Brought to you by

’Tis the season for more scams

Posted 12 months ago in Platform by Paul Macpherson
Posted by Paul Macpherson

While most of us are looking forward to the holiday season and spending time with our families, unfortunately cyber criminals may see it as another event they can exploit to take advantage of online users.

This time of year typically sees an increase in phishing emails and we all need to remain vigilant to avoid becoming a victim. A couple of phishing scams popular with the cyber criminals are:

  • the email saying you’ve missed a package delivery. With many people getting more packages at this time of year, it’s a good lure for phishing. But rather than a link to details of your shipment, you’ll probably get malicious software that infects your device.  
  • an e-card from a retailer or business you might use. You might even get an actual e-card, but under the cover, you also get the gift of adware, spyware or another malicious payload.    

Before clicking on any links or attachments, look for the telltale signs of phishing, such as spelling and grammatical errors, odd URLs and sender names. If there’s any doubt about the source of the email, don’t click. For more information about how to spot phishing, check out Xero’s security page. You should also run anti-malware (anti-virus) software and keep it up to date.

As the head of security at Xero, I see security threats from cyber attacks and hacking almost daily. Our security teams identify patterns of malicious activity and take the appropriate steps to notify users and guide them through safeguarding their accounts. Protecting our platform against cyber attacks is a top priority, and we partner with leading security vendors to ensure our systems are as robust as possible.

Here are some simple, easy-to-implement steps that will help you better protect your information, and that of your clients online, this holiday season and beyond.

Have strong, unique passwords

I cannot stress the importance of strong passwords enough. Over 80% of breaches occur due to stolen or weak passwords. Always use a strong, unique password for each site you log in to and don’t share passwords. While this may seem extreme, particularly in an age of multiple logins, different passwords help prevent a compromise of one login becoming a compromise of many. You can use password manager software to help you use your multiple logins, and to generate strong passwords for you. Password manager software securely stores all of your usernames and passwords, on your desktop or in the cloud, so you just need to remember the password for your password manager. You can also use your password manager to securely store other sensitive information, such as security questions and answers.

Use two-step authentication

2SA or two-step authentication is like having that extra deadbolt on the door. 2SA works by having two layers of security: first you enter your existing password, then another verification code is generated by an app on your smart device. Having 2SA enabled for your Xero account significantly reduces the risk of your account being taken over, because stealing your password isn’t enough to get access.

If your gifts this year include a shiny new smartphone, don’t forget to disable 2SA on your Xero account with your old phone before disposing of it or passing it on. You need to do this so you can set up the 2SA authenticator app on your new smartphone for uninterrupted access to Xero. If you’ve disposed of your old phone, you can disable 2SA using your security questions and answers.

Xero’s 2SA allows you to select a checkbox telling it to ‘remember me for 30 days’ when you log on to a device you’ll repeatedly use to access Xero. With this option enabled, you only have to enter the authentication code from your app on that device once every 30 days.

We’ve made it easier to access Xero if you lose your smart device and don’t have the authentication code or your security Q&A. You can specify an alternate email address when you set up 2SA to provide a fallback option if your authenticator app isn’t available. You’ll be able to recover access to your Xero account by having a single-use authentication code sent to your alternate email address.       

2SA (or 2FA, MFA or 2SV) is also important for your email account, which is generally how you reset the passwords for your online services. A compromised email account can also result in invoice fraud, with invoices sent and received by email being maliciously updated with fraudulent payment account details.  

Visit Xero Central for more information about 2SA in Xero.

Know what you’re logging into

Some phishing emails are the first step in attempting to steal your password. They ask you to verify your details, and often threaten to limit or terminate your service if you don’t do so immediately. Clicking the link takes you to a fake login page where any usernames and passwords you enter are harvested by the cyber criminal. A request for urgent action, or else, is often a sign of phishing.

Clicking a link in a phishing email will sometimes take you to a fake login page for an online service. Your username and password will be stolen when you type them in.

When you’re logging into Xero, make sure the URL displayed is one of these:

  • https://login.xero.com
  • https://login.xero.com/identity/user/login
  • https://practicemanager.xero.com

If you do enter your username and password to a fake login page, change your password immediately and contact your service provider.

You should also be wary of using public wifi to access online services, especially those that provide access to sensitive data or services, such as Xero or your bank account. Cyber criminals may be able to get access to unsecured devices on the same network. They may advertise a fake wifi access point, with a name similar to the real one, to trick you into connecting to their device. Once you’re connected they can intercept all of the information you send or distribute malware to your device. If you need to access any website that requires you to log in, consider connecting via your mobile phone instead. If you must use public wifi, take precautions to secure your data, such as:

  • verifying you are connecting to a legitimate wireless connection – check with an employee at the location providing the wifi to confirm details such as the connection name and IP address, and
  • using a VPN (virtual private network) – a VPN creates an encrypted ‘private tunnel’ to protect the confidentiality of your data as it passes through the network

Security is of the utmost importance for Xero and like every other online business we have to be constantly vigilant about phishing attacks and account takeovers. We’re all responsible for using security procedures and continually investing in online security. As an online community we need to work together to make sure we’re all protecting one another and keeping our data safe from cyber criminals.

For more information visit Xero’s security page, get updates on the latest security issues on Xero’s security noticeboard or forward suspicious, Xero branded emails to phishing@xero.com.

Leave a reply

Your email address will not be published. Required fields are marked *