Fake accounting software alerts (Xero, MYOB & more)
Accounting-software scams are fake emails, invoices and texts that impersonate platforms like Xero, MYOB, QuickBooks and Reckon — 'billing failed', 'account suspended', 'view your invoice' — to trick businesses into logging in on a fake page or opening a malware-laden attachment. They peak around EOFY, when invoices and account messages look routine.
This guide explains how the scam works, the warning signs to watch for, and what to do if you've been caught out. Got a specific message in front of you? Check it now and get an instant verdict.
How this scam works
A scammer sends a message branded as your accounting platform — an overdue invoice, a failed-payment or 'subscription expired' notice, an 'unusual sign-in', or an 'account suspended' warning — designed to make a busy business act without thinking. Clicking the link leads to a lookalike sign-in page that captures your username, password and any verification code; opening the attachment (often a zipped file) can install malware that steals banking logins. Because genuine platforms do email about invoices and billing, the fakes blend in — and scammers can spoof the real sender address, so the 'from' line alone proves nothing. Example — a scam email might read: "Your subscription payment failed. Update your billing details within 24 hours to avoid suspension: [link]". A genuine platform won't make you fix billing or 'verify' your account through a link in an unexpected message.
What the scam looks like
These composed examples show how the scam typically reads, with the tells that give each one away. Compare them against anything you've received.
Subject: Action required: your Xero subscription payment failed. We were unable to process your latest payment. Update your billing details within 24 hours at xero-billing-update[.]example to avoid suspension of your organisation's account.
What gives it away:
- A genuine platform won't make you fix billing or 'verify' your account through a link in an unexpected message; log in by typing the platform's address yourself and check billing there
- The link is a lookalike, not the platform's official domain
- The 24-hour suspension deadline is manufactured urgency; real billing problems come with grace periods, not countdowns
Subject: Overdue invoice attached. Please find attached your overdue invoice from MYOB. Download and open invoice_details[.]zip to review the amount owing before your account is referred to collections.
What gives it away:
- Accounting platforms don't send zipped attachments to open in order to 'view an invoice'; opening one can install malware that steals banking logins
- No business name, invoice number or account details: the vagueness lets one email target every recipient at once
- The collections threat exists to make you open the file before you think
QuickBooks alert: an unusual sign-in was detected on your account. Verify your identity now at quickbooks-verify[.]invalid or access will be suspended.
What gives it away:
- A link asking you to 'verify' your account is the classic credential harvest; a real sign-in alert is checked by opening the platform yourself
- The domain is not the platform's official site
- A sender name that looks right proves nothing; scammers can spoof it, so judge the request, not the sender
Who gets targeted, and when
Small and medium businesses, bookkeepers and accountants who live in these platforms daily. Anyone who receives invoices by email can be caught, because the fakes copy the routine billing messages a business expects to see. Sole traders doing their own books are especially exposed in busy periods, when an 'account suspended' notice feels like one more thing to clear quickly.
Activity climbs sharply around end of financial year, when businesses are reconciling accounts, chasing invoices and logging in to their accounting software constantly, so a billing or invoice email lands at a believable moment. Subscription-renewal and 'payment failed' lures also cluster around quarterly BAS periods, when logins to these platforms peak.
How to spot it
- An unexpected 'billing failed', 'subscription expired', 'account suspended' or 'unusual sign-in' email pushing you to act urgently
- A link asking you to log in or 'verify' your account — open the platform by typing its address yourself instead
- An attachment you're asked to open or run to 'view an invoice' or 'update' software
- A request to change or pay to new supplier bank details (invoice interception / business email compromise)
- A sender address that looks right but can't be trusted on its own — scammers spoof the real domain, so judge the message, not the sender
- A link that, when you hover over it, points to a domain that isn't the platform's official one
What to do if you have been targeted
- Don't click the link or open the attachment — close the message
- Open your accounting platform by typing its official address yourself (or using its app) and check your real billing and invoices there
- Before paying any invoice with new or changed bank details, phone the supplier on a number you already have to confirm
- If you entered your login, change your password immediately on the official site, turn on multi-factor authentication, and report it to the platform through its official security page (linked on each brand's page above)
- If you paid money or shared banking details, contact your bank straight away, and report it to Scamwatch
- Contact IDCARE for free support if business or identity data may be exposed
Where to report it
- Scamwatch — Report the scam to the ACCC's national scam service.
