MailGuard Editor 12 September 2016 17:04:00 AEST 4 MIN READ

Cybercriminals launch fake Xero invoice attack, delivering malware

 Scam emails leveraging the familiar brand of cloud accounting company Xero have delivered malware to inboxes across Australia, New Zealand and beyond.

The scam looks similar to legitimate invoice emails coming from users of Xero. The ‘from’ address is just a single character different to Xero’s legitimate invoice-generation email address ( which is very similar to the email address Xero uses to send out legitimate invoices (

The danger of this scam is anyone can fall prey, whether a Xero customer or not.

The email, sent to thousands of inboxes, contains a link to a malicious webpage where zero-day JavaScript malware is automatically downloaded to the victim’s computer.

This type of malware can be crippling. Scams of this nature are typically attempting to steal valuable data like usernames and passwords, sensitive banking and financial information, or in some cases the Trojan will lay dormant allowing the attacker access to data at a future date.

Accountants, bookkeepers and financial professionals are particularly attractive to cybercriminals who know that they hold access to valuable financial information for company payrolls, invoicing, and the like.

MailGuard was first to detect this scam, with 67 other vendors failing to flag the attack as malicious earlier today.

Here’s how the scam email looks:

Xero2_Trojan_Malware_Fake_Invoice_Scam_Sample_Email_12_September_2016.jpgAnd here’s how a legitimate Xero invoice email appears. 


The scam email tells recipients they have an outstanding invoice that can be viewed by clicking the link. The obfuscated link appears to point to a webpage but instead directs victims to a malicious site that automatically downloads malware.

The JavaScript malware appears to be a generic Trojan which is designed to install itself in the background and steal vital information from the user.



Eagle-eyed recipients will notice that real Xero invoices commonly use a PDF attachment rather than a link to an external website.

Another easy way to check potentially-suspicious emails is to hover your mouse over the sender’s address. This will reveal more about the real sending domain – in this case it’s nothing like the real invoicing address used by Xero.

Xero takes security seriously

According to the Xero blog: “Data security is an industry-wide issue and it is our number one priority. Phishing scams that attempt to steal account names and passwords are an ongoing issue for all online and financial services, so it’s vital that businesses everywhere who use these services ensure they have strong security practices and keep their information secure. Security is an issue that everyone needs to take seriously."

"On the back of recent security updates, Xero has released Two-Step Authentication for all Xero customers, providing an additional layer of security for all Xero user accounts. Two-step authentication can help keep your Xero account from being compromised by phishing and malware.

"Two-Step Authentication verifies the identity of a customer logging into the Xero dashboard by requiring them to use their existing password and a second, unique code randomly generated by the Google Authenticator app on their smartphone, each time they log in.

"Based on security best practice, Two-Step Authentication means only the Xero user with access to that trusted device will be able to log in, making it more difficult for unauthorised people to access their data."

Why Trojans pose a massive risk to businesses large and small

Trojans sit quietly in the background, and will take actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

This type of malware is most dangerous because the user may not notice it running in the background until such time they are made aware – this can sometimes be weeks or even months after the event.

Xero’s blog has advice on how to avoid being phished. That blog post advises:

“Phishing scams can also show a legitimate email address, like, but really they’re spoofing it. The message is actually coming from an entirely different email address.

“These emails are designed to trick you to enter your email and password that they can use to log in to the original site or use your password for another site. Whenever you enter your username and password online you should check that you’re actually on the right site.”

For a few dollars per staff member per month, add MailGuard's cloud-based email and web filtering solution to your business security. You’ll significantly reduce the risk of new variants of malicious email from entering your network. 

Our benchmarking shows that MailGuard is consistently 2-48 hours ahead of the market in preventing new attacks.

Find more tips on identifying email scams by subscribing to MailGuard’s blog.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

^ Back to Top