Latest phishing alert for bexio customers

Status as of 15 May 2026: Fake emails and fake bexio invoices are not sent by bexio – exercise caution when handling personal data.

Fake emails are currently in circulation

Criminals are currently sending fake invoice emails in our name and in the name of our customers. This is a phishing attack aimed at stealing your bexio login credentials. To do this, the fraudsters use external servers and falsify the sender's name.

bexio has not been compromised. There has been no breach of our systems, and no customer data has been leaked. Your documents and information in bexio remain protected by our high security standards.

We have compiled the most important questions and the relevant answers for you, including instructions on what to do and an authenticity check. Please invest a few minutes for your own security. Your vigilance is your best protection.

If you have any further questions, our bexio-Support team is here for you at any time.

Immediate Help & What to Do

What should I do if I receive a suspicious email? (Updated: 15.05.2026)
  1. Don't enter anything: Don't click on any links, and under no circumstances should you enter your login credentials on an unfamiliar website.
  2. Update - Inform us: Forward the suspicious message to our dedicated address [email protected] (you'll find exact instructions further below in the section How can I help?). This helps our bexio team get fraudulent websites blocked more quickly.
  3. Delete: Then delete the email from your inbox immediately.

I have entered my details on a suspicious website. What now?

If you have entered your password on a fake website, you need to act immediately:

  1. Log in to your bexio account directly via our official website (https://idp.bexio.com) and change your password.
  2. Banking check: Before finalising any payment, check all payment orders in your e-banking system extremely carefully to ensure they are correct.
  3. Check IBAN numbers in bexio: As a preventive measure, check the IBAN numbers of your suppliers stored in your bexio account, as well as your own draft invoices, for any signs of tampering.

Report a crime in the event of financial loss: If you have suffered a financial loss, the Federal Office for Cybersecurity (BACS) recommends reporting a crime to your local police force. You can find your nearest police station via Suisse ePolice.

How can I help? (Updated: 15.05.2026)

Please contact us in the following cases:

  • If you receive suspicious emails in the name of bexio (e.g. with unusual demands). When in doubt: it's better to report once too often. Find out how to recognize such messages in the section «How do I recognize fraudulent emails?».

  • Very important: Contact us immediately if you have already clicked on a link or entered any data!

This information helps us. Unfortunately, a screenshot is not sufficient for our technical analysis. Please send us:

  • The original email as an attachment (.eml file), as this is the only way to preserve the important technical background data.

  • A brief note if you have already interacted with the message (e.g. clicked a link).

Here's how to proceed:

  1. Create the .eml file: Export or save the suspicious email as a .eml file. Find out how here

  2. Compose your message: Write a short email with a description of the incident.

  3. Add attachments & send: Attach the .eml file (and any other suspicious documents if applicable) and send everything to [email protected]

  4. Clean up: Delete all phishing emails and files, then empty your trash.

Detecting Fraud

How can I tell whether a bexio invoice (from bexio AG) is fake?
  1. The safest method: Check directly in your bexio account. Unsure? Do not click on any links in the email! Instead, log in directly to your bexio package management system here: https://office.bexio.com/index.php/billing/show/overview?tab=invoices

    There, you will immediately see whether a genuine invoice has been issued to you. If no new invoice appears there, the email was a fraud attempt. If this is the case, delete the email immediately.
  2. Check the real sender address: Don't be fooled by the sender name displayed (e.g., 'bexio AG' or similar). Hover your mouse over the sender's name or click on it to reveal the actual email address behind it. A genuine invoice from us will always come from the address [email protected]. If anything else appears there, it is an attempt at fraud.
  3. Check for hidden links: The email often contains a button (e.g., 'Go to your account') or links. Don't click on them; instead, simply hover your mouse over them. This will show you the hidden destination address (URL).

Important: The address must end in .bexio.com, i.e., 'dot bexio dot com' (e.g., idp.bexio.com or network.bexio.com). If the link leads to an address without this dot (e.g., bexio.something.com) or to a completely different address, it is a phishing attempt.

What should I do if I suspect a scam?

If one or more of these signs indicate a fake: Don't click on any links, don't enter your details anywhere, and delete the email immediately.

How can I tell if an email is GENUINELY from bexio?

Don't rely on the sender's display name. Instead, check these three features:

  1. The sender's address: If you hover your mouse over the sender's name, the address must be [email protected]. Any other ending is definitely an attempt at fraud. However, this alone is not always sufficient, as resourceful fraudsters can sometimes falsify this sender address in a deceptively authentic way. Therefore, it is important that you always also pay attention to points 2 and 3 below.
  2. The link to the invoice: If you hover your mouse over the 'View invoice' button (without clicking), the link must lead to https://network.bexio.com.
  3. The login page: Our official and secure login page can only be found at https://idp.bexio.com. Always check the address bar of your browser (at the very top of the window): any other address shown there will lead to a fake website.
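
The checks above (real sender address behind the display name, link destinations ending in .bexio.com) can also be run on a saved .eml file without opening any link. The following is an added example, not bexio's own tooling: the function names, the sample message and its hosts are constructed, and requiring https is an assumption of the example. The genuine bexio sender address is not reproduced here, so the script only reveals the address for manual comparison.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_SUFFIX = ".bexio.com"  # rule from the page: host must end in ".bexio.com"

def is_bexio_url(url):
    """True only for https URLs whose host ends in '.bexio.com'."""
    try:
        parts = urlsplit(url.strip())
        # hostname is the real destination; path, query and userinfo are ignored
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False  # malformed URL: treat as untrusted
    # https requirement is an assumption of this example
    return parts.scheme == "https" and host.endswith(TRUSTED_SUFFIX)

def inspect_eml(raw):
    """Return (display name, real sender address, suspicious link URLs)."""
    msg = message_from_string(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    links = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', text, re.I)
    return display, address, [u for u in links if not is_bexio_url(u)]

# Constructed sample message (not a real phishing mail); all hosts are made up.
SAMPLE_EML = """\
From: "bexio AG" <billing@mailer.example>
To: customer@example.org
Subject: Your invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your invoice is ready.</p>
<a href="https://bexio.something.example/login">Go to your account</a>
<a href="https://invoice-portal.example/pay">Pay now</a>
<a href="https://network.bexio.com/invoice">View invoice</a>
"""

if __name__ == "__main__":
    name, addr, bad = inspect_eml(SAMPLE_EML)
    print(f"display name: {name!r}  real address: {addr!r}")
    for url in bad:
        print("suspicious link:", url)
```

As point 1 above notes, a sender address can itself be falsified, so a clean result from the address check does not replace the link and login-page checks.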

Background & Data Security

What exactly has happened?

Unknown persons are currently sending fake emails. This is a phishing attack: if you click on the link in the email, you will be directed to a replicated, fake website. There, you will be asked to enter your login credentials so that the attackers can steal your username and password.

Has bexio been compromised?

No. Our systems have not been compromised. There has been no breach of our infrastructure. The fraudsters are merely using our brand name and falsifying sender details ('spoofing') to lure you to an external, fake website.

Is my data safe?

Yes, your data is safe. As there was no access to our databases, all information stored in bexio remains protected. The scammers do not have access to bexio data, unless they manage to obtain your personal login details through these phishing emails.

What is bexio doing to address these incidents?

To protect you, we have implemented a crucial immediate measure: two-factor authentication (2FA) is becoming the mandatory standard at bexio. This means that, in future, when you log in, you will be asked for a code that we will send to your registered email address. This additional step significantly enhances access security and prevents unauthorised access – even if your password has fallen into the wrong hands. You can find more information on this in the relevant Help Centre article.

At the same time, our security specialists are continuously analysing the situation and working closely with specialist partners to have the fraudulent websites and servers blocked as quickly as possible. We have the situation under control and are doing everything we can to stop the attacks at their source as well.