  1. 415 votes

    Hi team, we appreciate the ongoing support and feedback we're receiving on this idea and are pleased to be able to share this update. Our product team are actively exploring how we can best solve for the needs raised here, although at this time they are unable to provide any set timeframes.

    They are very much aware of the appetite from our community on this, and as part of their exploration have reached out to some users here as they gather insights.

    For the time being we'll shift to In discovery and I'll return as soon as there is more on this to share.

    Gavin Wilkinson supported this idea

    Gavin Wilkinson commented:

    I agree with the diagnosis that it is passing SPF/DMARC. They are also allowing the messages on a subdomain used for financial comms.

    If the reason for not tackling it is to allow free trials, they could at least bump free accounts onto a different subdomain.

    I understand the appropriate action is to forward any examples as an attachment to phishing@xero.com.

    For such a major vendor and persistent security issue, it could go to the National Cyber Security Centre (NCSC) in the UK - see if they can communicate with Xero about it.

    Gavin Wilkinson commented:

    Here's an example of something that looks wrong and shouldn't be happening.

    It's an email from xero.com but for a company recruiting for AirBnB by asking to click a link.

    To me, this stuff should not come from xero.com; it's what gets our invoices blocked.

    Gavin Wilkinson commented:

    I receive job offers saying they are from Ferrari or Chanel, etc. and when I look at the address, it is a post.xero.com address.

    There is no way these places would be offering me a job and they are clearly phishing. The trouble is that I can't flag them as such because it would mess with our billing and payroll. Nightmare.

    Letting us send from our domain would be ideal. I can't think of any other platforms we use that don't allow this.
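An added example, not code from the thread or from Xero, of the triage distinction the comments above draw: mail that passes DMARC for post.xero.com is genuinely sent by the platform on behalf of a tenant, so a mailbox-side rule should route it to a review queue (and forward the sample to the vendor's abuse address) rather than flag the domain that also carries invoices and payroll. The SHARED_SENDERS set, the verdict names and the sample headers are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the thread identifies as Xero's shared notification infrastructure.
# Constructed policy for this example; extend with the shared senders your tenant sees.
SHARED_SENDERS = {"post.xero.com", "xero.com"}

# Pulls spf/dkim/dmarc verdicts out of an Authentication-Results header.
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|temperror|permerror)\b", re.I
)


def auth_results(msg):
    """Collect the last spf/dkim/dmarc verdict from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT_RE.findall(header):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw):
    """Return (disposition, from_domain, verdicts) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    results = auth_results(msg)
    if results.get("dmarc") != "pass":
        # Not authenticated for the From domain: leave it to the domain's own DMARC policy.
        return ("dmarc-policy", domain, results)
    if domain in SHARED_SENDERS:
        # Authenticated platform mail sent for a tenant. Blocking the domain would also
        # stop invoices, so hold the message for review and report the sample to the
        # platform's abuse mailbox (the thread names phishing@xero.com) instead.
        return ("review", domain, results)
    return ("deliver", domain, results)


# Constructed sample resembling the recruiting mail described in the thread.
SAMPLE = """From: "Careers Team" <notifications@post.xero.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=post.xero.com; dkim=pass header.d=post.xero.com; dmarc=pass header.from=post.xero.com
Subject: Job offer

Please click the link to accept.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```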