- ReportCyber — Report cybercrime and financial loss to the police.
- ACMA — Complain about scam texts and spam SMS, email or calls.
- Forward to 7226 (SCAM) — Forward the scam SMS to short code 7226 so carriers can block the source.
- IDCARE — Free identity and cyber support if your details were taken.
How to protect yourself
- Log in to your accounting platform only by typing its address yourself or using its official app; if a billing or invoice alert is real, it will be waiting there
- Never open attachments, especially zipped files, sent to 'view an invoice' from an unexpected email
- Phone suppliers on a number you already hold before paying any invoice with new or changed bank details
- Turn on multi-factor authentication for your accounting platform and your business email
- Slow down around EOFY and BAS time; that is exactly when scammers expect you to click without checking
Fake accounting software alerts in 2026
Fake accounting-platform emails remain a steady presence in Australian business inboxes, and the lure rotates with the calendar: 'subscription payment failed' and 'unusual sign-in' notices for most of the year, then a surge of invoice and billing themes around EOFY when the real platforms are busiest. Campaigns swap the brand name freely between Xero, MYOB, QuickBooks and Reckon while reusing the same lookalike sign-in page underneath, and some pair the email with a follow-up text to look more convincing. The habit that defeats them has not changed: never log in or pay through a link in an unexpected message; open the platform yourself and check your real billing there.
Related brands targeted by this scam
Scammers often impersonate these names in fake accounting software alerts (xero, myob & more). Here's how to tell a genuine message from a fake:
Check a suspicious message now
Paste the text or email you're unsure about and get an instant verdict — fake accounting software alerts (xero, myob & more) included, free.
Frequently asked questions
Why do accounting software scams spike around EOFY?
At end of financial year businesses are reconciling accounts, paying invoices and logging in to their accounting software constantly — so a fake invoice or billing email lands at a believable moment. Treat any unexpected account or invoice message with extra caution from June to October, and log in by typing the platform's address yourself.
The email looks like it's really from Xero / MYOB / QuickBooks — can the sender be faked?
Yes. Scammers can spoof a platform's real email domain, so a genuine-looking 'from' address doesn't prove a message is real. Judge the message by what it asks you to do, and never log in or pay through a link in an unexpected email.
I clicked a link or opened an attachment from a fake accounting email — what now?
Change your password on the platform by going to its official site directly, turn on multi-factor authentication, and run a security scan on your device. Report it to the platform and to Scamwatch, and if banking or business data may be exposed, contact your bank and IDCARE.
How do I report a fake Xero, MYOB or QuickBooks email?
Report it to the platform through its official security or phishing-report page, and to Scamwatch at scamwatch.gov.au so the National Anti-Scam Centre can track the campaign. If the scam arrived by text, forward it to 7226 (spells SCAM) so carriers can block the sender. If your business lost money or data, also report it to ReportCyber at cyber.gov.au.
How is an accounting software scam different from business email compromise?
They're close cousins. An accounting software scam impersonates the platform itself to steal your login or infect your device, while business email compromise uses a hacked or lookalike business email to redirect a genuine payment to the scammer's account. The same habits defeat both: log in by typing the address yourself, and confirm any change of bank details by phoning a number you already hold.
Related scam types
Other scams hitting Australians right now — know the warning signs:
Sources
- Email scams (Scamwatch (National Anti-Scam Centre))
- Business email compromise scams (Scamwatch (National Anti-Scam Centre))
- Phishing scams (Scamwatch (National Anti-Scam Centre))
This guide is general information, not legal or financial advice — if you've lost money, contact your bank and the reporting channels above straight away.