Tax ombud sees spike in eFiling profile hijacking

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 02 Oct 2025
Fraudulent conduct is rife as taxpayers’ eFiling profiles are being hijacked.

South African taxpayers and tax practitioners are increasingly presented with the challenge of eFiling profile hijacking, says the Office of the Tax Ombud (OTO).

This comes as fraudsters exploit vulnerabilities in the SARS system to gain unauthorised access to taxpayer accounts, modify banking details and redirect tax refunds for fraudulent gain.

The findings in the OTO’s “Draft report into alleged eFiling profile hijacking”, released yesterday, show the scope and impact of eFiling profile hijacking. The report sought to identify factors that make taxpayers vulnerable to eFiling profile hijacking, as well as evaluate SARS’s response mechanisms and suggest areas for improvement.

eFiling profile hijacking refers to a scenario where a taxpayer’s or tax practitioner’s SARS eFiling profile is unlawfully accessed, taken over or manipulated by unauthorised persons, explains the OTO.

This leads to the taxpayer or tax practitioner losing access to the SARS eFiling profile, significant financial losses, compromised personal data and administrative difficulties.

Concerning findings

The highest prevalence of eFiling profile hijacking happens among tax practitioners, followed by individual taxpayers, says the ombud.

Although the OTO’s report doesn’t state how many eFiling profiles were unlawfully accessed, most cases involve personal income tax and value-added tax, it notes.

It further highlights that the estimated value of fraudulent transactions typically involves amounts below R10 000, but can reach up to R100 000.

The OTO uncovered vulnerabilities in the authentication systems and security measures, which fraudsters exploit. There are also fraud detection weaknesses and slow response mechanisms that allow hijackers to access and misuse eFiling profiles undetected.

It stresses that taxpayers and tax practitioners encounter ineffective communication channels and limited support from SARS when trying to resolve eFiling profile hijacking cases.

In terms of syndicated tax fraud, the OTO states it begins with unauthorised or fraudulent changes to directors’ information at the Companies and Intellectual Property Commission (CIPC).

The OTO indicates that victims of eFiling profile hijacking report that South African Police Service (SAPS) stations are often unable to categorise or escalate cases of tax profile hijacking.

Additionally, fraudsters continue to open fraudulent bank accounts, particularly with banks, and redirect fraudulent tax refunds from SARS into these accounts.

The OTO’s findings state there is alleged internal fraud and insider involvement, and taxpayers lack digital security awareness.

The ombud’s draft report findings echo those expressed by industry commentators, who, at the start of the tax season, warned that cyber criminals were ramping up phishing scams and leaked credentials to get access to SARS taxpayer profiles and steal refunds.

Ferné Nagy, executive financial of life, health and invest at ASI Financial Services, told ITWeb that scammers break into a taxpayer’s SARS account using stolen login information, or by tricking them into handing it over.

Nagy explained that once inside, they “file a false return, often exaggerating deductions or creating fictitious income to trigger a refund”. That payout is then sent to a bank account controlled by the fraudster, he stated. “SARS has been clamping down on this by linking bank verification more tightly to your profile, but it still happens.”

In line with its findings, the OTO has made several recommendations to SARS, tax practitioners, taxpayers, National Treasury, the South African Reserve Bank, banks, the CIPC and SAPS.

The ombud recommends the tax authority enhance authentication protocols, improve fraud detection and refund verification systems, boost taxpayer education, and strengthen collaboration with banks, the CIPC and the SAPS.

Tax practitioners are advised to implement stricter controls on third-party access and uphold high professional conduct standards.

It recommends that taxpayers use strong passwords, activate two-factor authentication and regularly monitor eFiling profile activities.

The ombud notes Treasury needs to amend certain provisions in the Tax Administration Act and establish an inspector-general as recommended by the Nugent Commission of Inquiry.

SARB must investigate banking irregularities linked to eFiling profile hijacking, notes the OTO.

The ombud has invited public participation on the eFiling profile hijacking draft report.

Written comments can be submitted via e-mail to communications@taxombud.gov.za before 31 October.

SARS responds

SARS says it notes the recommendations of the ombud’s draft report. However, it highlights that most have been integral to the modernisation programme over several years. “SARS remains committed to strengthening the critical areas that have been highlighted.

“These include enhancing its authentication protocols; improving fraud-risk detection; optimising refund-verification systems; and strengthening collaboration with banks, the CIPC, and SAPS.”

According to SARS, it will be making inputs into the draft report like all other interested parties, saying it believes its “constructive contribution” will help deepen confidence among all taxpayers that its electronic platforms are secure and safe for engagement with the organisation.

“SARS acknowledges that cyber crime is an evolving and growing risk, requiring significant and ongoing investment into modernisation of its tax administration platform as included in its current 5-year strategic plan.

“As an organisation that is operating in a rapidly changing technological environment, SARS continuously reviews strategic risks, so that it can react to these changes and stay ahead of the curve. SARS will be sharing these insights with the OTO.”

The revenue service notes that any compromised profile is one too many. “All role players must play their part to prevent criminals from accessing taxpayers’ information.

“It is worth repeating that taxpayers must keep their confidential details safe and never exposed to unauthorised individuals. Taxpayers must use secure platforms to access electronic services such as eFiling. SARS will never ask taxpayers to click any link to access its services.”
