11 October 2024

How To Avoid an eFiling Profile Hijacking

“…it is vital that all stakeholders in the digital ecosystem, including the taxpayers, SARS, and the banks, work together to prevent and combat profile hijacking.” (SARS)

The recent spike in the number of SARS eFiling profiles being hacked by cybercriminals should raise red flags for every taxpayer. It’s got so bad that the Minister of Finance has given the Office of the Tax Ombud (OTO) approval to conduct a review of SARS’ service failures in assisting taxpayers timeously with eFiling profile hijacking.  

Profile hijacking is a type of cybercrime in which fraudsters use phishing, malware, or social engineering to access and modify your personal or professional profile on a digital platform like SARS’ eFiling without your knowledge or consent.

Has this ever happened to you?

  • You receive an email, SMS, or WhatsApp, seemingly from SARS, asking you to click on a link or attachment to update your profile, verify your information, or claim a refund. It appears legitimate, and not realising it’s a fake, you just do as the message says…
  • You receive a call from someone pretending to be a SARS official, asking you to confirm your personal details or to click on a link, and you do, not realising that it will install malware on your device… 
  • You are contacted by someone pretending to be a SARS official, offering you tax assistance or advice, and asking you to share your login credentials, OTP, or personal information with them, and you do…

Fraudsters use methods like these to trick you into revealing your login credentials. An alarming number of taxpayers have fallen victim to these unscrupulous predators, despite continuous system enhancements to strengthen the security of SARS’ channels.

What could happen if my SARS eFiling profile is hacked?

Fraudsters can access and modify your details (e.g. contact number, password) without your knowledge or consent – with serious consequences for your tax compliance and financial security. 

They can then also change the bank details to divert a SARS refund due to you into their own accounts. And they can even submit fraudulent returns on your behalf to claim refunds!

How can I prevent profile hijacking?

Prevention is far better than cure. Here are a few pointers, direct from SARS.

  • Use a strong and unique password for your eFiling profile. Change it regularly. 
  • Don’t use the same password for other online accounts or services.
  • Never share your login credentials, OTP, or personal information with anyone, even if they claim to be from SARS. 
  • If you hear about a security compromise at any organisation you deal with, immediately log in to your account and update your password. 
  • Always access eFiling through the official website (https://www.sars.gov.za) or the SARS eFiling mobi app. 
  • Do not click on any links or attachments in emails, SMSes or WhatsApps that claim to be from SARS, and never “confirm” or submit your login details after clicking on a link. 
  • Keep your computer and mobile devices updated with the latest security software and antivirus programs. 
  • Activate multi-factor or “app” authentication on your eFiling profile. This will authenticate you every time you log in by sending an OTP message to your registered mobile number or email address or requesting you to authorise the action via your mobile phone.  

Source: SARS

We can help to keep you safe

As your accountants, we are well versed in avoiding these scams. Whenever you receive communications that seem to be from SARS, simply contact us.

  • We are alerted to all known scams claiming to be from SARS, so we can quickly help you to identify phishing attempts.
  • We can check your eFiling profile and tax information regularly and report any discrepancies or unauthorised changes to SARS immediately.
  • We constantly update our security details to ensure the safety of our profile and our clients’ profiles. 

In summary

SARS itself recognises that profile hijacking is a serious crime that harms taxpayers. But prevention is always better than cure. Take proactive steps to protect your security and contact us whenever you receive communications that seem to be from SARS. 

We offer a wide range of specialist services, including tax consulting and tax compliance. Should you need our advice or assistance, get in touch with your contact Partner at MGI Bass Gordon. Send an email to info@bassgordon.co.za or call us on 021 405 8500.

Additional reading: 

SARS has established a specialised Digital Fraud Unit that deals with profile hijacking. If you suspect that your profile, or a client’s profile, has been hijacked, you can report digital fraud here, or by phoning the contact centre or going to the nearest SARS branch. Send an email to cctt@sars.gov.za for additional assistance. This SARS video is also useful: Protect your SARS eFiling Login Details.

The article is a general information sheet and should not be used or relied upon as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your financial adviser for specific and detailed advice.