We’re now seeing phishing emails being sent from the @post-xero.com domain. The full From address is email@example.com, rather than Xero’s legitimate firstname.lastname@example.org address. We’ve started the process to get the @post-xero.com domain taken down.
Here’s an example of one of these latest phishing emails:

[Image: post-xero_example]

All of the examples we’ve seen so far from this latest phishing campaign have ‘Invoice INV00249’ in the subject line. However, this could change, so don’t assume an email is legitimate just because it doesn’t have this invoice number. They’re also using a variety of company names.
Check any Xero invoice email you receive to ensure it came from our email@example.com email address. Also check the destination URL of the online invoice before you click on the link. You can do this by hovering your mouse over the link in the email (DON’T CLICK) to see the actual destination URL, which is displayed at the bottom of your browser window.
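As an added example (not Xero’s code), here is a small Python script that applies the two checks above to a raw message: whether the sender domain is the expected one, and whether each link’s real destination (the href target you would see when hovering) points at a legitimate host. It assumes xero.com as the legitimate domain for illustration, and the sample message is constructed to resemble the campaign described here.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for illustration: the domain Xero's genuine invoice emails and links use.
LEGIT_DOMAINS = {"xero.com"}
# Lookalike sender domain named in the advisory.
KNOWN_BAD_DOMAINS = {"post-xero.com"}
# Subject marker seen across this campaign; the advisory warns it may change.
CAMPAIGN_SUBJECT_MARKER = "Invoice INV00249"
# The href target is what hovering over a link reveals, regardless of the link text.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def is_legit_host(host):
    """True when host is one of the legitimate domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def assess_email(raw):
    """Apply the advisory's two checks: sender domain and real link destinations."""
    msg = email.message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    suspicious_sender = not is_legit_host(sender_domain)
    if sender_domain in KNOWN_BAD_DOMAINS:
        findings.append(f"sender domain {sender_domain} is a known phishing domain")
    elif suspicious_sender:
        findings.append(f"sender domain {sender_domain} is not a legitimate domain")
    if CAMPAIGN_SUBJECT_MARKER in msg.get("Subject", ""):
        findings.append("subject matches the current campaign marker")
    html = ""
    for part in msg.walk():  # handles both single-part and multipart messages
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", "replace")
    bad_links = [u for u in HREF_RE.findall(html)
                 if not is_legit_host(urlparse(u).hostname)]
    findings += [f"link destination is not a legitimate host: {u}" for u in bad_links]
    return {"sender_domain": sender_domain, "bad_links": bad_links,
            "findings": findings, "phishing": suspicious_sender or bool(bad_links)}

# Constructed sample message modelled on the campaign described in the post.
SAMPLE = """From: Xero <invoices@post-xero.com>
To: accounts@victim.example
Subject: Invoice INV00249
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is ready.</p>
<a href="http://post-xero.com/view/INV00249">View your online invoice</a></body></html>
"""
```

Running `assess_email(SAMPLE)["findings"]` lists the mismatched sender domain, the campaign subject marker and the non-Xero link target; a message whose sender and links all resolve to the legitimate domain returns `phishing: False`.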
If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.
Reference: Xero Security Blog