
  1. 412 votes


    Hi team, we appreciate the ongoing support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time they are unable to provide any set timeframes.

    They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.

    For the time being we'll shift this to In discovery, and I'll return as soon as there is more on this to share.

    Christopher Dunham commented ·

    Once again, I don't work for Xero. If a company specializing in finance (Xero) is stupid enough to allow anybody who signs up for an account to send invoices from the same address as legitimate customers, then I am going no further than raising it in their forum. Which I did, and this is that forum, hence you are seeing it. I am not going to spend hundreds of hours trying to tell a company how naughty they are for not doing the job properly. Firstly it won't get anywhere as they already know, and secondly I am not a charity for rich global enterprises cutting corners on cyber security.

    You seem to think Xero don't know about this; the chances of that are 0%. Xero know, and are not interested, as they will claim those defrauded should not have paid an invoice from a shared email address.

    This gets treated as any other phishing email does. Marked as fraud to teach the junk filters at Microsoft to block it.

    Christopher Dunham commented ·

    We absolutely will correctly mark them as phishing. The security of Xero is not something of my concern; they are not my client and I am here to protect my clients. Xero have been informed many times on this thread that anybody can sign up and send invoices from their email address, and huge amounts of those invoices are simply pretending to be from other companies. It's really not hard to figure out, and is not technical whatsoever. The fraudsters know many companies use Xero and thus send out fake invoices from Xero accounts; I don't really get what's hard to understand about this? The chances Xero don't know about this are about 0%; they are not interested.

    Anybody thinking I am going to spend the next 3 years trying to tell Xero this is a bad idea is absolutely insane; every single reply on this thread tells Xero it's a bad idea to let anybody sign up to an account and send invoices from the same email as legitimate clients.

    Xero have no interest in this; they just say it's not their problem if somebody pays an invoice they shouldn't have.

    I don't really see why people think I should make it my lifelong mission to get Xero to change their mind, rather than just block this Xero address. Why, by the way, many other IT / cyber security providers also block this, and it's probably the number 1 known fraud address globally as it opens an easy path to payments.

    I could sign up to Xero tomorrow with a pretend company and send out invoices and see who pays; it's so easy. Like I said, Xero already know. No sympathy for them of people blocking their emails.

    Christopher Dunham commented ·

    Good luck with that and enjoy. We had 335 fraud emails today across 2000 people, and they are the ones reported. I won't be using my 11 staff to spend their entire working year chasing 335 new vendors each day.

    If a vendor can't secure their system they are on the blacklist. End of.

    Thanks, and I wish you all a good day.

    Christopher Dunham commented ·

    Great, you mean like this never-ending thread of responses of people telling Xero how insecure their platform is, allowing anybody to send emails from Xero, and Xero responding saying it's not an issue. E.g. they already know these Xero emails are not secure, so I see no point to this.

    Anybody receiving these emails has already raised / followed the cyber security issue with Xero. Xero are not interested; if they were, we wouldn't have them blocked on every client system due to high-risk fraud.

    Christopher Dunham commented ·

    Great, go and knock on Xero's door then and tell their CISO they have an insecure platform and you will fix all their issues for them. Then repeat it for every company in the world with an insecure issue.

    Then when finished virtue signaling go and actually look after your clients.

    Christopher Dunham commented ·

    Why would I do that? We provide cyber services to our clients; if Xero have an issue with fraud it's not my problem. We get hundreds of things like this a day, and Xero are not our client. We use Xero for our finances but a third party sends our invoices for us. More simply, raising awareness here as a small cyber security provider: we block the post.xero address in our client systems as it is a known fraud address.

    Christopher Dunham commented ·

    Tim - I am not a fan of these long trails; however, the emails certainly are being sent from Xero systems. They match the SPF records exactly. The spammers simply sign up for a Xero account and then send the spam.

    We investigate these Xero fraud emails weekly as a cyber security company; they nearly always match the SPF and DMARC and pass. If you don't know what these are then just take it from me: they are sent from Xero.

    Christopher Dunham commented ·

    Kelly - Just FYI, I run a small cyber security company. We only support around 2000 people; however, we have these Xero scams every week from post.xero.com. We have to tell our clients it is an untrusted address. We use a third-party paid tool for our invoices syncing to Xero, but it is terrible that we see these scams every single week from Xero without fail.

    Christopher Dunham commented ·

    There is absolutely no way anybody should be putting their financial information through a free email app. Anybody could then harvest your invoice details and use them for scams.

    Christopher Dunham commented ·

    "everyone with a gmail, outlook etc account would, do what" - Simply not turn the feature on? We can't lower our standards to the least capable people using the system. If they can't figure out simply not to turn the feature on, then maybe they should not be using the system at all.

    Christopher Dunham commented ·

    Anything in business is difficult if you don't know how; that doesn't mean the option should not be open for companies who have even the most basic competent IT person (it's not a hard task).

    We are a small cyber security company and we see fraud / spam from Xero almost weekly.

    Christopher Dunham commented ·

    A client got the below today from Xero, clearly spam / fraud.

    Clients are insisting we block the address (we are their IT), but that will block our own invoices.

    From: messaging-service@post.xero.com <messaging-service@post.xero.com> on behalf of T͏e͏s͏l͏a͏ Recruitment Team <messaging-service@post.xero.com>
    Sent: 27 June 2025 08:59
    To: ***************************************
    Subject: Social Media Manager Opportunity at Tesla
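    The header quoted above shows the pattern the thread keeps describing: a display name claiming a well-known brand on top of the platform's shared From address, with the brand name padded by U+034F combining grapheme joiners so a naive keyword filter does not match it. The following is an added detection example written for this thread, not Xero's code and not part of the original post. The sample From line is constructed after the quoted header (the recipient was redacted on the page), and the brand watch-list is an assumption a tenant would replace with its own.

```python
"""Flag display-name brand claims on a shared-platform From address (added example).

Illustrative code for this thread, not Xero's. SAMPLE_FROM is constructed after
the header quoted in the comment above and carries the same U+034F combining
grapheme joiners between the letters of the brand name; WATCHED_BRANDS is an
assumption standing in for a tenant's own list.
"""
import re
import unicodedata

# Domain the thread identifies as the shared sender for every Xero tenant.
SHARED_PLATFORM_DOMAINS = {"post.xero.com"}
# Assumption: brands this tenant's filter cares about.
WATCHED_BRANDS = {"tesla", "microsoft"}

# Constructed sample header; the recipient in the original was redacted.
SAMPLE_FROM = (
    "messaging-service@post.xero.com <messaging-service@post.xero.com> on behalf of "
    "T\u034fe\u034fs\u034fl\u034fa\u034f Recruitment Team <messaging-service@post.xero.com>"
)

_NAME_ADDR = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$")


def normalize_display_name(name):
    """Decompose, drop combining marks and format characters, then case-fold.

    Combining marks and zero-width format characters between letters render
    invisibly but break a plain substring match on "Tesla".
    """
    decomposed = unicodedata.normalize("NFKD", name)
    cleaned = "".join(
        ch for ch in decomposed if unicodedata.category(ch) not in ("Mn", "Cf"))
    return cleaned.casefold()


def parse_from(header_value):
    """Return (display_name, address), handling Outlook's 'X on behalf of Y' form.

    The part after 'on behalf of' is the RFC 5322 From, which is what the
    recipient sees as the sender.
    """
    if " on behalf of " in header_value:
        header_value = header_value.split(" on behalf of ", 1)[1]
    m = _NAME_ADDR.match(header_value)
    if not m:
        return "", header_value.strip()
    return m.group("name").strip('" '), m.group("addr")


def flag_brand_mismatch(from_header):
    """Return the watched brands a display name claims while the address sits on
    a shared platform domain that does not belong to that brand, else None."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain not in SHARED_PLATFORM_DOMAINS:
        return None
    norm = normalize_display_name(name)
    hits = sorted(b for b in WATCHED_BRANDS if b in norm and b not in domain)
    return hits or None


if __name__ == "__main__":
    print(normalize_display_name("T\u034fe\u034fs\u034fl\u034fa\u034f Recruitment Team"))
    print(flag_brand_mismatch(SAMPLE_FROM))  # ['tesla']
    print(flag_brand_mismatch("Billing <billing@smallbiz.example>"))  # None
```

    Messages that hit this rule are a good quarantine candidate rather than an outright block, since the thread also shows that a tenant's own genuine invoices arrive from the same address.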

    Christopher Dunham commented ·

    I don't see the relevance of adding a logo, Tim; it is entirely unrelated to the subject in hand.

    Christopher Dunham commented ·

    Are Xero liable for any fraud invoices sent to my clients from their domain?

    "a feature of this kind is rather complex". I guess that says something about the Xero development team if this is considered too complex when even free WordPress plugins offer it.

    Christopher Dunham commented ·

    That is not how it works at all, Tim. Anybody can update their email domain's "SPF" record to allow any server to send....
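    The two points made in this thread about SPF, that a domain owner can authorize a third-party platform's servers in its own record, and that the fraud emails "match the SPF and DMARC and pass", are easiest to see with a small evaluator. The block below is an added example written for this thread, not Xero's code and not from the original posts. The DNS table it consults is constructed in memory: the IP ranges, the smallbiz.example domain and the record it shows for post.xero.com are assumptions for the demonstration, not anyone's real records.

```python
"""Minimal SPF evaluator plus DMARC relaxed SPF-alignment check (added example).

Illustrative code for this thread, not Xero's. DNS_TXT is a constructed
stand-in for TXT lookups: every record and IP range in it is an assumption,
including the one listed under post.xero.com.
"""
import ipaddress

# Constructed TXT records (assumption: not the real records of any domain).
DNS_TXT = {
    "post.xero.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # A customer that authorizes its own mail server and the platform's servers.
    "smallbiz.example": "v=spf1 ip4:198.51.100.10 include:post.xero.com -all",
}

# Domain the thread identifies as the shared sending address for every tenant.
SHARED_PLATFORM_DOMAINS = {"post.xero.com"}


def spf_authorizes(domain, ip, depth=0):
    """Return True if `ip` may send mail for `domain` under its SPF record.

    Supports only ip4:, include: and the *all terms, which is all the demo
    needs; depth is capped in the spirit of the RFC 7208 lookup limit.
    """
    if depth > 10:
        return False
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term.startswith("include:"):
            if spf_authorizes(term[8:], ip, depth + 1):
                return True
        elif term.endswith("all"):
            return term in ("all", "+all")  # -all / ~all / ?all: no match
    return False


def organizational_domain(domain):
    """Simplified: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(envelope_from, header_from, sending_ip):
    """Classify a message the way a receiving filter sees it.

    Returns the SPF result, whether DMARC relaxed SPF alignment holds, and
    whose identity the pass actually vouches for. A pass on a shared platform
    domain says the message came from the platform, not who the tenant is.
    """
    env_domain = envelope_from.rsplit("@", 1)[1]
    hdr_domain = header_from.rsplit("@", 1)[1]
    spf_pass = spf_authorizes(env_domain, sending_ip)
    aligned = spf_pass and (
        organizational_domain(env_domain) == organizational_domain(hdr_domain))
    if aligned and hdr_domain in SHARED_PLATFORM_DOMAINS:
        vouched = "platform only"
    elif aligned:
        vouched = "sender domain"
    else:
        vouched = "none"
    return {"spf": "pass" if spf_pass else "fail",
            "dmarc_spf_aligned": aligned,
            "identity_vouched_for": vouched}


if __name__ == "__main__":
    # A genuine invoice and a fraudulent one sent through the same platform
    # account type produce an identical authenticated result.
    for label in ("genuine tenant", "fraudulent tenant"):
        print(label, evaluate("bounce@post.xero.com",
                              "messaging-service@post.xero.com", "203.0.113.7"))
    # A customer sending as its own domain, relayed by the platform via include:.
    print("own domain", evaluate("bounce@smallbiz.example",
                                 "billing@smallbiz.example", "203.0.113.7"))
    # A server the customer never authorized fails SPF for that domain.
    print("unauthorized", evaluate("bounce@smallbiz.example",
                                   "billing@smallbiz.example", "192.0.2.44"))
```

    The "own domain" case is the feature the idea asks for: with an include: term in the customer's own record, invoices sent as billing@smallbiz.example still pass and align, while the "platform only" result shows why a pass on the shared address cannot separate a real tenant from a fraudulent one.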

    Christopher Dunham commented ·

    It's not a "fake" email address.

    As an IT provider, nearly all of our clients use multiple systems to send from their email domain :) It's very normal and not hard to do at all.

    Christopher Dunham commented ·

    We just had a response back from a client as to why an invoice of 15% of our year's revenue was delayed; apparently it went to their junk. The bank overdraft fees on this one are significant.

    Really weighing up whether we can continue with Xero without being able to send emails from our domain on automated invoices. It is a lot of hassle to move, but the alternative is starting to look worse...

    Such a simple thing to fix...

    Christopher Dunham commented ·

    At least give the choice! If companies cannot configure their SPF then that is their problem and it should not hold back the rest of us....

    Christopher Dunham commented ·

    Sure, I had assumed you could just download the pdf invoice and send it out anyway in your use case......

    Christopher Dunham commented ·

    Perry - that's not going to work for any companies which automate their invoices. We rarely send out an invoice individually.

    This issue is such a shame, as other than this Xero is great, but it's all for nothing if clients don't get the invoices.

    Christopher Dunham supported this idea  ·