Friday, 29 December 2017 18:10

Scammers again circulate fake Xero invoice


A second scam email pretending to contain an invoice from accounting software provider Xero has recently surfaced, according to security company MailGuard.

Circulation of this latest email follows a similar scam email containing the same fake Xero invoice which previously hit the market.

MailGuard says the criminals behind the scam are leveraging the trust users place in the Xero brand to try and get people to open a malware file attachment.

“Xero is a popular cloud-based accounting software and this is the second time this month that it has been impersonated by scammers,” the security firm says.

“Scams of this type hinge on the brand recognition and reputation of the company they are impersonating. Because Xero is widely used, there are a large number of potential recipients of this email who might click on the attachment without checking its legitimacy.”

As MailGuard points out in its screenshot of the email, although the sender display name is "Xero Billing Notifications", the actual sender address behind it is subscription[dot]notifications[at]xerohost[dot]net, which is not an authentic Xero domain.

In fact, MailGuard says this domain — xerohost[dot]net — was only registered on a Chinese domain registry the day before it discovered the scam.

So, here are MailGuard's other observations about this latest scam:

Harmful macros

The attachment on this email is a Word document, which seems like a harmless format to most people. Unfortunately, it’s possible to conceal malicious code in .doc macros.

Macros are small software fragments that are embedded in .doc files. Macros are designed to automate tasks in documents, but because they can work in the background without a user’s knowledge they make useful malware vehicles for cyber crime.

Scammers can hide a trojan or a dropper in macro code, which will download and activate other malicious software. The code in the macro itself may not be particularly harmful, but the malware it covertly installs could be a virus, spyware or ransomware.

Microsoft has disabled dangerous macros by default in newer editions of Office. There’s no legitimate reason for a company to be sending you an invoice document with macros in it, so they’re a red flag for scams.

Self defence

To avoid being tricked by one of these scams, you should immediately delete any emails that look suspicious or ask you to open or download files that you weren’t expecting.

The rule of thumb is that any attachment to an email has the potential to be harmful. If the message originates from an unknown source, there’s no way of knowing what sort of damaging malware it might be carrying.

This fake Xero email was prevented from reaching the inboxes of MailGuard clients, but there are thousands of these messages going out today, so please keep an eye out for them and share this warning with your network.




Peter Dinham

Peter Dinham is a co-founder of iTWire and a 35-year veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).


