Removal of ATO SMS hyperlinks

ATO announces the removal of hyperlinks in SMS

The ATO is in the process of removing hyperlinks from all outbound unsolicited SMS by Tax Time 2024.

Removing hyperlinks is a scam-preventative measure. It will help protect the community by making it easier to identify legitimate ATO SMS interactions and provide trust and confidence in the ATO’s tax, superannuation and registry systems. 

There has been significant growth in the use of SMS by cybercriminals.

Throughout the 2022–23 financial year, SMS scams impersonating the ATO brand, products, services and employees increased by over 400%. 

Cybercriminals often use hyperlinks in targeted SMS phishing scams. The hyperlinks take individuals to highly sophisticated fraudulent websites (such as a fake myGov sign-in page) designed to steal their personal information or install malware.  

The ATO  may use SMS  to contact you, but will never include links to log-in pages. If you want to access the ATO’s online services, always type my.gov.au or ato.gov.au into your internet browser yourself. 

This change also serves as a timely reminder to protect your information. Do not give out your TFN, date of birth or bank details unless you trust the person you are dealing with, and they genuinely require these details. 

If you think communication such as a phone call, SMS, voicemail, email or interaction on social media claiming to be from the ATO is not genuine, do not engage with it. You should either: 

  • go to Verify or report a scam to see how to spot and report a scam 
  • phone the ATO on 1800 008 540 if you have divulged information or remitted a payment to a scammer. 

For information and examples of ATO impersonation scams see Scam alerts »


qr code

QR Quishing Scams

Banks warn of Christmas QR code scams

Financial institutions and consumer advocates are sounding the alarm on the surge of Christmas-related scams, cautioning that criminals are employing a novel tactic by exploiting COVID-era QR codes to pilfer personal information.

What is Quishing?

Quishing is a form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms or on physical items. Quishing is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device.


A recent Westpac report highlighted that over half of reported scams related to purchases and sales in November and December last year. They emphasised that scammers often capitalise on the increased spending and potential distractions during the holiday season.

To illustrate the heightened risk, Westpac experienced a 5 per cent uptick in fraud-related calls following the facilitation of over 31 million point-of-sale transactions during the recent Black Friday and Cyber Monday sales.

Westpac’s research uncovered that 38 per cent of Australians fell victim to scams originating from fake websites, online retailers and marketplaces.

QR codes, once considered outdated by 2019, regained popularity during the COVID-19 pandemic due to the demand for contactless services. However, the Federal Trade Commission (FTC) in the United States has cautioned that scammers are now concealing harmful links in QR codes found at locations such as parking meters, cafes and bars.

The FTC outlined various deceptive tactics employed by scammers, including false claims of undelivered packages, account issues and fraudulent activities requiring immediate password changes. Young stressed the importance of verifying payment details before transferring funds and warned against clicking on links in SMS or email communications.

In the aftermath of clicking on deceptive links, individuals risk having their information stolen or malware installed on their devices.

Westpac identified several other prevalent Christmas scams, including enticing individuals to fake websites through social media advertisements, exploiting parcel-related anxieties with fake updates via SMS or email, and promoting seemingly lucrative fake investments.

Westpac also highlighted that investment scams pose a significant challenge, constituting half of all reported losses. These scams often promise substantial returns and involve scammers investing considerable time in grooming victims, making them difficult to identify.

In Australia, reported losses to Scamwatch on social media platforms have surged to over $66 million in 2023, marking a 40 per cent increase from the previous year. Consumer group Choice, along with 20 other organisations globally, is urging governments to mandate social media and technology companies to implement measures protecting consumers from scams.

Choice criticised tech giants such as Facebook, Instagram and Google for their failure to prevent scammers from exploiting their platforms, arguing that these companies possess the resources and technology to enhance consumer protection but are reluctant to do so without legal requirements.

Please note that Allan Hall will be closed from 22 December and will reopen on Monday 8 January 2024.


aga global conference athens 2023

Alliott Global Alliance Worldwide Conference 2023

The 2023 Worldwide Conference hosted by Alliott Global Alliance (AGA) in Athens surpassed expectations, drawing 155 delegates from 49 countries – an unprecedented turnout for our global network of accountants and lawyers.

AGA APAC Chair, Scott Jago, represented Allan Hall Business Advisors at the conference and highlighted the immense value of making international connections with both longstanding and the newest alliance members.

