Scammers are sending out fake invoices that look exactly like they’re from Xero, MYOB, and Sage

Scammers are targetting Australian small businesses with fake emails pretending to be from reputable accounting systems like Xero, MYOB and Sage.

Tech security firm MailGuard has detected a new series of emails made to look like they were sent from MYOB and Xero, asking the recipient to open a supply order or invoice that needed to be reviewed and signed.

For an additional layer of complexity, the MYOB emails were sent “via DocuSign”, the brand of a legitimate electronic signature service. A flood of fake emails pretending to be from popular software Sage were also detected, sent from a domain registered in China.

Here’s a look at one of the fraudulent messages, looking very much like a legitimate Xero email:

Fake emails pretending to be from Xero. (Source: supplied)

MailGuard also provided us with this example of a scam message, posing as an email from Sage.

Fake emails pretending to be from Sage. (Source: supplied)

When users click on these messages, it transfers software to the recipient’s machine in a zip file, infecting their device. MailGuard did not specify the consequences of the malware, but typically these attacks result in either locking your device and demanding a ransom to release it, or recording keystrokes to harvest personal information.

MailGuard chief executive Craig McDonald said small businesses were targets for a good reason.

“Leveraging major accounting software brands that are popular with the SMB segment – like MYOB, Xero and Sage – the cybercrime networks may be chasing smaller businesses who don’t have a dedicated [information security] or IT team to help defend against scams.”

Xero head of security Paul Macpherson said fake invoice fraud was a “growing problem”.

“We have seen them targeting businesses — big and small — all over the world,” he said.

“We’re committed to the security of our customers’ data and provide multiple layers of protection for the personal and financial information entrusted to Xero, including two-step authentication and anomalous login detection. We’re also working closely with banks on safe payments initiatives to tackle this next level of fraud and educating customers on how to protect themselves against phishing scams and account takeovers.”

MYOB has previously told Business Insider that legitimate emails would only come from [email protected] or [email protected] addresses for its small business products. Hyperlinks to external sites always begin with

Xero’s Macpherson outlined the following warning signs that business and accounting staff can watch for to avoid trouble:

  • Incorrect spelling or grammar. Emails with basic errors can be a dead giveaway (however, keep in mind that some organisation don’t always get it 100% correct).
  • The email you’ve received comes from an address that isn’t the same as usual. For example, the difference may be as small as a change in email domain from, to
  • The actual linked URL is different from the one displayed — hover your mouse over any links in an email (but DO NOT click it) to see if the actual URL is different. The real URL will be displayed at the bottom of your browser window.
  • The email asks for personal information that they should already have or information that isn’t relevant to your business with them.
  • The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the bank’s website via the URL you would normally use, or phone them. Don’t click on the link in the email.
  • The email says you’ve got an invoice from a company you don’t deal with, or have a parcel waiting that you didn’t order. They’re just trying to get you to click on the link or attachment to infect your computer.
  • The email promises huge rewards for your help, you’ve inherited money from a relative you didn’t know you had, or won a competition you didn’t enter. Often this will be advance fee fraud, asking you to pay money to get more money, which you’ll never get. On the internet, if it sounds too good to be true then it probably isn’t true.
  • There are changes to how information is usually presented. For example: an email is addressed to “Dear Sirs” or “Hello” instead of to you by name; the sending email address looks different or complex; or the content is not what you would usually expect.