They’re new, they’re still learning.” And while everyone writes it off as teething problems, I’m quietly mapping where the valuable stuff lives.

I wait for the right moment to move: the payroll run, the invoice approval window, the manager being out of the office, month-end processing — any routine time when decisions happen fast and checks slow down. That’s when small, quiet actions suddenly become useful.

Why onboarding is such an easy target

Because onboarding is built to hurry people into work. You want someone up and useful fast: accounts created, access granted, checkboxes ticked. That rush makes predictable patterns — same-day requests, templated emails, shared drives opened — and predictable patterns are what I exploit.

New starters are also a mirror of organisational trust. HR, IT and managers all send benign signals: “Here’s how we do things,” “Here’s your welcome pack,” “Here’s the link you need.” Those signals are social proof. If the company itself points someone at a page or a file, most people assume it’s safe. I lean on that assumption; it does a lot of my convincing for me.

There’s also the emotional side: newcomers want to belong. They prioritise action over caution because they think speed equals competence. They’ll follow a tidy instruction to avoid slowing the team down. That impulse — helpfulness + haste — gives me reliable windows of opportunity.

Operationally, onboarding creates a lot of one-off changes: new accounts, temporary permissions, device setup, and a flood of legitimate admin activity. That noise buries the small, slow things I do. A new account poking around is usually written off as “they’re finding their feet.” A file in a core folder gets shrugged at because it “looks like the others.” That organisational patience is my camouflage.

In short: onboarding is my perfect storm — trust handed out freely, pressure to prove yourself, and enough noise to bury my tracks. It’s everything I need wrapped into your welcome process.

But here’s the thing: it only works if no one interrupts me. The moment onboarding training steps in, my playbook starts to fall apart.

How onboarding training breaks my playbook

So how does onboarding training wreck my playbook? Not with fear. With a quick, practical interruption at the right moment.

If, in their first two days, you show new people the kinds of messages and pages they will see — not to terrify them but to familiarise them — that tiny familiarity becomes defensive instead of dangerous. Practise one ritual once: stop, check who asked, and report if it smells odd. Make that three minutes of practice, and it becomes the instinct that overrides the “just get it done” reflex.

Make account setup boring. Give people the minimum access they need to start. If the ladder isn’t there, I can’t climb it. Limit shared shortcuts, make temporary escalation obvious and time-limited. When privilege is deliberate and visible, I lose the comfortable path I rely on.

Treat devices as part of the job. If personal devices connect to business systems without a small posture check, they become a risk by default. A quick enforced step — nothing scary, just a thing people do before they touch critical systems — pushes awkwardness into a controlled place. When joining the network is deliberate, opportunistic shortcuts stop working.

Teach people the feel of a lure, not the mechanics. Show a few real examples of the sort of tidy, believable messages I use and explain why they look right. Let new starters practise reporting one. Make the reporting route easy and immediate so someone doesn’t sit on doubt and then try to fix it themselves.

Finally, make the right path faster than the wrong one. Shadow IT is a behaviour, not a tech gap: people “just get on” when the official path is slow. If your approved route is quick and sensible, people will use it. Remove the temptation to improvise and my simple, ordinary tricks stop paying.

I’ll adapt, of course. I always do. But I prefer the easy wins. Make your onboarding noisy enough to interrupt plausibility and quick enough to be useful, and I’ll go find someone softer.

Director of Training and Development, Cyber Rebels. Andy Longhurst is the founder of Cyber Rebels and a cybersecurity practitioner and educator focused on how risk actually shows up in real organisations. His work sits at the intersection of digital safety, education, and practical risk management — helping teams understand not just what policies say, but what happens in the moments where decisions are made under pressure. With a background spanning adult education, web development, and technical consultancy, Andy specialises in translating complex security concepts into clear, usable understanding. Rather than focusing solely on tools or compliance frameworks, his approach centres on human behaviour, judgement, and the systems that shape everyday choices. He delivers live, interactive cyber awareness training for organisations of all sizes, from small businesses and education providers to public-sector teams and larger organisations operating in complex risk environments. Outside of delivery, Andy spends his time analysing emerging attack patterns, refining training design, and exploring how organisations can build resilience that holds up in the real world — usually with a strategically sized cup of tea close to hand.
