Likes, leads and lures: Why TikTok for business is the new frontier for phishing


ISJ hears exclusively from Javvad Malik, Lead CISO Advisor from KnowBe4 about how cyber-criminals are exploiting the rapid growth of platforms like TikTok for Business.

There is a particular kind of corporate optimism that says: if we build a presence on a social media platform, good things will follow.

Brands have piled onto TikTok for Business with exactly that energy.

Ad budgets are flowing, marketing teams are scrambling to find their inner Gen Z and the results, in many cases, have been genuinely impressive.

Reach, engagement and conversion numbers that would have seemed implausible five years ago are now routine.

Cyber-criminals have noticed, and unlike most people watching your brand’s latest campaign, they are not interested in your product.

They are interested in the access, the budget and the trust your business account represents.

This problem isn’t unique to TikTok.

It is a people and process problem that platforms like TikTok for Business happen to amplify.

Wherever trust, money and speed converge, phishing will follow.

Right now, few places in the modern business stack combine all three quite so effectively as a live advertising campaign on a major social platform.

Why attackers have found their way to your marketing stack

For years, the attacker’s playbook focused on finance teams and IT departments.

These were the people closest to the money and systems, so naturally, they were the targets.

The rest of the organisation was largely collateral damage, not the objective.

That has changed.

Attackers, like any sensible business, follow ROI, and the ROI on targeting marketing and agency teams has improved considerably.

A TikTok for Business account is not just a channel for posting videos.

It is a door into advertising spend, billing information, audience data and a legitimate ad platform that can be turned against the very customers it was built to reach.

Compromising a brand’s account means access to real money and a ready-made audience predisposed to trust what appears in its feed.

The shift matters because it changes who needs to be paying attention.

Security teams have spent decades training finance and IT staff to be appropriately sceptical.

The social media manager running three campaigns simultaneously while fielding agency approvals and trying to hit a deadline?

They have historically received considerably less attention. Attackers have noticed that gap too.

The triple threat: Authority, urgency and people working at pace

Phishing works for a simple reason. It does not exploit software vulnerabilities; it exploits human ones.

Authority and urgency are its two most reliable tools and the environment surrounding a live ad campaign offers both in abundance.

Consider the context.

A marketing manager is coordinating with two agencies, approving creative, monitoring spend and receiving platform notifications in the same inbox where their direct email also lands.

They get a message flagged as urgent, apparently from the platform’s support team, warning that the account has been flagged for suspicious activity.

One click required to verify and avoid campaign suspension. The campaign goes live in six hours.

That is not carelessness.

Those are exactly the conditions under which intelligent, capable people make mistakes.

The attacker has done nothing technically sophisticated; they have simply identified where the pressure is highest and applied a well-timed nudge.

A compromised business account is not just an IT inconvenience.

It can mean wasted ad spend directed at fraudulent destinations, reputational damage when customers interact with content your brand did not create, potential regulatory exposure if customer data is involved and the kind of headline that tends to follow a brand around for a while.

The financial and reputational blast radius extends well beyond a single stolen login.

It is also worth remembering that an attacker’s motivation is not always financial.

The entertainment value of embarrassing a well-known brand, disrupting a product launch or leaking confidential information has real appeal to certain categories of criminals.

The infamous leaking of private celebrity photos from compromised cloud accounts a decade ago was not primarily about money.

It was about humiliation and control. Business accounts are increasingly attractive for exactly the same reasons.

Practical protection: treating marketing teams as high-risk users

The starting point is a change in how organisations classify risk.

Every employee, but particularly those with access to ad platforms, campaign billing or social channels, should be treated with the same security scrutiny applied to finance and IT staff.

That means phishing-resistant multi-factor authentication as a baseline, not an afterthought.

It means admin rights are limited to the people who genuinely need them, with separate admin accounts kept distinct from day-to-day usage.

Device trust, login alerts and tighter approval controls around billing changes or campaign launches round out the technical picture.

Process matters at least as much as technology and often more.

Clear verification steps for urgent requests (particularly those involving account changes, new user additions or billing) remove the pressure that makes phishing effective.

If the process for handling a ‘your account is about to be suspended’ notification is clearly defined and genuinely easy to follow, the attacker’s window of opportunity closes considerably.

Clear escalation routes and regular audits of who still has access to business accounts are simple but robust safety measures.

Many brands rely heavily on external agencies and freelancers to run their campaigns, which introduces a further dimension of risk.

Third-party access to business accounts needs the same scrutiny as internal access: clear contractual obligations, defined access controls and a rigorous offboarding process that actually gets followed when an agency relationship ends. Inactive credentials are a gift to attackers and they accumulate quietly.

On the monitoring side, organisations should be watching for anomalies in their ad activity that do not fit normal campaign behaviour: unexpected billing changes, new users appearing without a corresponding internal request, unusual redirects or campaign destinations that were not in the brief.

These are the signals that an account is being used by someone who should not have access.

Catching them early limits the damage.
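The three signals named above (billing changes that nobody scheduled, users added without a matching internal request, and campaign destinations that were not in the brief) are the kind of thing a security team can check mechanically against an ad platform's audit export. The following is an added example, not code from the article, from KnowBe4 or from any ad platform: it runs those three checks over a constructed audit log. The event schema, the reference data (approved change window, approved request ids, domains from the brief) and every address, domain and timestamp are assumptions made up for the example; a real deployment would read events from the platform's own audit export and source the reference data from its change-management system and campaign brief.

```python
"""Anomaly checks over a constructed ad-account audit log (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str            # "billing.update", "user.add" or "campaign.update"
    detail: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    actor: str
    ts: datetime
    note: str


# Reference data. All constructed for the example; a real team would pull
# these from its change-management system and the campaign brief.
BILLING_ADMINS = {"ads-admin@brand.example"}   # only these may touch billing
BILLING_HOURS_UTC = range(9, 18)                # approved window: 09:00-17:59 UTC
APPROVED_USER_REQUESTS = {"REQ-1042"}           # internal tickets authorising user adds
BRIEF_DOMAINS = {"brand.example"}               # destinations named in the brief


def domain_in_brief(url: str) -> bool:
    """True if the landing URL's host is a brief domain or a subdomain of one.

    A host such as brand.example.evil.example does not end with
    ".brand.example", so lookalikes built by prefixing the real name fail.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRIEF_DOMAINS)


def detect_anomalies(events):
    """Return one Finding per event that does not fit normal campaign behaviour."""
    findings = []
    for ev in events:
        if ev.action == "billing.update":
            if ev.actor not in BILLING_ADMINS:
                findings.append(Finding("billing-by-non-admin", ev.actor, ev.ts,
                                        f"changed {ev.detail.get('field')}"))
            elif ev.ts.hour not in BILLING_HOURS_UTC:
                findings.append(Finding("billing-outside-window", ev.actor, ev.ts,
                                        f"changed {ev.detail.get('field')}"))
        elif ev.action == "user.add":
            if ev.detail.get("request_id") not in APPROVED_USER_REQUESTS:
                findings.append(Finding("user-add-without-request", ev.actor, ev.ts,
                                        f"added {ev.detail.get('new_user')}"))
        elif ev.action == "campaign.update":
            url = ev.detail.get("landing_url", "")
            if url and not domain_in_brief(url):
                findings.append(Finding("destination-not-in-brief", ev.actor, ev.ts,
                                        f"landing_url {url}"))
    return findings


def _utc(h, m):
    # Constructed timestamps; the date is arbitrary.
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed audit log: two normal events and four that should be flagged.
SAMPLE_EVENTS = [
    AuditEvent(_utc(10, 15), "marketing@brand.example", "campaign.update",
               {"landing_url": "https://shop.brand.example/spring-sale"}),
    AuditEvent(_utc(2, 40), "ads-admin@brand.example", "billing.update",
               {"field": "payment_method"}),
    AuditEvent(_utc(11, 5), "agency@partner.example", "user.add",
               {"new_user": "editor@partner.example", "request_id": "REQ-1042"}),
    AuditEvent(_utc(11, 7), "agency@partner.example", "user.add",
               {"new_user": "ops.helper@webmail.example", "request_id": None}),
    AuditEvent(_utc(12, 0), "agency@partner.example", "billing.update",
               {"field": "invoice_email"}),
    AuditEvent(_utc(15, 30), "marketing@brand.example", "campaign.update",
               {"landing_url": "https://brand-example-offers.example/claim"}),
]

if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_EVENTS):
        print(f"{f.ts.isoformat()} {f.rule:28} {f.actor:28} {f.note}")
```

Each finding carries the actor and timestamp so it can be matched back to the verification step the text recommends: a billing change or user addition that has no ticket behind it is exactly the case where someone should pick up the phone before the campaign goes live.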

Training that reflects the actual risk, not the imagined one

Generic annual security awareness training has its place. That place is not ‘the only thing standing between your ad account and an attacker.’

The classic phishing simulation involving a fake invoice from ‘Microsoft Support’ does not prepare a social media manager for a convincing fake notification from a platform they use every day.

Security training needs to reflect the actual risks people face in their jobs.

For marketing and agency teams, that means examples drawn from ad platform lures, account recovery scams and fake billing alerts.

It means showing people what a phishing attempt targeting their specific workflow looks like, not what one targeting an accounts payable department looks like.

The psychology is the same; the costume is different.

The goal is not to make people paranoid. Paranoia does not scale and it tends to produce teams that freeze rather than teams that respond sensibly.

The goal is relevant awareness: an understanding of the specific lures, pressures and scenarios most likely to affect them, combined with clear and simple guidance on what to do when something feels wrong.

Securing the marketing business

Attackers operate like businesses.

They are not randomly targeting organisations; they are optimising for return on investment.

Where trust, money and operational speed converge (a live ad campaign, a deadline-driven agency relationship, a marketing manager juggling six platforms), phishing remains stubbornly effective, because the conditions that make campaigns work also make people vulnerable.

The solution is not to slow down or retreat from platforms like TikTok for Business.

The competitive pressure to be present, to move fast and to produce results is real.

The solution is to extend to the marketing stack the same security rigour that organisations already apply to their financial systems and IT infrastructure.

The people running those campaigns, and the agencies supporting them, are handling genuinely sensitive access. It is time to treat them accordingly.

Phishing will always follow the money; if that means following your marketing spend, that is where attackers will go.

The question is whether you’ve built a culture that makes it unattractive for an attacker to keep trying.
