This is an important reminder to remain vigilant with your online security. Cyber crime is an issue globally, and scams are increasingly becoming more sophisticated. We strongly advise you to read the information below to help minimise the chances of your online safety being compromised.

We are aware of ‘phishing’ scams currently targeting individuals with phone calls and emails that purport to be from the ATO and Xero.

What is a phishing scam?

A phishing scam aims to obtain information about you or gain access to your online accounts in order to steal confidential information. Scammers may use this confidential information in order to commit identity fraud.

Scammers do this by sending emails and making phone calls to individuals, purporting to be from a legitimate organisation. In both cases the email or the phone call may appear to be legitimate, and unsuspecting individuals unwittingly provide confidential information.

Phishing emails contain links that, when clicked, may install malicious software (‘malware’) designed to steal passwords that are entered into websites and applications, or may take you to a website that asks you to provide your login details.

Below are specific examples and how you should deal with them.

ATO Scams

Phishing scams purporting to be from the ATO are aimed predominantly at obtaining Tax File Numbers in order to lodge false tax returns. They may also ask you to make payment for outstanding tax liabilities that do not exist.

Recent ATO phishing scams have taken the form of both phone calls and emails. Phone calls can be from a live person or an automated message. In the case of the latter it will always be a scam: the ATO does not use automated calling to contact taxpayers.

If there is a live person on the phone, ask them for a reference number, hang up, and call the ATO back on the relevant number found on its website. Alternatively, contact us as your tax agent and we will call the ATO on your behalf to verify the legitimacy of the call.

If you receive an email from the ATO:

  1. Do not click on any link or attachment contained in the email.
  2. Do not reply to the email.
  3. Take note of any identifying information in the email and contact us or the ATO by phone (do not forward the email to us).
  4. Delete the email.

Remember that your tax file number is highly confidential. If you believe that your information may have been compromised (for example, you provided information over the phone or replied to an email), please contact us.

Xero Scams

Phishing scams targeting Xero users are also aimed at obtaining tax file numbers. See this blog article for further information about phishing scams targeting Xero users.

If you receive a suspicious email from Xero make sure you:

  1. Do not click on any link or attachment contained in the email.
  2. Do not reply to the email.
  3. Report the email by forwarding it to if it is Xero-branded (do not forward it to us)
  4. Delete the email.
  5. Advise us (mi-fi) of the action you have taken above.

Further Actions to Take

In light of these recent scams we urge you to do the following:

Check for malware

You should check that malware has not been installed on your computer. You can do this by ensuring you have the latest security software. Update your anti-malware (anti-virus, anti-spyware) and run a full scan on your computer.

Reset your Xero password

The best way to reset your password is to follow the “Forgot your password?” link on the Xero login page.

Remember to always log in through the Xero login page and check for the padlock security symbol in the browser's address bar.

Check your Xero log in activity regularly

You can check your log in activity from the dashboard in Xero.

If you notice access at times you do not recognise (for example, early in the morning) or from locations outside of Australia, you should immediately alert Xero and us.
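The manual check described above, written as a small script so the same rules (out-of-hours access, access from outside Australia) can be applied to an exported login history. This is an added example, not Xero's or mi-fi's own tooling; the record layout, the sample logins and the working-hours window are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

# Constructed sample records in an assumed layout: UTC timestamp, user, country.
# A real export from the Xero dashboard may differ; adapt the split() below.
SAMPLE_LOGINS = """\
2024-03-04T23:15:00Z,alice@example.com,AU
2024-03-05T03:42:00Z,alice@example.com,AU
2024-03-05T17:05:00Z,alice@example.com,AU
2024-03-06T06:30:00Z,alice@example.com,US
"""

# Fixed AEDT offset (UTC+11) is assumed here so the example runs anywhere;
# in practice use zoneinfo.ZoneInfo("Australia/Sydney") to handle daylight saving.
LOCAL_TZ = timezone(timedelta(hours=11), "AEDT")
EXPECTED_COUNTRIES = {"AU"}
# Assumed working-hours window; adjust to the business's own pattern.
WORK_START, WORK_END = time(7, 0), time(19, 0)


@dataclass
class Finding:
    local_time: str
    user: str
    reasons: list


def review_login_activity(csv_text, tz=LOCAL_TZ, countries=EXPECTED_COUNTRIES):
    """Return one Finding per login that is out of hours or from an unexpected country."""
    findings = []
    for line in csv_text.strip().splitlines():
        ts, user, country = line.split(",")
        # fromisoformat() only accepts the trailing 'Z' from Python 3.11; normalise it.
        when_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        when_local = when_utc.astimezone(tz)
        reasons = []
        if not (WORK_START <= when_local.time() <= WORK_END):
            reasons.append("outside working hours")
        if country not in countries:
            reasons.append(f"login from {country}")
        if reasons:
            findings.append(Finding(when_local.isoformat(), user, reasons))
    return findings


if __name__ == "__main__":
    for f in review_login_activity(SAMPLE_LOGINS):
        print(f.local_time, f.user, "; ".join(f.reasons))
```

Of the four sample logins, the 17:05 UTC entry lands at 04:05 local time and the US entry is flagged by country; the other two are normal and produce no finding.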

Review user access

You should check who has access to your Xero file and if they no longer require it then remove their access.

You should also remind any other users to read this article and take the actions outlined in it.

Password Security

The weakest link in your online security is your password. Practices like using an easy password, using the same password for multiple accounts and letting other people use your password all undermine your security.

In short, your passwords should be:

  • Very hard to guess. We recommend passwords that are at least 8 characters in length and contain a mixture of letters (upper and lower case), numbers and punctuation. They should also be completely random, e.g. don’t use your name and simply change some letters for numbers.
  • Unique to each account. Never use the same password for more than one online account. By keeping your passwords different you minimise the fallout if your password for one application is compromised.
  • NEVER shared with others, even people you know. Whilst the individual/s you share it with may be someone you trust, you cannot be sure of their security practices.
  • Updated regularly (at least every 90 days).
  • Protected by two-factor authentication where available. This is where the application also sends a temporary code to your phone by SMS or mobile application. Most banks now use this technology.

Unfortunately, no one is immune from being a target of cyber crime; however, there are always steps that can be taken to mitigate the risks so that you can operate online with confidence.

If you have any questions in relation to this article or would like to discuss ways to improve your business’s online security, please contact us.