Simple Ways to Keep Your Xero File Safe and Secure
Your Xero file holds sensitive business data, including bank feeds, payroll, client invoices, and BAS reports. Taking a few minutes to strengthen your security settings can go a long way in protecting that data. Recently, there has been a noticeable rise in scam emails impersonating Xero and event organisers, often using fake invoices, payment links, or registration forms to trick users into handing over their details. While we’ve shared tips on how to spot phishing attempts in our How to Recognise and Avoid Phishing Emails & SMS blog, this post focuses on the practical steps you can take within Xero to keep your file secure and your business running smoothly.
1. Turn On Multi-Factor Authentication (MFA)
MFA is one of the best ways to prevent unauthorised logins, even if someone gets your password. Xero requires MFA for Australian users, but it’s worth checking that it’s set up for all users on your file, including bookkeepers or part-time staff.
You can use:
- The Xero Verify app (push notifications)
- Google Authenticator
- Authy or similar tools
Tip: Encourage your whole team to set up MFA and check it’s working. Read the step-by-step guide to setting up MFA.
2. Review User Access and Permissions
Business owners often forget to remove old users or check what each person has access to.
Here’s what to review:
- Remove access for ex-employees, ex-bookkeepers or temporary users
- Check if everyone has the correct role (Standard, Read-only, Adviser)
- Make sure no one has admin access unless it’s truly needed
Tip: Set a calendar reminder to review this every quarter or after staffing changes. Read how to update user permissions in Xero.
3. Use Strong, Unique Passwords
Simple or reused passwords are still one of the biggest risks to online systems.
Encourage your team to:
- Avoid using the same password for Xero and email
- Use a password manager
- Never share passwords over email or text
Tip: If you suspect your Xero account has been compromised, change your password immediately.
4. Secure Your Connected Apps and Bank Feeds
If you’ve connected other apps to your Xero file (like payment platforms, inventory tools, or Hubdoc), take a moment to:
- Review authorised apps under Settings > Connected Apps
- Remove any tools you’re no longer using
- Make sure third-party apps are reputable and secure
Keeping your Xero file secure doesn’t require complex tools, just a few smart habits. By enabling MFA, regularly reviewing user access, and managing connected apps, you can protect your business data and reduce the risk of disruptions. These simple actions support a smoother experience in Xero and help ensure your financial records stay safe, accurate, and accessible when you need them most.
