
Landlords targeted in expanded ATO crackdown

ATO Expands Property Management Data Matching Program to Strengthen Tax Compliance

The Australian Taxation Office (ATO) is expanding its Property Management Data Matching Program as part of its ongoing commitment to enhance tax compliance.

This program plays a critical role in identifying and addressing potential discrepancies in rental income reporting, particularly within the property management sector.

Key points

  • Expansion of Data Matching Program: The ATO has expanded its program to better track rental income reporting and ensure tax compliance within the property management sector
  • Enhanced Data Collection: The program now collects more detailed rental data, cross-referencing it with ATO records to identify under-reporting or non-compliance
  • Focus on Compliance: Property owners and managers are advised to maintain accurate records, as the ATO’s enhanced capabilities increase the likelihood of detecting discrepancies.

The Property Management Data Matching Program enables the ATO to collect and analyse a wide range of data from property management agencies across Australia. This includes detailed information on rental income, property expenses and other financial activities related to investment properties. The data collected is cross-referenced with other ATO records to identify cases of under-reporting or non-compliance with tax obligations.

Objective and Scope

The primary objective of the expanded program is to ensure that all property owners and managers accurately report their income and meet their tax obligations. By gathering data from property management software, rental bond authorities and other relevant sources, the ATO can detect inconsistencies between reported income and actual rental earnings. This helps to identify individuals and entities who may be attempting to under-report their income or avoid their tax responsibilities.

Implications for Property Owners and Managers

The program covers a broad spectrum of rental properties, including residential, commercial and short-term accommodations.

Property owners and managers are advised to ensure that their records are accurate and up to date. The ATO’s expanded data matching capabilities mean that discrepancies in rental income reporting are more likely to be detected, leading to potential audits, penalties or other compliance actions.

By leveraging advanced data matching technology, the ATO aims to ensure that all taxpayers meet their obligations.

CONTACT ALLAN HALL BUSINESS ADVISORS


2024–25 Federal Budget Highlights

Budget 2024–25 key measures you must know

Described as a “responsible Budget that helps people under pressure today”, the Treasurer has forecast a second consecutive surplus of $9.3 billion.

The main priorities of the government, as reflected in the Budget, are helping with the cost of living, building more housing, investing in skills and education, strengthening Medicare and responsible economic management to help fight inflation.

The key tax measures announced in the Budget include extending the $20,000 instant asset write-off for eligible businesses by 12 months until 30 June 2025, introducing tax incentives for hydrogen production and critical minerals production, strengthening foreign resident CGT rules and penalising multinationals that seek to avoid paying Australian royalty withholding tax.

The Budget also includes various amendments to previously announced measures, as well as a number of income tax measures that have already been enacted prior to the Budget announcement, including:

These enacted measures have not been discussed in detail in our summary report:

Income tax

The tax, superannuation and social security highlights are set out below. The government anticipates that the tax measures put forward will collectively improve the Budget position by $3.1 billion over a 5-year period to 2027–28.

  • The instant asset write-off threshold of $20,000 for small businesses applying the simplified depreciation rules will be extended for 12 months until 30 June 2025
  • The foreign resident CGT regime will be strengthened for CGT events commencing on or after 1 July 2025
  • A critical minerals production tax incentive will be available from 2027–28 to 2040–41 to support downstream refining and processing of critical minerals
  • A hydrogen production tax incentive will be available from 2027–28 to 2040–41 to producers of renewable hydrogen
  • The minimum length requirements for content and the above-the-line cap of 20% for total qualifying production expenditure for the producer tax offset will be removed
  • A new penalty will be introduced from 1 July 2026 for taxpayers who are part of a group with more than $1 billion in annual global turnover that are found to have mischaracterised or undervalued royalty payments
  • The Labor government’s 2022–23 Budget measure to deny deductions for payments relating to intangibles held in low- or no-tax jurisdictions is being discontinued
  • The start date of a 2023–24 Budget measure to expand the scope of the Pt IVA general anti-avoidance rule will be deferred to income years commencing on or after assent of enabling legislation
  • Income tax exemptions for World Rugby and/or related entities for income derived in relation to the Rugby World Cup 2027 (men’s) and Rugby World Cup 2029 (women’s)
  • Deductible gift recipients list to be updated.

Superannuation

  • Superannuation will be paid on government-funded paid parental leave (PPL) for parents of babies born or adopted on or after 1 July 2025
  • The Fair Entitlements Guarantee Recovery Program will be recalibrated to pursue unpaid superannuation entitlements owed by employers in liquidation or bankruptcy from 1 July 2024
  • Prior to the Budget the draft of the $3 million super tax legislation was given Senate go-ahead and remains unchanged — it will include the taxing of unrealised gains and no indexation.

Tax administration

  • The ATO will be given a statutory discretion to not use a taxpayer’s refund to offset old tax debts on hold
  • Indexation of the Higher Education Loan Program (and other student loans) debt will be limited to the lower of either the Consumer Price Index or the Wage Price Index, effective from 1 June 2023
  • A pilot program of matching income and employment data of migrant workers will be conducted between the Department of Home Affairs and the ATO
  • A new ATO compliance taskforce will be established to recover tax revenue lost to fraud while existing compliance programs will be extended.

GST

  • Refunds of indirect tax (including GST, fuel and alcohol taxes) will be extended under the Indirect Tax Concession Scheme.

Small business depreciation — instant asset write-off threshold of $20,000 extended to 2024–25

The instant asset write-off threshold of $20,000 for small businesses applying the simplified depreciation rules will be extended for 12 months until 30 June 2025.

Small businesses (aggregated annual turnover less than $10 million) may choose to calculate capital allowances for depreciating assets under a simplified regime in Subdiv 328-D of ITAA 1997. Under these simplified depreciation rules, an immediate write-off applies for low-cost depreciating assets. The measure will apply a $20,000 threshold for the immediate write-off, applicable to eligible assets costing less than $20,000 that are first used or installed ready for use by 30 June 2025.

Assets valued at $20,000 or more (which cannot be immediately deducted) can continue to be placed into the small business simplified depreciation pool and depreciated at 15% in the first income year and 30% each income year thereafter. The provisions that prevent small businesses from re-entering the simplified depreciation regime for 5 years if they opt-out will also continue to be suspended until 30 June 2025.

The measure extends a 2023–24 Budget measure to increase the instant asset write-off threshold to $20,000 for the 2023–24 income year. A Bill containing amendments to increase the instant asset write-off threshold for 2023–24 is currently before Parliament. The Bill was amended by the Senate to increase the instant asset write-off threshold for 2023–24 to $30,000 and extend access to the instant asset write-off to entities that are not small business entities but would be if the aggregated turnover threshold were $50 million.

Tax administration

Statutory discretion for ATO to deal with tax refunds and debts on hold

The Commissioner of Taxation will be given the discretion to not use a taxpayer’s refund to offset old tax debts where that debt had been put on hold before 1 January 2017. The tax law will be amended to provide for this ATO discretion which will apply to individuals, small businesses and not-for-profits. The discretion will maintain the ATO’s current administrative approach to such debts.

Student loans indexation reform

Indexation of the Higher Education Loan Program (and other student loans) debt will be limited to the lower of either the Consumer Price Index or the Wage Price Index, effective from 1 June 2023, subject to the passage of legislation. The measure will apply retrospectively.

Data matching program for migrant workers’ income and employment

A pilot program matching income and employment data will be conducted between the Department of Home Affairs and the ATO to mitigate the exploitation of migrant workers and abuse of Australia’s labour market and migration system. This measure forms part of broader reforms to the migration system.

Strengthening ATO ability to combat fraud and extension of compliance programs

The ATO will be provided additional funding to continue various compliance programs. The current ATO Personal Income Tax Compliance Program will be extended for another year from 1 July 2027 to enable the ATO to continue its focus on emerging risks to the tax system. The Shadow Economy Compliance Program and the Tax Avoidance Taskforce will be extended for 2 years from 1 July 2026.

Funding will be provided to the ATO to improve its detection of tax and superannuation fraud, including to upgrade its information and communications technologies to be able to identify and block suspicious activity in real time. A new compliance task force will also be established to recover lost revenue and block attempts to obtain refunds fraudulently. Funding will also be provided to improve ATO’s management and governance of its counter-fraud activities.

The ATO will also be given additional time within which to notify a taxpayer if it intends to retain a business activity statement (BAS) refund for further investigation. The current required notification period of 14 days will be extended to 30 days, aligning it with time limits for non-BAS refunds. This measure will take effect from the start of the first financial year after assent of the enabling legislation.

2019-20 Budget measure on black economy will not proceed

The 2019–20 Budget measure “Black Economy — Strengthening the Australian Business Number system” will not proceed as integrity issues are being addressed through enhanced administrative processes implemented by the ATO.

GST

Refunds of indirect tax extended under Indirect Tax Concession Scheme

Refunds of indirect tax (including GST, fuel and alcohol taxes) will be extended under the Indirect Tax Concession Scheme (ITCS).

The Square Kilometre Array Observatory (SKAO) will have ITCS access upgraded for additional concessions to be claimed for the purchase of vehicles for personal use by SKAO officials or a member of their family. Additional concessions for commercial rent will also be formalised for existing ITCS packages for Bangladesh, Costa Rica, El Salvador and the Taipei Economic and Cultural Office. Construction and renovation concessions will be formalised for the existing ITCS package for the Netherlands. Concessions for both commercial rent and construction and renovation will be formalised for the existing ITCS package for Pacific Trade Invest.

Superannuation

Super to be paid on government-funded paid parental leave

Superannuation will be paid on government-funded paid parental leave (PPL) for parents of babies born or adopted on or after 1 July 2025. Eligible parents will receive an additional payment based on the superannuation guarantee (12% of their PPL payments), as a contribution to their superannuation fund. Payments will be made annually to individuals’ superannuation funds from 1 July 2026.

Recovery of unpaid super from liquidated or bankrupt employers

The Fair Entitlements Guarantee Recovery Program will be recalibrated to pursue unpaid superannuation entitlements owed by employers in liquidation or bankruptcy from 1 July 2024.

To discuss how these Budget measures impact you or your business, please contact your Allan Hall Advisor.

Full Budget papers are available at budget.gov.au and the Treasury ministers’ media releases are available at ministers.treasury.gov.au.


QR Quishing Scams

Banks warn of Christmas QR code scams

Financial institutions and consumer advocates are sounding the alarm on the surge of Christmas-related scams, cautioning that criminals are employing a novel tactic by exploiting COVID-era QR codes to pilfer personal information.

What is Quishing?

Quishing is a form of phishing attack that uses QR codes instead of text-based links in emails, digital platforms or on physical items. Quishing is a social engineering technique used by scammers and cybercriminals to trick you into providing personal information or downloading malware onto your device.

—cyber.gov.au

A recent Westpac report highlighted that over half of reported scams related to purchases and sales in November and December last year. They emphasised that scammers often capitalise on the increased spending and potential distractions during the holiday season.

To illustrate the heightened risk, Westpac experienced a 5 per cent uptick in fraud-related calls following the facilitation of over 31 million point-of-sale transactions during the recent Black Friday and Cyber Monday sales.

Westpac’s research uncovered that 38 per cent of Australians fell victim to scams originating from fake websites, online retailers and marketplaces.

QR codes, once considered outdated by 2019, regained popularity during the COVID-19 pandemic due to the demand for contactless services. However, the Federal Trade Commission (FTC) in the United States has cautioned that scammers are now concealing harmful links in QR codes found at locations such as parking meters, cafes and bars.

The FTC outlined various deceptive tactics employed by scammers, including false claims of undelivered packages, account issues and fraudulent activities requiring immediate password changes. Young stressed the importance of verifying payment details before transferring funds and warned against clicking on links in SMS or email communications.

In the aftermath of clicking on deceptive links, individuals risk having their information stolen or malware installed on their devices.

Westpac identified several other prevalent Christmas scams, including enticing individuals to fake websites through social media advertisements, exploiting parcel-related anxieties with fake updates via SMS or email, and promoting seemingly lucrative fake investments.

Westpac also highlighted that investment scams pose a significant challenge, constituting half of all reported losses. These scams often promise substantial returns and involve scammers investing considerable time in grooming victims, making them difficult to identify.

In Australia, reported losses to Scamwatch on social media platforms have surged to over $66 million in 2023, marking a 40 per cent increase from the previous year. Consumer group Choice, along with 20 other organisations globally, is urging governments to mandate social media and technology companies to implement measures protecting consumers from scams.

Choice criticised tech giants such as Facebook, Instagram and Google for their failure to prevent scammers from exploiting their platforms, arguing that these companies possess the resources and technology to enhance consumer protection but are reluctant to do so without legal requirements.

Please note that Allan Hall will be closed from 22 December and will reopen on Monday 8 January 2024.


ATO deadline reminder for contractor reporting

Taxable payments annual report (TPAR) lodgements due 28 August 2023

The ATO is reminding businesses required to lodge a Taxable payments annual report (TPAR) to do so by 28 August 2023.

This deadline is crucial for businesses falling under the TPRS regime to fulfil their reporting obligations.

Entities operating within the construction, cleaning, courier, road freight, information technology, security, as well as investigation or surveillance sectors, and that have engaged contractors in these domains, are mandated to comply with TPAR requirements.

Tony Goding, ATO Assistant Commissioner, stresses the TPRS’s pivotal role in levelling the playing field by ensuring all enterprises contribute their fair share of taxes. Not reporting payments to contractors and deliberately under-reporting income raises red flags, potentially triggering closer inspections by the ATO.

The TPRS serves as an instrument in the ATO’s arsenal, helping in the discovery of unreported income. The TPAR equips the ATO with an array of data points to uncover discrepancies, such as unreported earnings, non-submission of tax returns or activity statements, unjustified GST claims or misuse of Australian Business Numbers.

Recent ATO actions serve as a reminder of compliance expectations. Over 16,000 penalties were issued to businesses failing to lodge TPARs for prior years. With an average fine of around $1,110, these underscore the growing difficulty of evading ATO scrutiny, especially when utilising cash transactions to evade tax.

A recent example exemplifies the efficacy of the TPAR data. An investigation into a cleaning company unveiled a mismatch between declared income and actual earnings. Despite reporting $6,892 in income, the cleaning service provider was found to have received over $80,000 from multiple companies. An audit confirmed the non-submission of activity statements and concealed payments. This resulted in adjustments to the tax return and the imposition of penalties.


2023-24 Federal Budget

Tax and Superannuation Overview

2023-24 Federal Budget Highlights

The Federal Treasurer, Dr Jim Chalmers, handed down the 2023–24 Federal Budget at 7:30 pm (AEST) on 9 May 2023.

The Budget forecasts the underlying cash balance to be in surplus by $4.2 billion in 2022–23, the first surplus since 2007–08, followed by a forecast deficit of $13.9 billion in 2023–24.

The Treasurer has described the tax measures as “modest but meaningful” including changes to the Petroleum Resources Rent Tax and confirmation of a 1 January 2024 implementation of the BEPS Pillar Two global minimum tax rules.

A range of measures provide cost-of-living relief to individuals such as increased and expanded JobSeeker payments and better access to affordable housing. No changes were announced to the Stage 3 personal income tax cuts legislated to commence in 2023–24.

As part of the measures introduced for small business, a temporary $20,000 threshold for the small business instant asset write-off will apply for one year, following the end of the temporary full expensing rules.

The full Budget papers are available at www.budget.gov.au and the Treasury ministers’ media releases are available at ministers.treasury.gov.au. The business tax and superannuation highlights are set out below.

Business highlights

  • The instant asset write-off threshold for small businesses applying the simplified depreciation rules will be $20,000 for the 2023–24 income year.
  • An additional 20% deduction will be available for small and medium business expenditure supporting electrification and energy efficiency.
  • FBT exemption for eligible plug-in hybrid electric cars will end from 1 April 2025.
  • Employers will be required to pay their employees’ superannuation guarantee (SG) entitlements at the same time as they pay their salary and wages from 1 July 2026.

Small business depreciation — instant asset write-off threshold of $20,000 for 2023–24

The instant asset write-off threshold for small businesses applying the simplified depreciation rules will be $20,000 for the 2023–24 income year.

Small businesses (aggregated annual turnover less than $10 million) may choose to calculate capital allowances on depreciating assets under a simplified regime. Under these simplified depreciation rules, an immediate write-off applies for low cost depreciating assets. The measure will apply a $20,000 threshold for the immediate write-off, applicable to eligible assets costing less than $20,000 first used or installed between 1 July 2023 and 30 June 2024. The $20,000 threshold will apply on a per asset basis, so small businesses can instantly write-off multiple low-cost assets. The threshold had been suspended during the operation of temporary full expensing from 6 October 2020 to 30 June 2023.

Assets costing $20,000 or more will continue to be placed into a small business depreciation pool under the existing rules.

The provisions that prevent a small business entity from choosing to apply the simplified depreciation rules for 5 years after opting out will continue to be suspended until 30 June 2024.


Increased deductions for small and medium business expenditure on electrification and energy efficiency

An additional 20% deduction will be available for small and medium business expenditure supporting electrification and energy efficiency.

The additional deduction will be available to businesses with aggregated annual turnover of less than $50 million. Eligible expenditure may include the cost of eligible depreciating assets, as well as upgrades to existing assets, that support electrification and more efficient use of energy. Certain exclusions will apply, including for electric vehicles, renewable electricity generation assets, capital works, and assets not connected to the electricity grid that use fossil fuels.

Examples of expenditure the measure will apply to include:

  • assets that upgrade to more efficient electrical goods (eg energy-efficient fridges)
  • assets that support electrification (eg heat pumps and electric heating or cooling systems), and
  • demand management assets (eg batteries or thermal energy storage).

Total eligible expenditure for the measure will be capped at $100,000, with a maximum additional deduction available of $20,000 per business.

When enacted, the measure will apply to eligible assets or upgrades first used or installed ready for use between 1 July 2023 and 30 June 2024. Full details of eligibility criteria will be finalised in consultation with stakeholders.


FBT exemption for eligible plug-in hybrid electric cars to end

The FBT exemption for eligible plug-in hybrid electric cars will end from 1 April 2025.

Arrangements involving plug-in hybrid electric cars entered into between 1 July 2022 and 31 March 2025 remain eligible for the exemption.


Employers to be required to pay SG on payday

Employers will be required to pay their employees’ superannuation guarantee (SG) entitlements at the same time as they pay their salary and wages from 1 July 2026.

Employers are currently required to make SG contributions for an employee on a quarterly basis to avoid incurring a superannuation guarantee charge.

The proposed commencement date of 1 July 2026 is intended to provide employers, superannuation funds, payroll providers and other stakeholders sufficient time to prepare for the change.

Changes to the design of the superannuation guarantee charge will also be required to align with the increased payment frequency. The government will consult with relevant stakeholders on the design of these changes, with the final framework to be considered as part of the 2024–25 Budget.

In addition, funding will be provided to the ATO to, among other things, improve data matching capabilities to identify and act on cases of SG underpayment.

Superannuation measures

  • Superannuation earnings tax concessions will be reduced for individuals with total superannuation balances in excess of $3 million from 1 July 2025.
  • The non-arm’s length income (NALI) provisions will be amended to provide greater certainty to taxpayers.

Reducing tax concessions for super balances exceeding $3M

Superannuation earnings tax concessions will be reduced for individuals with total superannuation balances in excess of $3 million.

From 1 July 2025, earnings on balances exceeding $3 million will incur a higher concessional tax rate of 30% (up from 15%) for earnings corresponding to the proportion of an individual’s total superannuation balance that is greater than $3 million. The change does not impose a limit on the size of superannuation account balances in the accumulation phase and it applies to future earnings, ie it is not retrospective.

Earnings relating to assets below the $3 million threshold will continue to be taxed at 15%, or zero if held in a retirement pension account.

Interests in defined benefit schemes will be appropriately valued and will have earnings taxed under this measure in a similar way to other interests.


Need help?

If you would like assistance to interpret these changes and how they may affect your individual or business circumstances, please contact your Allan Hall Advisor on 02 9981 2300.


Enhancing cybersecurity with MFA

Adopting a multi-factor authentication (MFA) strategy

With technology advancing, it has become easier for hackers to gain access to our personal data.

In the past, passwords were considered the best line of defence against cybercriminals, but times have changed.

That’s why adding an extra layer of security to your online accounts is essential, not just for your information, but for your customer information too.

That’s where multi-factor authentication (MFA) comes in.

MFA is a security measure that combines two or more ways to prove your identity to allow access to an account. By doing this, it makes it much harder for cybercriminals to steal or compromise your credentials. MFA types include:

  • something you know, such as a password, PIN or response to a challenge like naming the first street you lived in
  • something you have, such as a physical token, smart card or an SMS sent to your phone containing a code
  • something you are, for example a fingerprint, facial recognition or iris scan.

Cybercriminals may still get their hands on your password, but they will need your biometrics or a code to fully unlock your account. While MFA is not available for every online account, it’s becoming a more widely-applied way to verify your identity. Banks, social media platforms and software providers are adopting this measure to protect their users’ information.

Enabling MFA on your email accounts and computer software, especially if working remotely, is crucial. Adopting this practice in a work capacity strengthens the protection of your systems and sensitive information.

Implementing this strategy, alongside other cybersecurity best practices, gives your systems a greater line of defence in the event of a cyber incident. By taking proactive steps to secure your online accounts, you can help safeguard your personal information and that of your customers. So, take the time to set up MFA on your accounts and enjoy the peace of mind that comes with knowing your information is secure. Visit the ACSC website to find out more about implementing your MFA strategy.


Make cybersecurity a priority for 2023

Recent cyber-attacks have shown how important it is to have robust cybersecurity practices in place to protect both your business and customer information.

The Australian Cyber Security Centre’s Essential Eight strategies provide guidance on how you can create a baseline of protection against cyber incidents.

Their first topic covers application controls.

Application control strategy

Put simply, application control involves you putting together a list of computer apps and/or downloadable programs that are ‘authorised’ as being legitimate and safe to use.

You then add these authorised apps to your computer’s application control feature. This feature acts as your computer’s security guard, ensuring that only apps on the approved list can be downloaded and used on your computer.

Doing this can minimise the risk of malicious code (also known as malware) being downloaded onto your systems, which can then disrupt, damage or even gain unauthorised access to your computer systems.

It’s important that you regularly review the list of approved apps and remove any you no longer need. It’s also crucial that you test the application control to make sure it works. Simply try to download an app that isn’t on your authorised list and make sure your system blocks the download.


Changes to multi-factor authentication coming for Xero customers

Over the last few years, our lives – and businesses across the world – have moved online at a rapid pace.

Unfortunately, cybercriminals have followed and are using new, digital methods to target Australians. As custodians of your data, Xero does all they can to protect the information held in your account.

One of the ways is through multi-factor authentication (MFA), a process designed to secure how you log in to Xero and verify it’s really you. An upcoming Australian Taxation Office (ATO) update to MFA regulations means anyone, anywhere in the world, who accesses an Australian organisation needs to re-authenticate their device every 24 hours when logging in to Xero.

What’s changing with MFA?

Many of Xero’s Australian customers would have started using MFA back in 2018 when it was first introduced by the ATO. Throughout 2021, Xero rolled out mandatory MFA for users in all other countries. Today, every Xero customer must use MFA when they log in.

Recently, in response to growing cybersecurity threats, the ATO updated its regulations around MFA for software providers like Xero. This means that the length of time a device is trusted for must be limited to 24 hours for cloud-based business applications, such as Xero. 

From early October, ‘remember me on this device’ will change. Currently, you can skip authentication for 30 days when signing in to Xero via MFA (such as through the Xero Verify, Google Authenticator or Authy apps), which remembers the unique device you’ve logged in with. With this update, you will need to re-authenticate your trusted device (such as a laptop, tablet or phone) every 24 hours.
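How a ‘remember me on this device’ window can be enforced on the server side, as an added example (not Xero’s code and not part of the original article): the token records only when the device was last authenticated, and the server applies the current window at check time, so shortening it from 30 days to 24 hours also covers tokens already issued. The token format, key and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# The two windows named in the article: 30 days before the change, 24 hours after.
OLD_TRUST_WINDOW = 30 * 24 * 3600
NEW_TRUST_WINDOW = 24 * 3600

# Constructed demo key (assumption). A real service keeps this in a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust_token(user_id, device_id, now, key=SERVER_KEY):
    """Issue a device-trust token after a successful MFA login.

    Only the issue time (iat) is stored, not an expiry, so the server
    decides how long to honour the token when it is presented.
    """
    claims = {"uid": user_id, "dev": device_id, "iat": int(now)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def check_trust_token(token, user_id, device_id, now,
                      max_age=NEW_TRUST_WINDOW, key=SERVER_KEY):
    """Return (trusted, reason) for a token presented at login."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"

    # Verify the MAC before trusting anything inside the payload.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad-signature"

    claims = json.loads(payload)
    if claims.get("uid") != user_id or claims.get("dev") != device_id:
        return False, "wrong-user-or-device"

    age = now - claims["iat"]
    if age < 0:
        return False, "issued-in-future"
    if age >= max_age:
        return False, "expired"
    return True, "trusted"


def login_needs_mfa(token, user_id, device_id, now, max_age=NEW_TRUST_WINDOW):
    """True when the user must complete MFA again on this device."""
    if token is None:
        return True
    trusted, _reason = check_trust_token(token, user_id, device_id, now, max_age)
    return not trusted


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp of the last MFA login
    token = issue_trust_token("user-1", "laptop-1", t0)
    for hours in (1, 23, 25, 24 * 29):
        now = t0 + hours * 3600
        print(f"{hours:>4} h after MFA:",
              "30-day policy ->", check_trust_token(token, "user-1", "laptop-1", now, OLD_TRUST_WINDOW)[1],
              "| 24-hour policy ->", check_trust_token(token, "user-1", "laptop-1", now)[1])
```

Because the window is applied when the token is checked, a token issued under the 30-day rule stops being honoured 24 hours after its MFA login as soon as the shorter window is configured.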

When will this happen?

The 24-hour change to Xero’s MFA trust device frequency will start from early October. From then, you’ll need to authenticate daily when you log in to your account.

Why is this being changed for Australian customers?

This is a regulatory change from the ATO and is to support cybersecurity measures to protect users’ valuable data – just think of all the critical information stored within your Xero account. It’s important to keep this safe.

You’ll likely remember when MFA was first mandated by the ATO. Just like last time, Xero is updating its platform to comply with this change and make it a smooth transition.

What if I’m in another country, like New Zealand, but access an Australian organisation in Xero?

This change doesn’t just apply to Australia but to anyone globally that accesses an Australian organisation – even if it’s just one account in Australia that you log in to. This is because you are accessing information (including personally identifiable information) that falls under the ATO’s remit.

Do I need to make any updates myself?

No – rest assured that the Xero platform will update automatically in early October. Since all Australian customers already use MFA, you won’t have to change anything about how you log in to Xero – except for daily authentication. This means you can continue to use your usual verification tool, whether it’s Xero Verify or a third-party app like Google Authenticator.

Why is cybersecurity so important and should I be worried?

Security has always been important at Xero and we want to keep your valuable business data safe. Since the start of the pandemic, activity by cybercriminals has been on the rise in Australia. As our lives have moved more and more online, so too have the approaches of cybercriminals.

They’ve continued to evolve and use increasingly sophisticated ways to entrap victims online. One of the most common types of cybercrime is phishing, which tricks you into clicking on a fraudulent email, text message or web link so that the attacker can then access your online accounts and steal your personal and business information.

How does MFA help protect me against cybersecurity threats?

MFA is one of many important tools used to safeguard against cybersecurity threats. It’s a security process that requires at least two different factors, something you know (your password) and something you have (your mobile device), before you can enter your account.

This second layer of security is designed to prevent anyone else from accessing your account, even if they know your password. In fact, research shows that MFA can prevent up to 80% of data breaches.

What does this mean for Xero’s mobile apps?

Xero’s suite of mobile apps, such as the Xero Accounting App, Xero Expenses and Xero Projects, will also be impacted by these new regulations. When the new versions are introduced, you will no longer be able to choose the lock device option ‘Don’t lock it’. You will either need to use a security code, which will be available on Android for the first time and is currently available on iOS, or use Face ID.

What if I normally share my login with members of my team?

Shared logins reduce the security of your Xero account. The more people who have access to a login, the more likely it is to be compromised. Everyone who accesses an organisation in Xero should have their own login details (as per Xero’s terms and conditions).

If they don’t already, now is the time to make sure everyone is set up with what they need to securely use Xero. 


The Australian Cyber Security Centre warns of Ransomware amidst increasing attacks

Ransomware attacks are on the rise in Australia

Learn how to protect yourself against it and secure your devices.

What is ransomware?

Ransomware is a common and dangerous type of malware. It works by locking up or encrypting your files so you can no longer access them.

A ransom, usually in the form of cryptocurrency, is demanded to restore access to the files. Cybercriminals might also demand a ransom to prevent data and intellectual property from being leaked or sold online.

The effects of ransomware

Ransomware can cause severe damage to both individuals and organisations. You could face significant downtime while you restore your devices and data to their original state.

If you don’t have a backup, it could be impossible to recover your files.

Downtime or data loss can hurt your reputation, and cost you money.

What to look for

Ransomware can infect your devices in the same way as other malware or viruses. For example:

  • visiting unsafe or suspicious websites
  • opening emails or files from unknown sources
  • clicking on malicious links in emails or on social media.

Common signs you may be a victim of ransomware include:

  • pop-up messages requesting funds or payment to unlock files.
  • you cannot access your devices, or your login doesn’t work for unknown reasons.
  • files request a password or a code to open or access them.
  • files have moved or are not in their usual folders or locations.
  • files have unusual file extensions, or their names or icons have changed to something strange.

Case Study: Ransomware attacks can be devastating, but backups protect what matters most.

How backing up saved a business from ransomware

Ransomware can happen to anyone, anywhere, at any time, and for one business, it did. With assistance provided by the Australian Cyber Security Centre (ACSC), the business recovered from the attack, files intact, and avoided months of downtime.

Gerri, who worked at a small design firm, noticed one morning she could not access a design file. The file extension was different and the icon was a blank page rather than the usual logo. Suspecting something, she raised it with her colleague Simon.

Simon decided to look at all the files on their server and noticed in real time that their files were being encrypted randomly, making them unusable.

“We actually caught it happening and then I pulled the plugs on everything and managed to save a lot,” said Simon.

A .txt file titled ‘Read Me’ popped up – it was a note sent by a cybercriminal saying the files were encrypted with ransomware. The note demanded a ransom in cryptocurrency to unlock them.

Simon took a screenshot of the ransom note and ran anti-malware and anti-virus on all their machines. He quickly called the Australian Cyber Security Hotline on 1300 CYBER1 to report the ransomware attack and seek advice about how to recover.

Luckily, the business was following ACSC best practice advice and kept regular backups of their work to cloud servers and external drives, as well as a Network Attached Storage device.

Due to Simon’s quick thinking and awareness, he was able to save the majority of their files; however, they lost some newer files that were encrypted by the ransomware.

The business consulted an IT professional, who reformatted their systems to ensure there was no trace of ransomware on their networks and updated their anti-virus software.

Unfortunately, the encrypted files could not be recovered, and it took the business an additional 2 weeks to recreate the lost work and to get all the systems back up and running.

“The downside was having to reload the software onto the systems, which took hours for some,” said Simon.

However, if it was not for the backups made prior to the attack, the situation could have been much more severe.

“Backup all your stuff daily… if it wasn’t for that we would have been stuck for months,” said Simon.

The ACSC has updated its ransomware guidance to help Australian individuals and businesses protect themselves and respond to a ransomware attack.

The ACSC is here to help all Australians impacted by cyber incidents. ACSC cyber security advice and assistance is available 24/7 through the Australian Cyber Security Hotline (1300 CYBER1) and through ReportCyber.

ACSC advice

Never pay a ransom

There is no guarantee that paying will restore access to your information or prevent it from being sold or leaked online. You may also be targeted by another attack.

The practical guides below will help you to protect yourself against ransomware attacks and tell you what to do if you’re held to ransom.