Participants demonstrated a keen readiness to address future challenges by leveraging their memberships and tapping into alliance expertise, business acumen, innovations and resources. Discussions spanned a diverse range of topics, including succession planning, business development, AI, cybersecurity, leadership, pricing and crisis management.

In the CEO’s keynote address, a forward-looking vision was painted, emphasising growth, adaptability and a commitment to a collaborative and innovative spirit within AGA. While acknowledging the importance of heritage and core values, the CEO stressed the necessity for AGA to evolve continually to remain relevant in the ever-changing global landscape.

The shift towards a more proactive, collaborative culture emerged as a recurring theme, with the CEO highlighting five strategic goals: creating more opportunities, maximising human resources, facilitating knowledge transfer, sharing innovations and building a stronger brand identity.

Service excellence also took centre stage, with attendees encouraged to extend a metaphorical red carpet to fellow members and their clients, fostering a culture of generosity and responsiveness. Addressing challenges, members were urged to find solutions for core services outside their expertise but within the AGA network.

Allan Hall’s International Services

We live in an entrepreneurial and globalised market and many businesses are expanding internationally. If you are an international business looking to start up in Australia, or an Australian business looking to expand overseas, Allan Hall has a highly skilled and experienced team in International Services. We collaborate with you to develop strategic solutions tailored to your business so you can respond to global opportunities and take on challenges in your chosen region.



The 120% technology and skills ‘boost’ deduction

The legislation granting small and medium businesses (SMBs) the opportunity to claim a 120% tax deduction for technology expenses, skills training and training costs has finally passed Parliament, nearly a year after the announcement in the 2022-23 Federal Budget.

However, there are a few timing complexities involved. To benefit from the technology investment boost, you needed to have purchased and installed the technology by 30 June 2023, which was just seven days after the legislation was passed.

Key points

  • Under both the technology and Skills and Training Boost, eligible expenses will be available for the 120% deduction if they were incurred between 29 March 2022 and 30 June 2024
  • The bonus deduction for the technology boost is capped at 20% of the eligible expenditure, up to a limit of $20,000 ($100,000 of eligible expenditure)
  • There is no limit for the skills and training boost.

Who is eligible for the boosts?

Small business entities (including individual sole traders, partnerships, companies or trading trusts) with an aggregated annual turnover of less than $50 million can access the 120% skills and training boost, as well as the technology boost. Aggregated turnover includes the turnover of your business, affiliates and connected entities.

The technology investment Boost

Expenses that may qualify for the technology boost include:

  • Digital enabling items like computer hardware, telecommunications equipment, software, internet costs, computer network systems and services that facilitate their usage.
  • Digital media and marketing expenses including audio and visual content that can be accessed, stored or viewed on digital devices, as well as web page design.
  • E-commerce goods or services that support digitally ordered or platform-enabled online transactions, portable payment devices, digital inventory management, subscriptions to cloud-based services and advice on digital operations or digitisation such as guidance on digital tools for business continuity and growth.
  • Cybersecurity systems, backup management and monitoring services.

The technology must be primarily or substantially used for a business’s digital operations or digitisation. There must be a direct connection to how the business generates income, particularly through its digital operations.

There are several costs that the technology boost does not cover, such as expenses related to staff employment, capital raising, construction of business premises and the cost of goods and services sold by the business. The boost does not apply to:

  • Assets purchased and sold within the relevant period (on or before 30 June 2023)
  • Capital works costs, including improvements to business premises
  • Financing costs like interest expenses
  • Salary or wage costs
  • Training or education costs, meaning that training staff on software or technology does not qualify (refer to Skills and Training Boost below)
  • Trading stock or the cost of trading stock.

The Skills and Training Boost

The Skills and Training Boost is a program that provides SMBs with a 120% tax deduction for external training courses offered to their employees. The primary objective of this boost is to facilitate the growth of SMBs’ workforce by enabling them to hire and upskill less-experienced employees through external training. This initiative aims to enhance their skills and increase overall productivity.

Please note that sole traders, partners in a partnership, independent contractors and other non-employees are not eligible for the boost as it is specifically designed for employees. Similarly, associates such as spouses or partners, as well as trustees of a trust, are not qualified to participate.

