TikTok: Phishing and Child Risks

Criminals are now targeting TikTok’s ad tools while child skincare creators face a murky ruleset, putting brand deals on the platform under new strain. (pushsecurity.com) (theguardian.com) Push Security said on March 27 that it found adversary-in-the-middle phishing pages aimed at TikTok for Business accounts, the dashboards marketing teams use to run campaigns. The pages copied TikTok and Google prompts to steal credentials and session data in real time, which can let attackers bypass multi-factor authentication. (pushsecurity.com) International Security Journal reported on April 23 that KnowBe4’s Javvad Malik said TikTok for Business has become attractive to phishers because advertiser accounts can unlock ad spend, audience data and brand access in one place. KnowBe4’s 2025 phishing benchmark drew on 14.5 million users across 62,400 organizations and 67.7 million simulated phishing tests. (internationalsecurityjournal.com) (knowbe4.com) A phishing attack is a fake login or message built to trick someone into handing over access. In TikTok’s business system, one stolen session can hand over campaign controls, billing tools and the ability to post or buy ads from a trusted account. (knowbe4.com) (pushsecurity.com) At the same time, reporting by Business of Fashion and the Guardian found children promoting skincare on TikTok through ambassador programs, gifted products and brand events. Experts told those outlets that the work often falls between advertising law, child labor law and platform policy. (businessoffashion.com) (theguardian.com) The Federal Trade Commission says influencers must disclose any financial relationship with a brand, and that includes gifts and free products, not just cash. TikTok’s branded content rules, updated in July 2025, also require creators to disclose commercial content on the platform. (ftc.gov) (tiktok.com) The legal gap is wider for minors than for adult creators. A 2025 state-law review said Illinois, California and Minnesota had enacted protections for child content creators, while many other states were still considering bills on trust accounts, record-keeping and takedown rights. (multistate.us) (csgsouth.org) TikTok says branded content cannot promote some prohibited categories and must meet extra conditions in restricted ones, but those rules do not settle who is responsible when a child is the promoter. The Federal Trade Commission says advertisers, agencies and influencers can all face scrutiny over endorsements and reviews. (tiktok.com) (ftc.gov) For creators and brands, the result is a two-sided risk: the back end can be hijacked by phishing, and the front end can trigger disclosure, labor or child-safety questions. On TikTok, the same campaign can now be both a security target and a compliance test. (pushsecurity.com) (ftc.gov)