Scammers gain access to Xero customers' accounts
Fake email imitated Xero branding, and successfully tricked some users into revealing their logon details.
Xero has sent customers an email advising them to change their passwords after a "small number" were caught out by a phishing scam — or a fake email, imitating Xero's branding, used by hackers to trick people into revealing their logon details.
"We're aware of a small number of Xero customers in Australia falling victim to phishing scams and someone has gained unauthorised access to their account login details and passwords," Xero head of corporate communications Alex Mercer tells NBR ONLINE.
"We have proactively communicated to those customers where an issue has been identified."
The company hasn't commented on exactly how many customers were affected or if any harm was done to their accounts.
Ms Mercer says stronger protection is on the way. "Two-factor security is in testing phase, so we’re on track to deploy it soon." Two-factor security gives users the option to add a second layer of authentication beyond a password, often a one-time code sent by text message.
While a small number of customers were affected, a blooper on Xero's part saw its warning email sent to a wider group of people than intended (including yours truly).
"We sent an email advising some customers about resetting their password but it ended up sending to a broad base of people in error. While it was sent in error, we think it is a useful reminder to change passwords frequently. And customers will still benefit from making a password change," Ms Mercer says.
Xero Australia MD Chris Ridd says, "When the phishing campaign first started a few weeks ago, we commissioned KPMG to audit our systems for security issues and vulnerabilities, and we got a clean bill of health."