Staying safe online will protect not just your data, but your customers and employees. The two most important things you can do to stay safe online are:
First, maintain excellent password hygiene. Never share a password. Always use a long, complex password (or passphrase) and always use a unique password for each website or application you use.
Second, be aware. Phishing emails are a common way to trick you into disclosing data. If it looks even in the slightest bit unusual – don’t click it.
Here are a few tips to ensure your sensitive data remains secure.
Phishing and malicious emails
We’ve written before about “phishing” – it’s an email that looks like it comes from a trusted source, like Xero or your Bank, but doesn’t. The email will attempt to trick you into providing passwords or other important data, or it could just infect your computer with malware such as ransomware.
You can protect yourself and your business by being aware of these scams, and by knowing what to look for that may help you identify a malicious email.
Here are six things to keep a look out for:
- Incorrect spelling or grammar. Legitimate organizations don’t always get it 100% right, but be suspicious of emails with basic errors.
- The actual linked URL is different from the one displayed. Hover your mouse over any links in an email (DON’T CLICK) to see if the actual URL is different.
- The email asks for personal information that the supposed sender should already have, or information that isn’t relevant to your business with them.
- The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the bank’s website via the URL you would normally use, or phone them. Don’t click on the link in the email.
- The email says you’ve won a competition you didn’t enter, have a parcel waiting that you didn’t order, had an order cancelled that you never placed, or promises huge rewards for your help. On the internet, if it sounds too good to be true then it probably isn’t true.
- There are changes to how information is usually presented, for example an email is addressed to “Dear Sirs” or “Hello” instead of to you by name, the sending email address looks different or complex, or the content is not what you would usually expect.
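Several of the six indicators above can be checked mechanically against the HTML of a message. The script below is an added example, not Xero’s code or part of the original post; it implements four of them (displayed URL differing from the real link target, a greeting that does not address you by name, urgency wording, and a request for a password) using assumed phrase lists, and runs over two constructed sample messages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic phrase lists for three of the checklist items (assumed, not from the post).
URGENCY = ("right away", "immediately", "within 24 hours", "will be closed", "suspended")
GENERIC_GREETINGS = ("dear sirs", "dear customer", "dear user", "hello,")
CREDENTIAL_RE = re.compile(r"\b(password|passcode|pin|security code)\b")

class _LinkCollector(HTMLParser):
    """Collect (visible link text, href) pairs plus all visible text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def phishing_indicators(html_body: str) -> list:
    """Return the names of the checklist indicators that fire for an HTML email body."""
    p = _LinkCollector()
    p.feed(html_body)
    text = " ".join(" ".join(p.text).split()).lower()   # normalise whitespace
    found = []
    # Displayed URL whose host differs from the real href host (what hovering would reveal).
    if any(re.match(r"https?://", shown) and urlparse(shown).hostname != urlparse(href).hostname
           for shown, href in p.links):
        found.append("link_mismatch")
    if any(text.startswith(g) for g in GENERIC_GREETINGS):   # not addressed by name
        found.append("generic_greeting")
    if any(u in text for u in URGENCY):                       # "respond right away"
        found.append("urgency")
    if CREDENTIAL_RE.search(text):                            # asks for data they should already have
        found.append("asks_for_credentials")
    return found

# Constructed sample messages (not real emails): one phishing-style, one ordinary.
SUSPECT_EMAIL = """<html><body><p>Dear Sirs,</p>
<p>Your account will be closed if you do not confirm your password right away.</p>
<p>Log in at <a href="http://login.example.net/verify">https://www.example.com/login</a></p>
</body></html>"""
ORDINARY_EMAIL = '<p>Hi Jane,</p><p>Invoice INV-0001: <a href="https://www.example.com/inv/1">https://www.example.com/inv/1</a></p>'
```

Spelling errors and "information not relevant to your business" are left to a human reader; the script is a first filter, not a verdict.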
If you suspect you’ve received a phishing or malicious email, and it says it’s from Xero or uses Xero’s logo, do not click on any links or attachments in the email. Instead please report it by forwarding the email to firstname.lastname@example.org.
Passwords are the first line of defence
- When you’re trying to protect information from intruders, it’s crucial you pick strong passwords that can’t be easily guessed or ‘cracked’ (cracking is recovering a password from data stored in or transmitted by a computer system).
- Use a long password made up of numbers, letters and special characters ($, #, %, &, etc.). The longer your password is, the harder it is to guess and the longer it takes to crack.
- Use different passwords for different websites or applications. Then if a hacker figures out or cracks one password, they haven’t got the master key and any damage can be limited. This means the password you use for your online banking shouldn’t be the same as your Facebook, email or Xero login.
- Never share your account details with anyone. Not even really good friends or close colleagues. They can unknowingly pass it on or maybe even use it themselves. The best bet is to keep your password to yourself.
Using a password safe application is a good way to make managing your passwords easier, allowing you to generate unique, strong passwords for each application.
Make sure your computer is secure
You can have the most complicated password in the world, but if a hacker is already inside your computer, it’s no good. Always keep anti-malware up to date to stop keystroke loggers or other malicious software from snooping on you and stealing your information. Keep your operating system and application software patched and up to date too, to minimise the risk of vulnerabilities that can be exploited.
These are just a few of the things to watch out for, and if you ever suspect your Xero account has been compromised visit our support page.
I see that you recommend changing passwords each month, do you just mean for Xero, or for everything we do online? I have about 30 regular online sites that I access so that would be 30 new passwords each month….
And if changing passwords monthly is more secure, is changing passwords weekly an even better idea?
Or should you perhaps introduce 2-step verification? That would solve the problem of email phishing completely for 500,000 of your customers.
I had an earlier discussion about this topic on your Facebook page in response to a similar post but it appears that post has now been deleted. Can you link me back to that post because I got another terrible email about security from Xero today with an even more terrible link to a website called VirusTotal.com where you appear to be encouraging your customers to actually download dodgy attachments so they can then upload them to VirusTotal.com. This would seem to be a bad idea and I would like your comments.
When I did post a comment to the apparently now deleted Facebook post, it was suggested I post my comments here. Which is what I am doing. I fear that almost nobody will actually see my comments which was probably the idea behind the suggestion! But I shall persist.
It is my view that the online security advice you are giving your 500,000 customers is incomplete at best, and dangerous at worst, especially if any of those suspicious attachments you are encouraging people to download actually get opened on their computer. Worst. Idea. Ever.
I look forward to a public response.
Lincoln Computer Centre
I agree with Greg Williams that Xero should be offering two factor authentication. I would love to hear where it is on the road map.
Sorry about that. Our blog was meant to say change your password “regularly”, not “monthly”. We slipped up in copy editing. We’ve changed it so now it matches the rest of the blog and the email you received.
We don’t want our customers to download dodgy attachments so they can then upload them to VirusTotal.com. We were saying that if you’re not sure the anti-malware you’re downloading is authentic, you can always upload it to VirusTotal.com to have it checked. We use VirusTotal.com ourselves to check suspect files for malware. It’s very effective as the file is checked using over 50 different anti-malware solutions.
Introducing 2-step verification for Xero customers is a priority for us. We’ve recently added more people to the team that’s working on this. We’re planning on delivering a 2-step verification solution by the end of November.