To ensure compliance, there are a few rules to be aware of:

  • Registration for the training course must have occurred between 7:30 PM (AEST) on 29 March 2022 and 30 June 2024. If an employee is already enrolled in an eligible training course, enrolments in subsequent courses or classes after 29 March 2022 are considered eligible.
  • The training must be deductible to your business according to ordinary rules, meaning it should be directly related to how your business generates income.
  • The training needs to be provided by a registered training provider who charges your business (either directly or indirectly) for the training. (Please refer to the section on “What organisations can provide training for the boost?” below)
  • The training must be intended for employees of your business and should be delivered either in-person within Australia or through online platforms.
  • The training provider cannot be your business or an associate of your business.

Training expenditure can include costs associated with the training, such as resources or equipment necessary for the course, provided that the training provider charges your business for these expenses.

What organisations can provide training for the boost?

Please note that not all courses offered by training companies will qualify for the boost. Only courses offered by registered training providers within their registration will be eligible. Typically, these providers offer vocational training to acquire a trade or courses that contribute to a formal qualification, rather than purely professional development.

Qualifying training providers will be registered by:

While some desired training may not be delivered by registered training organisations, there is still a wide range of options available. Short courses offered by universities or flexible courses designed for upskilling, rather than obtaining a degree qualification, can still be explored, especially if they align with the development pathway identified through recent performance reviews for your staff.


computer security

Enhancing cybersecurity with MFA

Adopting a multi-factor authentication (MFA) strategy

With technology advancing, it has become easier for hackers to gain access to our personal data.

In the past, passwords were considered the best line of defence against cybercriminals, but times have changed.

That’s why adding an extra layer of security to your online accounts is essential, not just for your information, but for your customer information too.

That’s where multi-factor authentication (MFA) comes in.

MFA is a security measure that combines two or more ways to prove your identity to allow access to an account. By doing this, it makes it much harder for cybercriminals to steal or compromise your credentials. MFA types include:

  • something you know such as a password, PIN or response to a challenge like naming the first street you lived in
  • something you have such as a physical token, smart card or an SMS sent to your phone containing a code
  • Something you are for example a fingerprint, facial recognition or iris scan.

Cybercriminals may still get their hands on your password, but they will need your biometrics or a code to fully unlock your account. While MFA is not available for every online account, it’s becoming a more widely-applied way to verify your identity. Banks, social media platforms and software providers are adopting this measure to protect their users’ information.

Enabling MFA on your email accounts and computer software, especially if working remotely, is crucial. Adopting this practice in a work capacity strengthens the protection of your systems and sensitive information.

Implementing this strategy, alongside the other cybersecurity best practices, gives your systems a greater line of defence in the event of a cyber incident. By taking proactive steps to secure your online accounts, you can help safeguard your personal information and that of your customers. So, take the time to set up MFA on your accounts and enjoy the peace of mind that comes with knowing your information is secure or visit the ACSC website to find out more about implementing your MFA strategy.


computer security

Make cybersecurity a priority for 2023

Recent cyber-attacks have shown how important it is to have robust cybersecurity practices in place to protect both your business and customer information.

The Australian Cyber Security Centre’s essential 8 strategies provide guidance on how you can create a baseline of protection against cyber incidents.

Their first topic covers application controls. 

Application control strategy

Put simply, application control involves you putting together a list of computer apps and/or downloadable programs that are ‘authorised’ as being legitimate and safe to use.

You then add these authorised apps to your computer’s application control feature. These features act as your computer’s security guard, ensuring that you can only download and use the approved list of apps that can be on your computer.

Doing this can minimise the risk of malicious code (also known as malware) being downloaded onto your systems, which can then disrupt, damage or even gain unauthorised access to your computer systems.

It’s important that you regularly review the list of approved apps and remove any you no longer need. It’s also crucial that you test the application control to make sure it works. Simply try and download an app that isn’t on your authorised list and make sure your system blocks the download.


using xero on an iphone

Changes to multi-factor authentication coming for Xero customers

Over the last few years, our lives – and businesses across the world – have moved online at a rapid pace.

Unfortunately, cybercriminals have followed and are using new, digital methods to target Australians. As custodians of your data, Xero does all they can to protect the information held in your account.

One of the ways is through multi-factor authentication (MFA), a process designed to secure how you log in to Xero and verify it’s really you. An upcoming Australian Tax Office (ATO) update to MFA regulations means anyone that accesses an Australian organisation globally needs to re-authenticate their device every 24 hours when logging in to Xero.

What’s changing with MFA?

Many of Xero’s Australian customers would have started using MFA back in 2018 when it was first introduced by the ATO. Throughout 2021, Xero rolled out mandatory MFA for users in all other countries. Today, every Xero customer must use MFA when they log in.

