When this blog was originally posted, we gave firstname.lastname@example.org as an example of a phishing email address. We would like to clarify. That is the address we use for most of our legitimate communications to our customers, and thousands of legitimate emails are sent from it every day. However, a recent phishing scam has been pretending to come from this address.
The phishing email carries an attached .zip file with malicious content, and it pretends to be from our email@example.com address.
This is what makes dealing with phishing emails challenging: the spammers do everything they can to make the message look legitimate.
If the email is impersonal, comes from an organisation you’re not familiar with, or has a .zip file attached, you may be dealing with spam or phishing.
If you’ve received one, don’t open it – and if you do open it, don’t click any links or attachments. Delete the email. If you’re ever concerned you’ve received a phishing email or one that pretends to come from Xero please forward it to: firstname.lastname@example.org.
Keeping you safe online is very important to Xero. We’re aware that there’s an increasing number of phishing scams targeting the customers of banks and large corporations.
What is a phishing scam?
A phishing scam is when malicious emails target a company’s customers by pretending to come from a legitimate email address. They will typically use the company name, but with an extra word or character slipped in. Phishing emails can also display a legitimate email address, like email@example.com, while spoofing it: the From line is simply forged, and the message actually comes from an entirely different address.
These emails are designed to trick you into entering your email address and password, which the attackers can then use to log in to the real site, or to try against other sites where you reuse the same password. Whenever you enter a username and password online, check that you’re actually on the right site.
As online fraud continues to grow, we’ve put together some advice to help you stay safe online.
How to avoid being phished
1. Verify the email
If you receive an email prompting you to log in or send personal details, always check the address it’s coming from. Make sure it matches the other emails you’ve received from that company, and that the wording and imagery match too. Bear in mind that the displayed sender address can itself be forged, so a matching address is necessary but not sufficient.
2. Don’t click on a suspicious link
Always check the login link provided in the email: hover over it (or long-press on a phone) and look at the actual URL, not the link text. Usually a quick look at the domain name will tell you if something is off, such as an extra word or character around the company name. Note that “https” only means the connection to the site is encrypted; phishing sites use https too, so a padlock is not evidence that you’re on the right site. The safest option is to skip the link altogether and navigate to the login page yourself, from a bookmark or by typing the address. That way you know you’re logging in to the correct site.
3. Reach out and ask
If all else fails, forward the email to the customer service department of the company in question and ask if it is legitimate. Your vigilance could alert them to a problem affecting multiple customers. At Xero we have an email address set up for just such events: firstname.lastname@example.org. We will always verify whether an email was from us.
If you think you’ve been phished for any site, log in (by navigating to the site yourself, not via the email) and change your password immediately; if you reused that password anywhere else, change it there too. You should also contact the company to let them know your account may have been compromised. It’s better to let them know before any damage has been done.
For further guidance about how to identify phishing emails you can go to our security page.
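The advice above on checking a login link (steps 1 and 2) can be turned into a small checker. This is an added example and not code from the original post or from Xero; it assumes the legitimate site is xero.com (the page obfuscates its own addresses), and the sample links are constructed. It shows the three checks a practitioner actually makes: the hostname the browser will connect to (not the link text), whether that host is the expected domain or a subdomain of it, and whether a "matching" host is really just a lookalike. The scheme is only used to flag plain http on the real site; https is never taken as evidence of legitimacy.

```python
from urllib.parse import urlsplit

# Assumed: the legitimate site is xero.com. The page obfuscates its addresses,
# so this is the example's own assumption, not a statement about Xero's links.
EXPECTED_DOMAIN = "xero.com"

# Crude homoglyph normalisation so "xer0" and "xer1" collapse to "xero"/"xerl".
# Real lookalike detection also needs IDN/Unicode handling; this is the minimum.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def link_hostname(url: str) -> str:
    """Hostname a browser would actually connect to, lowercased, no trailing dot."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")


def same_site(hostname: str, expected: str) -> bool:
    """True only if hostname is `expected` itself or a subdomain of it."""
    return hostname == expected or hostname.endswith("." + expected)


def looks_like(hostname: str, expected: str) -> bool:
    """True if the host merely *contains* the brand (xero.com.evil.example,
    xero-com.example, xer0.com) rather than being the brand's domain."""
    def squash(s: str) -> str:
        return s.translate(_HOMOGLYPHS).replace(".", "").replace("-", "")
    return squash(expected) in squash(hostname)


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> tuple:
    """Classify a login link taken from an email.

    Returns (ok, reason). The scheme is checked only so that a real-site link
    over plain http is flagged; https on its own is never treated as evidence
    that the link is legitimate, because phishing sites use https too.
    """
    parts = urlsplit(url.strip())
    host = link_hostname(url)
    if parts.scheme not in ("http", "https"):
        return False, f"non-web scheme {parts.scheme!r}"
    if parts.username is not None:
        # https://xero.com@evil.example/ shows the brand but connects to evil.example
        return False, f"link hides the real host {host!r} behind an '@'"
    if not host:
        return False, "link has no hostname"
    if same_site(host, expected):
        if parts.scheme != "https":
            return False, f"{host} is the right site, but the link is plain http"
        return True, f"{host} is {expected} or one of its subdomains"
    if looks_like(host, expected):
        return False, f"{host} only looks like {expected}: lookalike domain"
    return False, f"{host} is an unrelated site"


if __name__ == "__main__":
    # Constructed sample links of the kinds a phishing email contains.
    for link in [
        "https://login.xero.com/identity/user/login",
        "http://xero.com/login",
        "https://xero.com.evil.example/login",
        "https://xero.com@evil.example/login",
        "https://xer0.com/login",
        "https://secure-portal.example/xero",
    ]:
        ok, reason = check_link(link)
        print(f"{'OK  ' if ok else 'WARN'} {link}: {reason}")
```

`urlsplit().hostname` already strips the userinfo and port, which is why the `@` trick and `xero.com:443@evil.example` style links fall out naturally; the separate `username` check exists only so the warning can say what happened.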
Good advice, Paul.
Is Xero working on anything like 2 Factor Authentication to help improve security of the login process?
Can you provide the facility for multi factor authentication please?
This is useful – but the email I received today with the subject line “An important update from Xero about keeping safe online” came from the address “email@example.com”.
How am I supposed to know that “firstname.lastname@example.org” is a legitimate Xero address, while “email@example.com” is not?
They look pretty similar to me.
Hi Julian – Sorry that our email and blog were confusing! firstname.lastname@example.org is actually an email address we use all the time. However, some of our customers have reported that scammers have “spoofed” it. That means you could get an email that looks like it’s from that address, but really it’s from a spam address. This is quite common lately and you’ve probably already seen a few in your inbox from contacts you email regularly.
Viewing the original source of the email can be a good idea if you’re unsure. In Gmail you can find this under the down arrow on the right-hand side of the screen; it will say “Show original”. In other email providers you can right-click to view the source. Look for the Return-Path, or something similar, to see whether the address shown and the address listed are the same.
Typically there are other ways to spot a scam email as well: misspellings, zip files attached, logos or graphics that look incorrect. The more you pay attention, the easier they are to spot.
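The Return-Path check described in the reply above can be automated against the raw source of a message. This is an added example, not code from the original post, from Xero or from the commenter. Both messages are constructed: the From address reuses the "message-service@" local part that appears later in this thread, but the real address is obfuscated on this page, so the whole address, the relay hostnames and the recipient domain are assumptions of the example. The checker compares the visible From domain with the envelope sender (Return-Path), the Reply-To, the Message-ID and the host named in the top Received header, which is what a reader actually looks at in "Show original".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed spoofed message: the visible From claims the legitimate domain,
# but the envelope sender, Reply-To and Message-ID all belong to someone else.
SPOOFED_RAW = """\
Return-Path: <bounce-4471@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
 by mx.recipient.example with ESMTP id 3B1F2
 for <accounts@recipient.example>; Mon, 16 Nov 2015 09:12:03 +0000
From: "Xero" <message-service@xero.com>
Reply-To: <invoices@xero-billing.example.net>
To: accounts@recipient.example
Subject: Invoice INV-0123 from ABC Flooring
Message-ID: <20151116091203.3B1F2@mail-relay.example.net>
Content-Type: text/plain

Please see the attached invoice.
"""

# Constructed legitimate-looking message: the envelope sender is a subdomain
# of the From domain, the normal shape for bulk mail, so nothing is flagged.
LEGIT_RAW = """\
Return-Path: <bounces+9fa2@post.xero.com>
Received: from post.xero.com (post.xero.com [198.51.100.20])
 by mx.recipient.example with ESMTP id 7C4D9
 for <accounts@recipient.example>; Mon, 16 Nov 2015 09:15:44 +0000
From: "Xero" <message-service@xero.com>
To: accounts@recipient.example
Subject: Invoice INV-0123 from ABC Flooring
Message-ID: <a1b2c3@post.xero.com>
Content-Type: text/plain

Please see the attached invoice.
"""


def addr_domain(header_value) -> str:
    """Lowercase domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def related(domain: str, from_domain: str) -> bool:
    """True if domain is the From domain or one of its subdomains."""
    return domain == from_domain or domain.endswith("." + from_domain)


def inspect_headers(raw: str) -> dict:
    """Compare the visible From domain with the other sender-related domains.

    Returns the extracted domains, the host the top Received header says
    handed the message to our server, and a list of warnings. A warning is
    not proof of phishing (mailing lists and third-party senders legitimately
    differ), but each one is a reason to look closer before clicking.
    """
    msg = message_from_string(raw)
    from_domain = addr_domain(msg.get("From"))
    others = {
        "Return-Path": addr_domain(msg.get("Return-Path")),
        "Reply-To": addr_domain(msg.get("Reply-To")),
        "Message-ID": addr_domain(msg.get("Message-ID")),
    }
    # The topmost Received line is the one our own MX added; its "from" is
    # the host that actually delivered the message to us.
    received = msg.get_all("Received") or [""]
    m = re.match(r"from\s+(\S+)", received[0].strip(), re.IGNORECASE)
    origin = m.group(1).lower() if m else ""
    warnings = [
        f"{name} domain {dom} does not belong to From domain {from_domain}"
        for name, dom in others.items()
        if dom and not related(dom, from_domain)
    ]
    if origin and not related(origin, from_domain):
        warnings.append(f"delivered by {origin}, which is not under {from_domain}")
    if not from_domain:
        warnings.append("From header has no parseable address")
    return {"from": from_domain, "others": others, "origin": origin, "warnings": warnings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        result = inspect_headers(raw)
        print(label, result["from"], result["origin"], result["warnings"] or "no warnings")
```

The origin host and Return-Path are the fields an attacker cannot easily make consistent with a forged From line unless they also control a host under the From domain, which is why the reply above points at Return-Path rather than at the displayed sender.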
And just how easy would it be for you to hide behind invented scammers to then conduct your own phishing operation?
1. You protest too much
2. This site has no security
3. The HTML is very basic
Please make 2FA a priority for Xero.
While this is good, common sense advice, it’s far from being a robust way of protecting yourself. It’s easy to spoof a ‘from address’ (how many people look at all the mail headers to see where an email actually came from?), and it’s not hard to make a devious link look superficially like a real one. Scammers get more and more devious – all it takes is a well crafted phishing mail and a moment of less than perfect attention to the details of a phishing mail to be caught.
Two factor authentication is a robust way of protecting yourself – even if I am caught by a phish, the login information the scammer can gather is of limited or no immediate value.
When is Xero going to support two factor authentication?
I appreciate the warning on phishing BUT
Xero does not provide a way of backing up uploaded invoice files all at once. You have to do it one by one.
Can you also advise whether files uploaded to Xero could be targeted by ransomware ?
Good advice, thank you
If they’re sending out emails purporting to be invoices and the like (based on the sample subject lines you supplied in your email), are you sure that they aren’t also (or just?) trying to defraud customers of organisations who use Xero?
It’s a fairly common (and extremely old) scam to send bogus invoices with payment details that credit the fraudster in the hope that the receiving company’s accounts payable department will simply pay without further question.
When will Xero support two factor authentication?
We have a development team working on two factor authentication (2FA) as we speak.
The initial release will allow individual users to enable 2FA for logging in to Xero and we expect to have this solution available by the end of the year. There are a lot of moving parts here, and we want it to undergo extensive testing, both internally and by external security specialists, before we’ll be happy to release.
Ransomware such as Cryptolocker encrypts files on your local or network attached drives. I’m not aware of any ransomware that is able to encrypt files in cloud storage services, such as those uploaded to Xero.
The file would have to be encrypted by ransomware on your machine before being uploaded to cloud storage. This might be a risk if you use a cloud backup service that scans in real-time or on a set schedule. But hopefully your backup service also offers file versioning, so you can always download an older version of the file to recover.
*wishes PGP email signing and encryption was universal*
While I understand the phishing issue is a buzzword at present,
I see the email sent the other day as more of a scam or an attempt to infect people with a virus, or to put the Xero invoice-sending email address on the block lists of large companies.
This is in effect a denial of service to both Xero and Xero customers.
If I send out an invoice by email, what protection do I have that my customer has not received such a spam-type email and then blocked that email address?
He will no longer receive my invoice.
It would be much safer if emails originated from an email address that the sender owned; would it not be possible to use a verified email address of my own choosing?
This would prevent this type of attack from working at all.
Hi David – Unfortunately, due to the way email works, we are unable to “spoof” our customers’ email address and send email on their behalf. Sending email this way would be less reliable and more prone to being marked as spam than the way we currently send email.
We have had several malware attacks masquerading as xero.com emails culminating in a mass attack (100 emails in 5 minutes) in November 2015, upon which I blocked all emails from your domain. I’ve had to remove the block today as many of our suppliers use your software and we were not getting their invoices. This leaves us open to malware attack once again. We do have AV but definitions always lag behind live malware especially with the constantly morphing office document based attacks.
Here’s an idea you can have for free: Instead of using the trivially spoofed email@example.com address for all emails that come via your software, why not use a unique ‘from’ address for each of your customers. Change the part before the @ to be their business name or some other unique identifier – for example ABCflooring@post.xero.com, XYZwidgets@post.xero.com etc.
That way I can white list the addresses of the suppliers I actually use and consign all email from the generic spoofed malware distributing message-service@ address to the bin where it belongs.
I find it remarkable that either you have not thought of this solution already, or, if you have thought of it, that you have nobody on your staff capable of implementing it.
My consultant rates are £75 an hour or part thereof if you need further clarification.
As you correctly pointed out, the spam emails spoofed our firstname.lastname@example.org address. Organisations that had properly implemented SPF, DKIM and/or DMARC on their mail exchangers were not affected by this spam campaign as the spoofed emails were detected and rejected.
I recommend that you configure DMARC on your mail servers to detect and reject spoofed emails, rather than blocking the spoofed domain. This will be a one time change rather than having to react to every spam campaign that spoofs the sender’s address.
We are continually evaluating ways to improve the security and delivery of our email. Thank you for your offer but we do not require any additional consulting services.
Xero’s own SPF record requires more than 10 DNS lookups to be performed to determine valid sender IPs. The number of “include” mechanisms and chained “redirect” modifiers should be kept to a minimum.
According to RFC 7208, “SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the “include” mechanism or the “redirect” modifier”. The mechanisms “include”, “mx”, “a”, “ptr”, and “exists” count against the limit of 10 lookups.
Hi Grant – We’ve recently addressed the SPF issue that you raised above so we now have just 10 DNS entries, which is within the SPF limit. We are also investigating other options to further reduce the number of DNS Lookups required to determine valid sender IPs for Xero domains.
Sadly we cannot implement DMARC in our legacy infrastructure without incurring considerable cost. Even sadder that you choose to blame the victim rather than implementing what should be an easy fix at your end.
Hi Bob – It was not my intention to blame anybody. I was simply recommending industry standard controls for preventing spoofed email from being received.
I like the valuable information you provide in your articles. I’ll bookmark your blog and take a look again right here frequently. I am relatively sure I’ll learn plenty of new stuff right here! Best of luck for the following!
Thanks for your feedback.
I’d also recommend that you regularly check our Security Noticeboard for details of the latest scams attempting to exploit Xero’s brand.
As I advise all organisations suffering from domain spoofing: look into setting up a DMARC policy in addition to SPF & DKIM at domain ownership level. It only takes a few minutes to add a DMARC configuration to instruct the majority of mail transport to quarantine or destroy spoofed email.