ITstuffed

Social Media Phishing Is Growing - Here Is How to Protect Your Business

It is a Tuesday morning and one of your staff gets a LinkedIn connection request from someone claiming to be a local business contact. They accept, exchange a few messages, and click a link the new connection sends over. Within minutes, your practice's login credentials are being harvested on a fake site that looks exactly like Microsoft 365. Nobody did anything obviously wrong. That is what makes social media phishing so effective.

Most business owners are alert to phishing emails now. That awareness has pushed attackers toward platforms where people are less guarded. Social media phishing has grown sharply over the past few years, with a significant rise in fraudulent accounts designed to impersonate real people and businesses. The mechanics are straightforward: someone clones a profile, connects with your staff, and sends a link that looks legitimate because it appears to come from a familiar name. Links on social platforms are often shortened, so there is no obvious way to tell where they lead until it is too late.

The information people share publicly on social media also makes it easy for attackers to personalise their approach. A public LinkedIn profile tells a scammer where you work, who your clients are, what services you offer, and who your colleagues are. That is enough to start a convincing conversation. Quizzes and surveys on platforms like Facebook have long been used to harvest personal data - the Cambridge Analytica case made that mainstream news, but similar data harvesting continues at a smaller scale every day. Attackers also use tactics like credential attacks that sweep across your whole team at once, often fuelled by exactly this kind of publicly available information.

The habits that reduce your exposure are not complicated. Set personal social media profiles to private where possible. Hide your connections list on both Facebook and LinkedIn - this prevents attackers from using your profile as a map to reach people who trust you. Before accepting a connection request, check whether the account has any history beyond a profile photo. A brand-new account with no posts and no activity is a red flag. If a contact sends you a link via direct message, go to their website directly rather than clicking through. The same applies to ads on Facebook or Instagram - if something looks worth buying, find the business independently rather than clicking the ad. It is also worth knowing the warning signs that your business devices may already be compromised, since a successful phishing click can install malware that goes undetected for weeks.
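For the IT person who has to vet a link a staff member received by direct message, here is an added example (not code from the article or from ITstuffed) of previewing where a shortened link really lands without ever loading the destination page: it follows redirects with HEAD requests only, then flags a final host that borrows a brand name such as Microsoft without sitting under that brand's real domain. The allowlist and the shortener list are assumptions for illustration.

```python
from urllib.parse import urlparse, urljoin
import urllib.request, urllib.error

# Assumed allowlist (illustration only): brand keyword -> real domains it may appear under.
TRUSTED = {"microsoft": ("microsoft.com", "microsoftonline.com", "office.com"),
           "linkedin": ("linkedin.com",)}
SHORTENERS = {"bit.ly", "t.co", "lnkd.in", "tinyurl.com"}  # assumed list, extend as needed
MAX_HOPS = 5

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def expand(url, fetch_location):
    """Follow redirects one hop at a time; fetch_location(url) -> next URL or None."""
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = fetch_location(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain

def verdict(chain):
    """Warnings about the final destination; an empty list means nothing suspicious found."""
    final, warnings = host_of(chain[-1]), []
    if host_of(chain[0]) in SHORTENERS:
        warnings.append("started at a link shortener")
    if urlparse(chain[-1]).scheme != "https":
        warnings.append("final hop is not https")
    for brand, domains in TRUSTED.items():
        if brand in final and not any(under(final, d) for d in domains):
            warnings.append(f"'{brand}' lookalike host: {final}")
    return warnings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # hand the 3xx back to the caller instead of following it

def head_location(url):
    """Live fetcher: HEAD one URL (never GET the page) and return its Location header."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        urllib.request.build_opener(_NoRedirect).open(req, timeout=5).close()
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return urljoin(url, loc) if 300 <= err.code < 400 and loc else None
    return None
```

In live use, call `verdict(expand(link, head_location))`; for a quick offline check you can pass any function that maps a URL to its next hop.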

Staff behaviour matters, but it is not the only line of defence. Good security for a professional services business includes DNS filtering and managed antivirus that can intercept a phishing link even if someone clicks it. Email filtering catches a large proportion of phishing attempts before they reach an inbox. These layers matter because no amount of training eliminates human error entirely, and the attacks are becoming harder to spot. AI is making this worse - AI-generated phishing messages are now convincing enough to fool even cautious users.

If a breach does occur, New Zealand businesses should report it to CERT NZ. If client data is exposed, there may also be obligations under the NZ Privacy Act 2020 to notify affected individuals and the Office of the Privacy Commissioner.

The practical step is to review what protections your business currently has in place - not just staff awareness, but the technical controls that catch what awareness misses. Professional services firms across Canterbury work with ITstuffed on exactly this kind of layered security setup. A 15-minute IT Fit Check is a good place to start if you are not sure whether your current setup would hold up.