Recently, in response to growing cybersecurity threats, the ATO updated its regulations around MFA for software providers like Xero. This means that the length of time a device is trusted for must be limited to 24 hours for cloud-based business applications, such as Xero. 

From early October, ‘remember me on this device’ will change. Currently, you can skip authentication for 30 days when signing in to Xero via MFA (such as through the Xero Verify, Google Authenticator or Authy apps), which remembers the unique device you’ve logged in with. With this update, you will need to re-authenticate your trusted device (such as a laptop, tablet or phone) every 24 hours.

When will this happen?

The 24 hour change to Xero’s MFA trust device frequency will start from early-October. From then, you’ll need to authenticate daily when you log in to your account.

Why is this being changed for Australian customers?

This is a regulatory change from the ATO and is to support cybersecurity measures to protect users’ valuable data – just think of all the critical information stored within your Xero account. It’s important to keep this safe.

You’ll likely remember when MFA was first mandated by the ATO. Just like last time, Xero is updating its platform to comply with this change and make it a smooth transition.

What if I’m in another country, like New Zealand, but access an Australian organisation in Xero?

This change doesn’t just apply to Australia but to anyone globally that accesses an Australian organisation – even if it’s just one account in Australia that you log in to. This is because you are accessing information (including personally identifiable information) that falls under the ATO’s remit.

Do I need to make any updates myself?

No – rest assured that the Xero platform will update automatically in early October. Since all Australian customers already use MFA, you won’t have to change anything about how you log in to Xero – except for daily authentication. This means you can continue to use your usual verification tool, whether it’s Xero Verify or a third-party app like Google Authenticator.

Why is cybersecurity so important and should I be worried?

Security has always been important at Xero and we want to keep your valuable business data safe. Since the start of the pandemic, activity by cybercriminals has been on the rise in Australia. As our lives have moved more and more online, so too have the approaches of cyber criminals.

They’ve continued to evolve and use increasingly sophisticated ways to entrap victims online. One of the most common types of cybercrime is phishing, which tricks you into clicking on a fraudulent email, text message or web link to then access your online accounts and steal your personal and business information.

How does MFA help protect me against cybersecurity threats?

MFA is one of many important tools used to safeguard against cybersecurity threats. It’s a security process which uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account.

This second layer of security is designed to prevent anyone else from accessing your account, even if they know your password. In fact, research shows that MFA can prevent up to 80% of data breaches.

What does this mean for Xero’s mobile apps?

Xero’s suite of mobile apps, such as the Xero Accounting App, Xero Expenses and Xero Projects, will also be impacted by these new regulations. When the new versions are introduced, you will no longer be able to choose the lock device option ‘Don’t lock it’. You will either need to use a security code, which will be available on Android for the first time and is currently available on iOS, or use Face ID.

What if I normally share my login with members of my team?

Shared logins reduce the security of your Xero account. The more people who have access to a login, the more likely it is to be compromised. Everyone who accesses an organisation in Xero should have their own login details (as per Xero’s terms and conditions).

If they don’t already, now is the time to make sure everyone is set up with what they need to securely use Xero. 

Read more about MFA here and troubleshoot any possible issues here »



The Australian Cyber Security Centre warns of Ransomware amidst increasing attacks

Ransomware attacks are on the rise in Australia

Learn how to protect yourself against it and secure your devices.

What is ransomware?

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them.

A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.

The effects of ransomware

Ransomware can cause severe damage to both individuals and organisations. You could face significant downtime while you restore your devices and data to their original state.

If you don’t have a backup, it could be impossible to recover your files.

Downtime or data loss can hurt your reputation, and cost you money.

What to look for

Ransomware can infect your devices in the same way as other malware or viruses. For example:

  • visiting unsafe or suspicious websites
  • opening emails or files from unknown sources
  • clicking on malicious links in emails or on social media.

Common signs you may be a victim of ransomware include:

  • pop-up messages requesting funds or payment to unlock files.
  • you cannot access your devices, or your login doesn’t work for unknown reasons.
  • files request a password or a code to open or access them.
  • files have moved or are not in their usual folders or locations.
  • files have unusual file extensions, or their names or icons have changed to something strange.

Case Study: Ransomware attacks can be devastating, but backups protect what matters most.

How backing up saved a business from ransomware

Ransomware can happen to anyone, anywhere, at any time, and for one business, it did. With assistance provided by the Australian Cyber Security Centre (ACSC), the business recovered from the attack, files intact and avoided months in downtime.

