Skip to content

Is this invoice or account email from Xero a scam?

Researched & maintained by Scam ScannerLast updated 2 July 2026

No. Xero is a legitimate cloud accounting platform, founded in New Zealand and relied on by a large share of Australian small businesses. Because so many businesses see Xero emails daily, scammers hide behind the brand with fake billing-failed alerts, lookalike login pages and malware attachments dressed up as invoices. The good news: a few quick checks almost always tell a real Xero message from a fake.

Genuine Xero links lead to xero.com — but a link can be made to look real, so don't go by the link alone. Below is exactly what a real Xero message looks like, the scams currently circulating in its name, the red flags that give a fake away, and a real example to compare against. Got a message in front of you? Check it now for an instant verdict.

What a real Xero message looks like

Genuine messages from Xero link to xero.com. Treat a link to any other address as a warning sign.

  • Genuine Xero emails come from a xero.com address (such as @xero.com, @post.xero.com or @support.xero.com) — but a sender address can be spoofed, so judge the message, not just the sender
  • Don't act on an unexpected invoice, billing or 'verify your account' email by clicking its link — sign in by typing xero.com yourself or using a saved bookmark or the Xero app
  • Turning on multi-factor authentication (MFA) protects your Xero account even if your password is phished — genuine prompts don't ask you to confirm your login through an emailed link
  • If a Xero email seems off, check it against the guidance on Xero's official security page before acting

What Xero will never do

  • Ask you to confirm your login through an emailed link (genuine prompts don't; sign in by typing xero.com yourself, using a saved bookmark or the Xero app)
  • Need you to open an attachment, often a zipped file, to 'view an invoice' or 'update' something
  • Ask for your password, MFA code or banking details by email or SMS (no legitimate accounting platform does)
  • Hide a genuine billing problem from your account; if a 'failed payment' email is real, the same status shows when you sign in at xero.com directly

Common Xero scams

  • Fake 'invoice', 'billing failed' or 'subscription expired' emails using Xero branding that link to a lookalike Xero login page to steal your credentials
  • 'Verify your account' or 'unusual sign-in' emails that pressure you to log in through a link
  • Emails carrying attachments — often zipped files — that install malware when opened
  • Scams timed to EOFY, when businesses are working in Xero daily and a billing or invoice email looks routine

Red flags to watch for

  • An unexpected email asking you to log in to Xero or 'verify' your account through a link
  • A sender address that isn't a xero.com address — though a matching address doesn't prove it's genuine, since the domain can be spoofed
  • An attachment you're asked to open or run to 'view an invoice' or 'update' something
  • Urgent wording about a failed payment, expired subscription or suspended account
  • A link that, when you hover over it, points to a domain that isn't xero.com

Xero scam examples

These composed examples show how scams impersonating Xero typically read, with the tells that give each one away. Compare them against anything you've received.

Example scam emailExample only. Not a real message.

Subject: Action required: Xero subscription payment declined. Your latest payment could not be processed and your organisation will be moved to read-only access tonight. Restore full access now at xero-billing-portal[.]example.

What gives it away:

  • Hovering the link shows a domain that isn't xero.com; lookalike login pages exist purely to steal your credentials
  • Same-day 'read-only tonight' pressure is manufactured; a real billing problem is still there, calmly, when you sign in at xero.com yourself
  • Genuine prompts never ask you to confirm your login through an emailed link
Example scam emailExample only. Not a real message.

Subject: New invoice from your supplier via Xero. A new invoice has been shared with you. Download the attached file (Xero_Invoice_8834[.]zip) to review the details and remit payment this week.

What gives it away:

  • The zipped attachment is the danger: Xero-branded emails carrying zipped files that install malware are a known campaign pattern
  • Real invoices are viewed by signing in to Xero, not by running a downloaded archive
  • The email names no supplier and no amount; the vagueness lets one template target thousands of businesses at once

Not sure about your message?

Paste the suspicious Xero text or email and get an instant scam verdict, free.

