Protecting your Xero Organisation Online Security

Important information – Protecting your Practice’s online security

We have seen an increase in phishing scams using Xero’s branding. A phishing scam is when a malicious email targets people by pretending to be from a legitimate company, like Xero or a bank, to gain sensitive information such as login credentials.

We are aware of some customers falling victim to phishing scams. Cyber-crime is an issue globally, and scams are increasingly becoming more sophisticated. We each have a responsibility to be vigilant and can follow some simple steps to protect our online safety.

How to protect your online security

As a Xero user we strongly advise you to take the following steps to help minimise the chances of your online safety being compromised – this includes making it a priority to reset your password.

  1. Check for malware. Firstly, you should check that malware has not been installed on your computer. You can do this by ensuring you have the latest security software. Update your anti-malware (anti-virus, anti-spyware) and run a full scan on your computer. Make sure you get your anti-malware from a reputable source. Sometimes what can look like genuine software is actually malware in disguise. If in doubt, run as a preliminary check. Malware is one of the easiest ways for hackers to get access to your device, so it’s important to take this seriously.
  2. Reset your password. We strongly encourage you to change your password regularly. The best way to reset your password is to follow the My Xero Password instructions in our Xero Business Help Centre. We recommend using a different password for Xero than for other applications you access and turning off your password auto save.
  3. Do not share your password. To keep yourself safe online, do not share your password with anyone. There is no need to share login details within Xero. You can easily add new users to your account and provide them with their own login and access rights.
  4. Check your login page is safe. Always login through the page. Check for the padlock safety symbol in the URL bar.
  5. Be wary of suspicious emails. If you receive a Xero-branded email that is unusual or doesn’t look quite right, make sure you:
  • Do not click on any link or attachment contained in the email.
  • Do not reply to the email.
  • Report the email by forwarding it to
  • Delete the email.

Xero’s security

We would like to assure you that Xero systems have not been compromised. Investigation by KPMG’s Cyber Security Practice has confirmed that there is no evidence that this activity is a direct attack on Xero or its security services, or that Xero systems have been compromised in any way.

Xero takes security very seriously. If we were to ever identify any malicious activity in relation to your account, we may take the precautionary step of disabling your account temporarily, and would notify you immediately.

We’ve put together some information to help you stay safe online. If you’ve got any questions or would like to know more, take a look at our security page.


The Xero Team and Balance Books

Sally Hams

Get in Touch


Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.