Invoice email scam spoofing Xero attacks inboxes again

Posted by Akankasha Dewan on 17 May 2019 12:15:19 AEST

A new email scam detected by MailGuard is spoofing popular cloud accounting company Xero to try and gain the trust of potential victims.

First detected yesterday afternoon (16th of May 2019), the malicious emails appear using a display name of ‘Xero’ and state in the subject that an Overdue invoice is for 'Urban Clean Accounts'. The email actually comes from a large number of freshly registered domains, likely registered to use in scams such as this one.

The email body appears as a simple yet convincing Xero invoice message. The message is a 'friendly reminder' informing the recipient that their current invoice is now overdue. They appreciate if this can be attended to immediately. Here is a screenshot of the email:

Xero Scam 160519

Clicking on the link to "View Invoice" leads to what appears to be a Xero site for hosting invoice files. However, the page indicates that the file cannot be found and should be downloaded manually, as in the screenshot below:

Xero page

At this time, unsuspecting recipients who click on the link within the page are not led to either a phishing or payload download. However, we suspect that the owners of this site could change this at any time.


Eagle-eyed recipients will notice that real Xero invoices commonly use a PDF attachment rather than a link to an external website.

In addition, in this particular scam, the error message and lack of an actual file in the second screenshot is a clear red-flag that should rouse suspicions about the legitimacy of the email.

Another easy way to check potentially-suspicious emails is to hover your mouse over the sender’s address. This will reveal more about the real sending domain.

Accountants, bookkeepers and financial professionals are particularly attractive to cybercriminals who know that they hold access to valuable financial information for company payrolls, invoicing, and the like.

What to look out for

As a precaution, avoid clicking links in emails that:

  • Are not addressed to you by name, have poor English or omit personal details that a legitimate sender would include (e.g. – tracking ID).
  • Are from businesses you’re not expecting to hear from.
  • Ask you to download any files, especially with an .exe file extension.
  • Take you to a landing page or website that does not have the legitimate URL of the company the email is purporting to be sent from.

One email

Cybercriminals use email scams to infiltrate organisations with malware and attack them from the inside. 
All criminals need to break into your business is a cleverly worded message. If they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.


Stay up-to-date with new posts on the MailGuard Blog by subscribing to free updates. Click on the button below:

Keep Informed with Weekly Updates



Topics: Xero

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all