See all free scam checker tools →

How to verify a message from Xero

Xero's real website is xero.com and the official app is the Xero app. Reach Xero through those channels, never through the details inside a message you're unsure about.

  1. Don't click the link or open the attachment in the message itself
  2. Sign in by typing xero.com into your browser, using a saved bookmark or the Xero app, and check whether the billing alert or invoice actually exists there
  3. If you're still unsure, contact Xero support through xero.com rather than any address in the email
  4. Compare the message against the guidance on Xero's security page (linked below)

If you have been scammed in Xero's name

Clicked the link, paid, or shared details? Act now. The first hour matters more than anything else you do later.

  1. Change your Xero password immediately by going to xero.com directly, and change it anywhere else you reused it
  2. Turn on multi-factor authentication if you haven't already, so a phished password alone can't open your account
  3. If you opened an attachment, run a full security scan before using the device for payroll or banking, and if banking details were entered, call your bank to block the card and dispute charges
  4. If payroll or identity data may be exposed, contact IDCARE (idcare.org) for free identity support
  5. Report the scam to Scamwatch and ReportCyber using the links below, and forward any scam SMS to 7226

Where to report a scam impersonating Xero

Received — or fell for — a message impersonating Xero? Report it. It helps authorities and carriers shut the campaign down for everyone who gets the next one.

  • Xero scam alerts Xero's own page on current scams and how to report one.
  • ScamwatchReport the scam to the ACCC's national scam service.
  • ReportCyberReport cybercrime and financial loss to the police.
  • ACMAComplain about scam texts and spam SMS, email or calls.
  • Forward to 7226 (SCAM)Forward the scam SMS to short code 7226 so carriers can block the source.
  • IDCAREFree identity and cyber support if your details were taken.

Latest Xero scams in 2026

Current Xero impersonation rides the platform's own rhythm: businesses expect Xero emails constantly, so a 'billing failed', 'subscription expired' or shared-invoice message slips past tired eyes, particularly through EOFY when Xero is open all day. Recent waves alternate between credential theft, a link to a pixel-perfect fake login page, and malware, a zipped 'invoice' attachment. The tell that survives every redesign is the destination: hover the link and it isn't xero.com. The defence that survives too: sign in only by typing xero.com, a saved bookmark or the Xero app, keep MFA on, and let any real billing issue prove itself inside your account.

Frequently asked questions

How do I know if a Xero email is genuine?

Genuine Xero emails come from a xero.com address, but a sender address can be spoofed — so don't rely on the sender alone. Don't click links in the message; sign in by typing xero.com yourself or using the Xero app, and check whether the prompt is really there. You can report a suspicious email through Xero's security page.

I got a Xero 'invoice' or 'billing failed' email with a link — is it a scam?

Treat it as suspicious. Scammers send Xero-branded invoice and billing emails that link to fake login pages or carry malicious attachments. Don't tap the link or open the attachment — log in at xero.com yourself to check your real billing status.

What should I do if I entered my Xero login on a fake page?

Change your Xero password immediately by going to xero.com directly, turn on multi-factor authentication if you haven't already, and contact Xero support. If business banking or payroll data may be exposed, also contact your bank and IDCARE.

What is Xero's real website?

Xero's only official website is xero.com, and genuine emails come from xero.com addresses such as post.xero.com and support.xero.com. Sign in by typing xero.com, using a saved bookmark or the Xero app rather than an emailed link. If a login page's address is anything other than xero.com, it is a fake.

How do I report a Xero phishing email?

Report it through Xero's security page at xero.com/au/security/ so Xero can act on the campaign, and to Scamwatch at scamwatch.gov.au so the National Anti-Scam Centre can track it. If money was lost or your account was accessed, also report to ReportCyber at cyber.gov.au. Scam texts can be forwarded to 7226 (spells SCAM).

Related scam types

Scams impersonating Xero usually fit one of these patterns. Learn how each works:

Related brands

Other accounting names scammers impersonate — check a message from one:

Sources

This guide is general information, not legal or financial advice — always verify with Xero through an official channel.