Friday, 29 December 2017 18:10

Scammers again circulate fake Xero invoice


A second scam email pretending to contain an invoice from accounting software provider Xero has recently surfaced, according to security company MailGuard.

Circulation of this latest email follows a similar scam email containing the same fake Xero invoice which previously hit the market.

MailGuard says the criminals behind the scam are leveraging the trust users place in the Xero brand to try and get people to open a malware file attachment.

“Xero is a popular cloud-based accounting software and this is the second time this month that it has been impersonated by scammers,” the security firm says.

“Scams of this type hinge on the brand recognition and reputation of the company they are impersonating. Because Xero is widely used, there are a large number of potential recipients of this email who might click on the attachment without checking its legitimacy.”

As MailGuard points out, you can see from the screenshot that although the sender display name on the email is "Xero Billing Notifications" the actual sender address behind it is subscription[dot]notifications[at]xerohost[dot]net, which is not an authentic Xero domain.

In fact, MailGuard says this domain — xerohost[dot]net — was only registered on a Chinese domain registry the day before it discovered the scam.

So, here are MailGuard's other observations about this latest scam:

Harmful macros

The attachment on this email is a Word document, which seems like a harmless format to most people. Unfortunately, it’s possible to conceal malicious code in .doc macros.

Macros are small software fragments that are embedded in .doc files. Macros are designed to automate tasks in documents, but because they can work in the background without a user’s knowledge they make useful malware vehicles for cyber crime.

Scammers can hide a trojan or a dropper in macro code, which will download and activate other malicious software. The code in the macro itself may not be particularly harmful, but the malware it covertly installs could be a virus, spyware or ransomware.

Microsoft has disabled dangerous macros by default in newer editions of Office. There’s no legitimate reason for a company to be sending you an invoice document with macros in it, so they’re a red flag for scams.
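The two red flags described above, a display name that claims a brand while the real sender domain is something else, and an invoice attachment that carries macros, can be checked mechanically before anyone opens the file. The Python routine below is an added illustration, not MailGuard's code or a tool from the article; the trusted-domain allow-list and the macro heuristics are assumptions, and the sample message is constructed to mirror the scam described.

```python
import io
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains accepted as authentic for an impersonated brand (hypothetical allow-list).
TRUSTED_DOMAINS = {"xero": {"xero.com"}}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of a legacy .doc (OLE) file

def sender_mismatch(msg):
    """Return the brand if the From display name claims it but the real sender domain is not allow-listed."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def attachment_has_macros(data):
    """Heuristic: .docm files store macros in word/vbaProject.bin; legacy OLE files name
    the VBA storage 'Macros' in UTF-16LE directory entries. False positives are possible."""
    if data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    if data.startswith(OLE_MAGIC):
        return "Macros".encode("utf-16-le") in data
    return False

def triage(msg):
    """Collect the red flags the article describes for one message."""
    findings = []
    brand = sender_mismatch(msg)
    if brand:
        domain = parseaddr(msg["From"])[1].rpartition("@")[2]
        findings.append(f"display name claims {brand} but sender domain is {domain}")
    for part in msg.iter_attachments():
        if attachment_has_macros(part.get_payload(decode=True)):
            findings.append(f"attachment {part.get_filename()} contains macros")
    return findings

def build_sample():
    """Constructed message modelled on the scam above; the attachment is a stub OLE header, not a real document."""
    msg = EmailMessage()
    msg["From"] = "Xero Billing Notifications <subscription.notifications@xerohost.net>"
    msg.set_content("Please find your invoice attached.")
    stub_doc = OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")
    msg.add_attachment(stub_doc, maintype="application", subtype="msword",
                       filename="Invoice.doc")
    return msg
```

Run `triage(build_sample())` to see both findings; on a real mail gateway the same two checks would feed a quarantine decision rather than a print-out.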

Self defence

To avoid being tricked by one of these scams, you should immediately delete any emails that look suspicious or ask you to open or download files that you weren’t expecting.

The rule of thumb is that any attachment to an email has the potential to be harmful. If the message originates from an unknown source, there’s no way of knowing what sort of damaging malware it might be carrying.

This fake Xero email was prevented from reaching the inboxes of MailGuard clients, but there are thousands of these messages going out today, so please keep an eye out for them and share this warning with your network.







Peter Dinham

Peter Dinham is a co-founder of iTWire and a 35-year veteran journalist and corporate communications consultant. He has worked as a journalist in all forms of media – newspapers/magazines, radio, television, press agency and now, online – including with the Canberra Times, The Examiner (Tasmania), the ABC and AAP-Reuters. As a freelance journalist he also had articles published in Australian and overseas magazines. He worked in the corporate communications/public relations sector, in-house with an airline, and as a senior executive in Australia of the world’s largest communications consultancy, Burson-Marsteller. He also ran his own communications consultancy and was a co-founder in Australia of the global photographic agency, the Image Bank (now Getty Images).


