
Seven Ways Hackers Get Into Business Accounts That Most People Don't Expect

Your office manager arrives at her desk at nine, opens her laptop, and logs into the practice management system as she does every morning. Nothing looks wrong. But somewhere in the background, a hacker who has been sitting in your systems for days has already exported a month of patient records. They didn't need her password. They used something far less obvious.

Most business owners think of cyber threats in simple terms: someone guesses a weak password, or a staff member clicks a dodgy link. Those are real risks, but they're not the only ones. Hackers have become considerably more sophisticated, and many of the methods they now use don't get nearly enough attention.

SIM swapping is one example. A hacker contacts your mobile provider, convinces them to transfer your phone number to a SIM card they control, and suddenly they're receiving the two-factor authentication codes that were supposed to protect your accounts. Port-out fraud works similarly - your number is transferred to a different provider without your knowledge, and account recovery messages start going to someone else.

Cookie hijacking is another. When you log into a website, your browser stores a small file that keeps you logged in. If a hacker can steal that file - through a malicious link or an unsecured network - they can access your account without ever knowing your password. Keylogging malware is quieter still. Once installed on a device, it records every keystroke made on that machine. Passwords, client notes, bank details - all of it captured silently in the background. These types of malware are catching businesses off guard more often than most people realise.

Then there are third-party apps. Most practices have their main systems connected to a handful of add-on tools - scheduling software, document signing, payment platforms. If one of those tools has weak security, it can become an entry point into everything it touches. And AI-powered phishing has made the old advice about spotting bad grammar largely obsolete. Modern phishing emails are well-written, correctly formatted, and designed to look exactly like a message from someone you trust. Deepfake audio and video are being used in the same way, particularly in social engineering attacks where someone poses as a colleague or supplier.

What good looks like in practice is this: your staff don't receive suspicious emails without a filter catching them first. Your accounts use authentication methods that don't rely solely on SMS codes. Your systems are monitored so that unusual behaviour - a login from an unfamiliar location, a large export of records - triggers an alert rather than going unnoticed for weeks. Third-party apps are reviewed and access is revoked when tools are no longer in use. Software is updated regularly so known vulnerabilities are closed before they can be exploited. Your team knows enough about current threats to pause before acting on an unexpected request, even one that looks legitimate.
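The monitoring described above, reduced to its two concrete signals (a login from a location the user has never used, and an unusually large export of records), as an added example that is not part of the original post or any ITstuffed tooling. The audit log lines, field layout and export threshold are constructed assumptions for illustration.

```python
"""Toy alerting over a constructed audit log. Flags (1) a login from a
country a user has never logged in from before and (2) an export larger
than a threshold, escalating an export that follows a new-location login."""
from collections import defaultdict

# Constructed sample audit log (not real data). Each line is:
# <timestamp> <user> <event> <key>=<value>
AUDIT_LOG = [
    "2024-03-04T08:55:12 alice login country=NZ",
    "2024-03-04T09:01:40 alice export records=120",
    "2024-03-05T08:58:03 alice login country=NZ",
    "2024-03-05T09:02:11 bob login country=NZ",
    "2024-03-05T23:14:09 alice login country=RO",
    "2024-03-05T23:20:31 alice export records=18400",
]

EXPORT_THRESHOLD = 5000  # records in a single export; assumed, tune per practice


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, user, event, detail = line.split(" ", 3)
    key, value = detail.split("=", 1)
    return {"ts": ts, "user": user, "event": event, key: value}


def find_alerts(lines, export_threshold=EXPORT_THRESHOLD):
    """Return alert strings in log order. A user's first login from any
    country becomes their baseline; later unseen countries raise an alert."""
    seen_countries = defaultdict(set)
    suspicious_users = set()  # users with an earlier new-location alert
    alerts = []
    for rec in map(parse, lines):
        user = rec["user"]
        if rec["event"] == "login":
            country = rec["country"]
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(f"{rec['ts']} {user}: login from new location {country}")
                suspicious_users.add(user)
            seen_countries[user].add(country)
        elif rec["event"] == "export":
            count = int(rec["records"])
            if count > export_threshold:
                severity = "HIGH " if user in suspicious_users else ""
                alerts.append(f"{severity}{rec['ts']} {user}: large export of {count} records")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(AUDIT_LOG):
        print(alert)
```

Real systems would key the baseline on more than country (device, network, time of day) and feed the alert into an on-call channel rather than stdout.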

That kind of layered protection doesn't happen by accident. It requires someone to set it up, maintain it, and adjust it as threats change. For most small practices, that means working with a managed IT provider who handles it for you rather than relying on your office manager to keep up with an ever-changing threat landscape.

If you're not confident your current setup covers all of this, ITstuffed's cybersecurity services for NZ businesses are worth a look. You can also report any suspected cyber incidents to CERT NZ, and serious incidents to the NCSC NZ. For anything involving personal information, the Office of the Privacy Commissioner has guidance on your obligations under the NZ Privacy Act 2020.

ITstuffed works with professional services businesses across Canterbury. A 15-minute IT Fit Check is a good place to start if you want to know where your gaps are.