Check how does your business rate

Take the Quiz
Call Us

Xero users: How to stay safe online

Xero’s Head of Security, Paul Macpherson, gives some tips to help all Xero users stay safe online. If at any time you have concerns about your security, contact us immediately, or email phishing@xero.com.

We’ve recently noticed an increase in the volume of phishing attacks and malware scams. This is an industry-wide problem for business software, online banking and other websites.

Our security team has been tracking a small number of incidents—the result of phishing attacks, where a handful of Xero usernames and passwords have been obtained—we recommend that Xero users update their anti-malware (anti-virus, anti-spyware), and change their passwords.

Security is a key focus for us at Xero. We’ll continue to share our security updates and best practices with you.

Our team is continuously looking for patterns of malicious activity and will notify users when we believe there to be a problem – much like when your bank contacts you if they believe your card has been used fraudulently.

We have been building in additional system controls to give our customers further protection against such incidents. For example, on your Xero dashboard you can check when you last logged in, and the location of those logins, including IP address. If you don’t recognize the location or date of the last login, please contact customer support: phishing@xero.com.

It is critical that you maintain best practices inside your business. Staying safe online will protect not just your data, but your customers and employees.

Following are just a few of the things to watch out for, and if you ever suspect your Xero account has been compromised you can get in touch with our Security Response Team at phishing@xero.com.


Passwords are first line defence

  • When you’re trying to protect information from intruders, it’s crucial you pick strong passwords that can’t be easily cracked.
  • Use a complex password made up of numbers, letters and special characters ($,#,%,&, etc). The longer your password is, the harder it is to guess.
  • Change passwords regularly – the more often the better. This helps maintain a strong security status.
  • Don’t stay logged in to financial programs (don’t check the ‘remember me’ box).
  • Use different passwords for different applications because if a hacker figures out one, they haven’t got the master key and any damage can be limited. This means the password you use for your online banking shouldn’t be the same as your Facebook or Xero login.
  • Never share your account details with anyone. Not even really good friends or close colleagues. They can unknowingly pass it on or maybe even use it themselves. Best bet is to keep your password to yourself.


You can find further tips here to ensure your sensitive data remains secure.


Make sure your computer is secure

You can have the most complicated password in the world, but if a hacker is already inside your computer, it’s no good.

Use reputable anti-malware (anti-virus, anti-spyware) software on all of the devices you use and keep this updated with the latest signatures to stop keyboard loggers or malicious software from snooping on you and stealing your information.  Also ensure your operating system and applications are kept up to date with the latest security patches, to minimise the risk of vulnerabilities that can be exploited.


Phishing and malicious emails

Phishing is an email that looks like it comes from a trusted source, like Xero or your Bank, but doesn’t. The email will attempt to trick you into providing passwords and other important data.

You can protect yourself and your business by being aware of these scams, and by knowing what to look for that may help you identify a malicious email.

If an email looks even in the slightest bit unusual – don’t click it. Check with us first before clicking on any links you are unsure about.

Here are six phishing warnings to watch out for:

  • Incorrect spelling or grammar. Legitimate organizations don’t always get it 100% right, but be suspicious of emails with basic errors.
  • The actual linked URL is different from the one displayed – hover your mouse over any links in an email (DON’T CLICK) to see if the actual URL is different.
  • The email asks for personal information that they should already have, or information that isn’t relevant to your business with them.
  • The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the bank’s website via the URL you would normally use, or phone them. Don’t click on the link in the email.
  • The email says you’ve won a competition you didn’t enter, have a parcel waiting that you didn’t order, or promises huge rewards for your help. On the internet, if it sounds too good to be true then it probably is.
  • There are changes to how information is usually presented, for example an email is addressed to “Dear Sirs” or “Hello” instead of to you by name, the sending email address looks different or complex, or the content is not what you would usually expect.


If you suspect you’ve received a phishing or malicious email, which purports to be from Xero or uses Xero’s logo, do not click on anything in the email – please report it by forwarding the email to phishing@xero.com.