
If your creditors issue you invoices via their Xero accounting software you will probably be familiar with the basic format of these emails.

What you should also be aware of is that scammers are exploiting the simplicity of Xero emails by sending convincing-looking scam emails replicating the content. They may look similar to this one, which was recently received by one of our clients:

Example of a Xero invoice phishing scam email

Xero have advised that genuine Xero emails will always come from a xero.com domain or sub-domain address, such as:

  • @xero.com

  • @post.xero.com

  • @send.xero.com

  • @sendnz.xero.com

  • @support.xero.com

Xero warns against taking any form of action on emails not originating from its xero.com domains. However, this is not a fool-proof method of determining authenticity, as some phishing scams attempt to spoof (impersonate) the xero.com domain (as is the case in our example illustrated above). These emails will appear to originate legitimately from Xero, but are in fact being sent from a different domain.

Just a few examples of email addresses/domains which are NOT used by Xero (and are therefore definitely scams) include:

  • subscription.notifications@post.xerosys.com

  • subscription.notifications@post.xero.biz

  • subscription.notifications@xero.secpay.org

  • emailinvoice@xero.co.nz

  • accounts@post.xeros.com-au.tk

  • info@billingxero.co.nz
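The sender-domain rule above is easy to automate as a first filter. The following is an added example (not Xero's code, and not from the original post) that extracts the address from a From: header, ignoring the display name, and accepts only xero.com itself or a genuine sub-domain of it. Lookalikes containing "xero" elsewhere in the domain, including the scam domains listed above, are flagged separately so they stand out. The sample addresses are the ones listed on this page; the three-way classification and the helper names are this example's own choices.

```python
from email.utils import parseaddr

# Xero has stated that genuine email comes from xero.com or one of its sub-domains.
XERO_ROOT = "xero.com"


def address_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From: header value.

    The display name (e.g. 'Xero <accounts@post.xeros.com-au.tk>') is ignored:
    a scammer can put anything there, so only the part after '@' matters.
    """
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no email address found in {header_value!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_xero_domain(domain: str) -> bool:
    """True only for xero.com itself or a sub-domain of it (post.xero.com, ...).

    A suffix check on '.xero.com' is used rather than a substring check so that
    xerosys.com, xero.biz, xero.co.nz and xero.com.example.tk are all rejected.
    """
    domain = domain.lower().rstrip(".")
    return domain == XERO_ROOT or domain.endswith("." + XERO_ROOT)


def classify_sender(header_value: str) -> str:
    """Classify a From: header as 'xero-domain', 'lookalike' or 'other'.

    'lookalike' means the domain mentions xero but is not under xero.com, which
    is exactly the pattern of the scam addresses listed on this page.
    """
    domain = address_domain(header_value)
    if is_xero_domain(domain):
        return "xero-domain"
    if "xero" in domain:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed samples: one genuine-looking Xero sender plus the scam
    # addresses quoted in the article above.
    samples = [
        "Xero <subscription.notifications@post.xero.com>",
        "subscription.notifications@post.xerosys.com",
        "subscription.notifications@post.xero.biz",
        "subscription.notifications@xero.secpay.org",
        "emailinvoice@xero.co.nz",
        "accounts@post.xeros.com-au.tk",
        "info@billingxero.co.nz",
    ]
    for sample in samples:
        print(f"{classify_sender(sample):12} {sample}")
```

A result of "xero-domain" is necessary but not sufficient: as the article notes, the displayed From address can itself be spoofed, so this check is a way to discard the obvious lookalikes quickly, not proof that an email is genuine. Your mail provider's SPF/DKIM/DMARC results are what show whether xero.com actually sent it.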

So what can I do to protect myself?

Some things to look out for when trying to spot malicious email:

  • incorrect grammar or spelling, especially very basic errors in sentence wording and construction (in our example above, note the "is" missing from the subject line: "Your xero invoice available now.")

  • the true URLs (web addresses) of links not matching what is shown in the email. You can check this by hovering over the link with your mouse pointer (DO NOT CLICK!) and watching whether the URL that pops up differs from the one the link claims to be. In our example above, the blue link to the invoice was in fact pointing to another URL, i.e. not https://in.xero.com/...

  • the email is requesting information from you which should already be held by the legitimate organisation, or is asking for information which is not in any way relevant to your business with them

  • urgent calls to action, such as threats that an account will be closed if you do not respond immediately by clicking this or opening that. Scammers are trying to scare you into acting impulsively.

  • unusual or unexpected presentation of information, e.g. generic salutations such as "Dear Sirs" or "Hello" instead of your name or organisation name; the sender's email address doesn't look right or is unfamiliar; the email's content is worded or laid out differently from how you usually receive it (in our example above, note the absence of a name after "Hi", yet there was a space preceding the comma to indicate a name should go there)

  • the sender is not someone you have ever had dealings with. With Xero invoice scams it could mean a company name which is not known to you, or emails from, say, UPS (United Parcel Service) when you've not ordered anything, or someone claiming you've won a competition you never entered, and so on (in our example above, the client did not recognise NJW Ltd as a supplier)

Even if an email seemingly passes all of the above 'tests' but your instincts tell you to be wary, err on the side of caution and delete it, or follow up with the organisation concerned directly (i.e. not by following any links inside the email).

Xero recommends forwarding any Xero-branded scam emails to them at phishing@xero.com. Xero's Security Noticeboard is where they update their community members on known scams, along with recommendations on keeping yourself safe.

If you are concerned about any suspicious emails you have received, we strongly recommend contacting us before taking any action. We are only a phone call or email away.