Gerri, who worked at a small design firm, noticed one morning she could not access a design file. The file extension was different and the icon was a blank page rather than the usual logo. Suspecting something, she raised it with her colleague Simon.

Simon decided to look at all the files on their server and noticed in real time that their files were being encrypted randomly, making them unusable.

“We actually caught it happening and then I pulled the plugs on everything and managed to save a lot,” said Simon.

A .txt file titled ‘Read Me’ popped up – it was a note sent by a cybercriminal saying the files were encrypted with ransomware. The note demanded a ransom in cryptocurrency to unlock them.

Simon took a screenshot of the ransom note and ran anti-malware and anti-virus on all their machines. He quickly called the Australian Cyber Security Hotline on 1300 CYBER1 to report the ransomware attack and seek advice about how to recover.

Luckily, the business was following ACSC best practice advice and kept regular backups of their work to cloud servers and external drives, as well as a Network Attached Storage device.

Due to Simon’s quick thinking and awareness, he was able to save the majority of their files; however, they lost some newer files that were encrypted by the ransomware.

The business consulted an IT professional, who reformatted their systems to ensure there was no trace of ransomware on their networks, as well as updated their anti-virus software.

Unfortunately, the encrypted files could not be recovered, taking the business an additional 2 weeks to recreate the lost work and to get all the systems back up and running.

“The downside was having to reload the software onto the systems, which took hours for some,” said Simon.

However, if it was not for the backups made prior to the attack, the situation could have been much more severe.

“Backup all your stuff daily… if it wasn’t for that we would have been stuck for months,” said Simon.

The ACSC has updated its ransomware guidance to help Australian individuals and businesses protect themselves and respond to a ransomware attack.

The ACSC is here to help all Australians impacted by cyber incidents. ACSC cyber security advice and assistance is available 24/7 through the Australian Cyber Security Hotline (1300 CYBER1) and through ReportCyber.

ACSC advice

Never pay a ransom

There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.

The practical guides below will help you to protect yourself against ransomware attacks and tell you what to do if you’re held to ransom.

If you get stuck


conferring by computer

Priority access to AU web domain names

Businesses urged to safeguard digital identities

The Australian Small Business and Family Enterprise Ombudsman is urging Australian businesses to protect their online assets as the cut-off date for priority access to register for their shortened domain name approaches. 

Direct domain names: the new .au digital address

Time is running out for businesses to secure the latest .au domain name resource and prevent an unrelated party setting up shop at the internet’s latest address. The .au domain is here!

Anything that you see on the internet, irrespective of whether it is an online store, employee portal, customer forum or article, has a unique address. This address falls under a domain name.

Domain name registrations are not just an administrative or record-keeping task for a business — they are an essential tool when it comes to carving out an exclusive identity online. Ownership of key domains can ensure customers are transacting with an authentic trader and helps prevent unauthorised third parties from capitalising on a business’ valuable reputation. Maintaining a suite of domain names also enables a website to have improved search engine rankings, consistent branding and establishes a business identity in a global online trading environment.

Businesses will have no doubt encountered some of the different third-level domain (3LD) options already available for domains in Australia. The domain name ending in .au indicates that the people or company operating the site has a business presence or connection with Australia. Soon we will have a new, snappier namespace available at the second level (2LD) domain. It is essential that traders identify whether they are eligible and take steps to secure this asset in the current priority period.

Eligibility for priority access to the .au domain

The .au domain is in high demand, so it is vital that Australian businesses take the necessary steps as soon as possible to place themselves at the top of the queue. According to data published by the Australian Domain Administration (auDA), more than 3.5 million .au domains are already reserved as at August 2022.

A business can reserve a .au domain if it already has a 3LD .au domain name registered. The existing 3LD .au domain name must have been registered before 24 March 2022 to qualify for priority status. auDA will reserve an equivalent domain name for existing registrants, provided the existing registered domain complies with eligibility requirements.

Businesses have until 20 September 2022 to apply for priority status of the exact .au match of an existing 3LD .au domain name registration. Under the priority process, names that are exact matches will be put on ‘priority hold’ to prevent them from being registered by others. The purpose of this is to give existing registrants the ability to register their priority status of the exact match. This priority holding period ends on 20 September 2022.

If no one applies for priority status, the available .au domain names are released from priority hold on 3 October 2022, after which anyone from the public can seek registration through an accredited registrar.

.au direct has launched. If you have priority, apply for your matching name by 20 September.