The Business Advisory Blog

The Business Advisory Blog

Insight, news and updates from Alliott NZ Chartered Accountants, Auckland New Zealand. The views expressed here are the views of the author and should be discussed in further detail should an article be relevant to your individual circumstances.

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents. Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.

Paul Macpherson, Head of Security at Xero
Published on

How to protect yourself and your business from email fraud

iphone inside screen-87Exploitation of email invoices to commit fraud and extortion is a growing problem and no one is immune. We have seen them targeting businesses – big and small – all over the world.

There are a number of ways you may be targeted:

  • via hacked email accounts, which are then used to send out fraudulent invoices that look just like the real thing, but with a fraudulent payment bank account number;
  • with a phishing email to gain access to information like your usernames and passwords, credit card details, and bank account numbers;
  • Or a bogus invoice email containing links and/or documents that deliver malicious software to your PC, such as ransom-ware or password stealers.

The latter has been reported to be on the rise in New Zealand. However, there are ways to protect yourself and your business from scams like these.

How it works:

  • A fraudster will send an email that looks like it’s come from a trustworthy source but is, in fact, attempting to trick you by getting you to click on a link that will infect your computer; follow a link to a fake but convincing looking website that will steal your login details; or open an attachment that will infect your computer.

If you’ve fallen for the scam, the cyber criminal may be able to steal or extort money from you, or use the information they gain access to for other attacks.

To better protect yourself and your business, it’s important to not only be aware of these scams, but understand how to combat them.

Be on the look-out for:

  1. Incorrect spelling or grammar. Emails with basic errors can be a dead giveaway (however, keep in mind that some organisations don’t always get it 100% correct).
  2. The email you’ve received comes from an address that isn’t the same as usual. For example, the difference may be as small as a change in email domain from, to
  3. The actual linked URL is different from the one displayed — hover your mouse over any links in an email (but DO NOT click it) to see if the actual URL is different.  The real URL will be displayed at the bottom of your browser window.
  4. The email asks for personal information that they should already have, or information that isn’t relevant to your business with them.
  5. The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the bank’s website via the URL you would normally use, or phone them. Don’t click on the link in the email.
  6. The email says you’ve got an invoice from a company you don’t deal with, or have a parcel waiting that you didn’t order.   They’re just trying to get you to click on the link or attachment to infect your computer.
  7. The email promises huge rewards for your help, you’ve inherited money from a relative you didn’t know you had, or won a competition you didn’t enter. Often this will be advance fee fraud, asking you to pay money to get more money, which you’ll never get.  On the internet, if it sounds too good to be true then it probably isn’t true.
  8. There are changes to how information is usually presented. For example: an email is addressed to “Dear Sirs” or “Hello” instead of to you by name; the sending email address looks different or complex; or the content is not what you would usually expect.
If you suspect you’ve received a phishing or malicious email, and it says it’s from Xero or uses Xero’s logo, do not click on anything in the email – please report it by forwarding the email to You can also read more security advice on Xero’s dedicated Security Page.