
Cyber criminals lurk amid SA’s tax season

By Nicola Mawson, Contributing journalist
Johannesburg, 25 Jul 2025
Fraudsters sometimes create entirely fake taxpayer profiles using stolen ID numbers.

As tax season kicks off with manual filing now open, cyber criminals are ramping up phishing scams and the use of leaked credentials to get access to South African Revenue Service (SARS) taxpayer profiles and steal refunds.

In most cases, scammers break into a taxpayer’s SARS account using stolen login information or by tricking them into handing it over, says Ferné Nagy, executive financial of Life, Health & Invest at ASI Financial Services.

He tells ITWeb that, once inside, they “file a false return, often exaggerating deductions or creating fictitious income to trigger a refund”.

That payout is then sent to a bank account controlled by the fraudster, says Nagy. “SARS has been clamping down on this by linking bank verification more tightly to your profile, but it still happens.”

Fraudsters don’t always need access to an existing account. Sometimes they create entirely fake taxpayer profiles using stolen ID numbers, then submit returns just to claim refunds, says Nagy. “It's a numbers game: if they can file hundreds of bogus returns, even a small payout rate becomes profitable.”

E-mail delivery

E-mail communication from SARS – including notifications about refunds or return submissions – can be an early warning sign for taxpayers, but only if it reaches them.

Nagy says SARS sends e-mails and SMS messages as a “nudge” to get people to check their profiles. Yet, Brad Gilmour, director at Registered Communication, says there’s currently no third-party validation to confirm if these messages are successfully delivered or opened.

Technically, once an e-mail is sent, it passes through several servers and could be intercepted along the way, especially without end-to-end encryption. “So no, SARS doesn’t have a way of definitively knowing whether a message has been intercepted before it reaches the intended inbox,” says Nagy.

To minimise this risk, SARS doesn’t include sensitive personal or financial information in the body of the e-mail, says Nagy. “Instead, they'll prompt you to log into your eFiling profile or the SARS MobiApp, where access is protected by multi-factor authentication. In essence, they’re using e-mail more like a nudge than a delivery mechanism for private data.”

Impersonation and phishing are major threats. If a fraudster intercepts or mimics SARS communication, they could send a convincing e-mail with a malicious link, asking the taxpayer to “verify” details or “log in to view your assessment”, says Nagy. “That opens the door to credential theft, theft, and in some cases, even fraudulent tax refunds being filed in your name.”

Even though some of these scams are clearly fake, Nagy warns that “others are disturbingly well-crafted… even sophisticated users can fall for social engineering when they’re stressed, or in a rush”.

Nagy says criminals are now using generative artificial intelligence (AI) to improve phishing techniques, sometimes even copying the tone and formatting of SARS messages. “They're also using AI voice clones to impersonate tax consultants or officials in phone calls, complete with urgency, threats, or refund bait.

“In some cases, deepfake videos or fake Zoom calls are being used in broader scams involving ‘consultants’ who walk you through fake tax platforms,” he adds.

SARS, in response to ITWeb, said it “has the necessary internal processes that deal with the management of information received from anyone that interacts with the organisation on all matters within its purview”.

Legal view

Proving that an e-mail was delivered is also crucial in legal matters, says Gilmour. He notes that a delivery certificate is admissible in court, adding that Registered Communication cannot read the content of the e-mail, in compliance with data protection laws such as the Protection of Personal Information Act.

“As soon as a mail gets sent, it has to go down some sort of street − a pipe as we would call it. As soon as that initiation happens, we start picking that up,” he explains.

Registered Communication’s technology tracks a mail from the moment the send button is hit through to its arrival in an inbox, using aspects such as metadata.

When it comes to which e-mail address SARS uses, it’s the taxpayer’s responsibility to keep their registered contact details up to date. “SARS must have your initial information from when you signed up with them. If anything changes, it’s up to you, your legal responsibility, to do so,” says Gilmour.

SARS has taken steps to strengthen its systems against these threats. “In their annual reports, they mention things like deploying a cyber security operations centre, increasing encryption on internal and external communications, and enhancing monitoring tools for threats and anomalies,” says Nagy.

Access to eFiling has been tightened, with multi-factor authentication rolled out for more services, including on the MobiApp. “There's a bigger emphasis on endpoint detection and response, too, which helps detect unusual activity on their own systems.”
