This website uses cookies to ensure you get the best experience on our website. Learn more
A Guide to Secure Employee Onboarding in 2026
Table of Contents
Security teams have spent years strengthening their defenses against software vulnerabilities and malware. Yet some of the most significant cyberattacks in recent years have succeeded by exploiting something much harder to patch: trust.
Recent attacks have demonstrated how attackers can achieve devastating results by targeting the service desk rather than technical weaknesses. The 2025 ransomware attack on Marks & Spencer cost the retailer around £300 million in operating profit. Two years earlier, the attack on MGM Resorts resulted in more than $100 million in losses following widespread disruption across its Las Vegas properties.
In both cases, social engineering at the service desk played a central role. By manipulating legitimate support processes, attackers were able to compromise user accounts and gain access to critical systems. As phishing, vishing and artificial intelligence (AI)-generated impersonation become more convincing, distinguishing genuine requests from malicious ones is becoming increasingly difficult, even for experienced service desk staff.
The onboarding process is one of the most exposed parts of this evolving threat landscape. Against these challenges, security teams need robust measures that establish trust before access is granted.
The security challenges facing employee onboarding in 2026
Employee onboarding has always relied on the service desk to get new starters up and running. But today, that role carries far more security responsibility. Every password reset, multi-factor authentication (MFA) enrolment, account unlock and onboarding request requires analysts to answer a critical question: can this person be trusted with access?
Several trends are making that question harder to answer.
AI-powered attacks
The UK National Cyber Security Centre (NCSC) has published a warning on how AI will evolve and accelerate cyber risks, highlighting how models lower the barrier for entry for threat actors.
The specific risk to the service desk is AI-enabled social engineering. Phishing emails and cloned voices are now easier to create and harder to detect. For service desk teams, that means every identity-related request demands greater scrutiny.
Remote and hybrid work
Hybrid working has transformed how organizations onboard employees and contractors. New starters often create accounts without ever meeting someone from HR or IT in person.
At the same time, global hiring and outsourced support models have increased the number of identity-related interactions that take place remotely. Service desk analysts are expected to establish trust with far less context than they once had, while still getting new employees up and running quickly.
Attackers targeting identity workflows
Organizations have invested heavily in strengthening identity security. As such, attackers are increasingly looking for easier routes to compromise accounts, leading them to exploit the people and processes that surround those controls.
Identity verification, password resets, account recovery, and onboarding all involve high-trust actions. Rather than trying to bypass technical defenses, attackers can sometimes achieve the same outcome by manipulating legitimate support processes.
This is the key tactic of the hacking collective Scattered Spider. The group has become known for using social engineering to impersonate employees and persuade IT or help desk teams to reset passwords, share sensitive information or transfer MFA to attacker-controlled devices. In the cases of M&S and MGM Resorts, the result was ransomware deployment, but both attacks started with a convincing request to the service desk.
The onboarding process itself
The employee onboarding process brings all of these challenges together. New starters need access before they have established a trusted identity within the organization.
The pressure to make employees productive from day one means these requests are expected to be completed quickly, which can lead to workarounds. IT might share temporary passwords by email, or managers may verbally pass on access details. Service desk teams might handle first-day access calls without a meaningful identity check because the request appears routine or urgent.
Without robust identity verification and approval workflows, onboarding can become an attractive target for attackers looking to gain an initial foothold.
The three trust problems every organization must solve
Before a new employee can access corporate resources, the organization needs confidence that the right person is receiving the right credentials, devices, and permissions. For security teams and service desk leaders, that comes down to three practical questions.
1. How do we securely deliver first-day credentials?
Whether an organization uses passwords, Temporary Access Passes, or passwordless authentication, there is still a point where the new starter needs a secure way to access their account for the first time.
However, if credentials are sent to the wrong person, shared through an insecure channel or intercepted before the employee logs in, an attacker could gain access before the real user has even started work.
2. How do we know if the person requesting access is genuinely the new hire?
Traditional security questions, such as a mother’s maiden name or first pet, are no longer a reliable way to verify identity. Many answers can be found through public records or social media. Alternatively, attackers can gather information through social engineering.
Organizations need stronger ways to verify identity before credentials are issued, or access is changed. That means moving away from knowledge-based checks and using verification methods that are harder for attackers to research, guess, or manipulate.
3. How do we protect service desk interactions from social engineering?
The service desk is often the first place users turn when something goes wrong with access. That makes it a valuable target for attackers, particularly during onboarding when requests for credentials, MFA enrolment and account support are expected.
If identity verification is weak or inconsistent, a routine support interaction can become a way to bypass security controls. As Scattered Spider has demonstrated against major enterprises, attackers don’t always need to defeat account protections directly if they can persuade the service desk to reset a password or issue temporary access.
Secure onboarding therefore depends on repeatable service desk processes. Analysts need clear verification steps, escalation paths for suspicious requests, and enough context to challenge unusual activity without creating unnecessary friction for genuine new starters.
Securing the modern onboarding process
Secure employee onboarding requires a layered approach that combines secure credential delivery, strong identity verification, and resilient service desk processes. Together, these controls help organizations establish trust before access is granted, reducing the risk of social engineering without creating unnecessary friction for new starters.
Specops Secure Onboarding supports this approach by helping organizations verify new hire identities, eliminate insecure credential distribution, and ensure service desk actions are only completed once a user’s identity has been confirmed.
Before day one
The first challenge is making sure initial credentials reach the intended recipient. Many organizations still rely on email, SMS, or manual handoffs to distribute temporary passwords, despite the risk of interception or simple human error.
A more secure approach is to avoid issuing a temporary password altogether. Instead, Specops Secure Onboarding enables organizations to send new starters a secure enrollment link that allows them to verify their identity and create their own Active Directory password. Because IT never generates or shares a password, there’s no credential to intercept or accidentally expose.
On the first day
Once the initial credential has been generated, organizations also need confidence that the person activating the account is the individual who was hired.
Biometric liveness detection offers a stronger alternative to knowledge-based identity verification by ensuring that a user attempting access is real and present. That biometric sample can then be compared against a government-issued identity document to confirm identity before credentials are activated or access is granted.
With Specops Secure Onboarding, organizations can verify a new starter’s identity before first login, reducing the risk of impersonation while creating a smoother onboarding experience for legitimate employees.
When new hires need help
Even after onboarding is complete, the service desk remains a target. Protecting high-risk actions requires consistent identity verification before a password reset or MFA recovery is completed. Analysts should have clear verification processes that reduce guesswork and give them the confidence to challenge suspicious requests.
Specops Secure Onboarding helps enforce these controls by preventing service desk agents from completing sensitive actions until a caller’s identity has been verified through secure challenge processes. This enables support teams to make trust decisions with greater confidence while delivering a smoother experience for genuine users.
Strengthen employee onboarding with Specops
Identity-based attacks will continue to evolve, enabled by more powerful AI models. Against that threat landscape, securing processes like onboarding are crucial for robust identity security.
Specops Secure Onboarding helps organizations secure onboarding by placing identity verification at the center of the process, delivering stronger protections against identity-based attacks, a consistent onboarding process and reduced service desk risk.
If you’re interested in seeing how Specops Secure Onboarding can help your service desk defend against sophisticated social engineering attacks, contact us today or book a demo.
Last updated on July 8, 2026