Get an invoice from It's a scam

Today we received a heap of calls from people querying an invoice we sent them. It wasn't us.

Some scammers in China had registered a domain through a registrar in France, and decided to get a little more clever. They took a copy of our homepage, and hosted it on the same domain that they were sending the emails from. To anyone that visited, after getting an email from they would have seen our page and possibly assumed that it was a legitimate business that had sent the invoice.

In case you were wondering, yes, we are a legitimate business. And ironically, we specialise in helping businesses navigate the digital landscape.

If you received one of these emails, and you're on our real website, you're probably someone who clued in that something didn't seem right. Well done.

There are quite a few hints that point to when an email isn't legitimate, and there are ways in which you can verify it.

Here are four ways to know if an email is a scam -

1) Ask yourself - do I work with this business?

If you haven't worked with a business before - why would they be emailing you an invoice? This is a common sense check, and the first thing that usually triggers people that things may not be as they seem. If you have no reason to do business with the business that the email appears to come from, start digging a little deeper.

People who visited the fake copy of our website gave us a call and got in touch. Take that extra moment to do some research and save yourself some potential pain!

2) Check the email address that the spam email is coming from

Phishing and scam emails typically come from addresses registered to look like a legitimate email address. In this case it was from It looks like the address that Xero uses ( but isn't the same. If you know that emails come from it's easy to pick when something isn't legit.

You can always check the address by searching the domain name using a whois. A whois request identifies who the owner is of the domain, as well as where the name servers are located (the IP address of the servers that act like the switchboard for a domain)

Visit ICANN WHOIS to find out where a domain is registered

use ICANN whois to determine where a domain is registered

3) Hover over links in the email and see where they lead (but don't click on them)

Hovering over links you might notice that the domains names are different again, or the addresses look a bit off. If you see lots of different addresses that look like they aren't related to the business you are working with, or the apps that they use, it's probably fake.

4) Check the style of writing in the email

Sometimes a scammer can copy word for word a legitimate email that might be sent out by a provider. Other times it's a 'best effort' approach and you can spot spelling and grammar errors in the writing. Or it seems forceful and not well written.

Maybe you deal with people like that, and that's perfectly normal - but odds are that an email from a professional organisation will be well written and clear to read.

scammers often use poor english or grammar

While one thing might not be enough to tip you off a potential scam, the combination of a variety of different little hints should be enough to let you know that something isn't right. If you have any doubt at all, take the time to get in touch with the business and check to see if it's legitimate.

get in touch with a business you might suspect is a scammer

What if it's my website that scammers have ripped off?

If you ever find yourself in the position that we did today. Well congratulations on the compliment. The fact that scammers found your site and decided to use it to take advantage of others mean you must be doing something right with your SEO and marketing. Think of it like that unwanted gift you got from your aunt at Christmas. Yeah it's nice - but make it go away!

Here is what you need to do, to deal with scammers impersonating you -

1) If it's a cloud app they are impersonating - report it to the app

In the first 5 minutes of learning about this (yes the phone calls gave it away), we got in touch with Xero to let them know what was happening. They got their security team onto it and posted up a notice on their security noticeboard, as well as reported to the domain to a fraudwatch website. They were amazing in their support to us, in helping us work through something we've never had happen before!

Xero Security Noticeboard

2) Report the domain to providers, search engines and the federal police

Let providers know that the domain isn't a real site, and is a vector for phishing or a scam. You can report it to Google Safe Browsing, the Australian Federal Police through their Cybercrime Reporting Network amongst other groups. Look for cybercrime organisations in the country where the scammers originate, and the hosting is located.

report the scam domain to acorn

3) Let your hosting provider know

You might be thinking - what can your hosting provider do? With us - what we noticed is that the images, and files, and most of the links they had on the copy of our website led back to our real website.

The assumption the scammers made is that most people would only have a cursory look at the site, and if they did click on a few links, they wouldn't notice that the domain name would shift from to

What we did is let our hosting company know straight away what was going on.They then added a special redirect in place that looked at web requests coming from the referrer site ( and redirecting them to this very blog post.

4) Let the world know!

On face value it might seem as if there's no reason to put it out there to the world that your site has been ripped off and used for as a scam. There's nothing you did to create this situation right? You're just the victim here.

The more you can put it out there about what happened, to your customers, and the wider world - the more likely it is that people who may be looking at an email from the phishers see it before they become a victim. Put it out there and do the right thing, to limit the damage done to innocent people.

5) Move fast!

It doesn't take long for your website to get smashed by traffic and calls to flood your phones. The faster you can move and let people know, the quicker something can be done about it. In an age where things are digital and instant, speed is of the essence.

This situation is definitely not fun to deal with - trust us on this. The best you can do is your best to support the people who have been targeted, and do what you can to get the site shut down. The more people know about how to identify scams, the less likely it will be that others will fall victim to it in the future.

xero experts
Andrew Erkins

A passion for technology and people inspired Andrew to co-found Digit. With a background in information systems, he loves business strategy and figuring out what makes things tick (and how it could tick better)

learn more

Recent thoughts