The Office of the Tax Ombud (OTO) has recently raised an alarm over the increasing incidents of tax profile hijacking, where fraudsters gain unauthorized access to the eFiling profiles of South African taxpayers and tax practitioners. This systemic problem has caused significant frustration, financial distress, and operational issues for those affected.
A growing concern
The OTO, led by Tax Ombud Yanga Mputa, has identified tax profile hijacking as a critical issue, with a rising number of complaints regarding how the South African Revenue Service (SARS) handles these incidents. These complaints have been voiced by various recognized controlling bodies, including the South African Tax Practitioner United (Satpu) and individual taxpayers. A recent two-hour meeting involving tax practitioners, Satpu, and SARS highlighted the gravity of the situation, which first became prominent in 2021 and has since dominated tax practitioner forums.
The mechanics of hijacking
Profile hijacking scams typically involve fraudsters altering the login details of taxpayers or their tax practitioners. Once access is gained, the scammers change banking details to submit fraudulent tax or value-added tax (VAT) returns, aiming to redirect refunds to their own accounts. Two specific banks have been identified as frequent targets for these scams. Additionally, SARS has discovered the opening of sub-accounts under main bank accounts where fraud may be occurring.
Filing season vulnerabilities
Fraudsters are particularly active during the filing season or when refunds are due, exploiting the increased activity to perpetrate scams. The 2024 Filing Season, which began on 15 July, is expected to see a resurgence of these fraudulent activities. Concerns have been raised about the ease with which scammers bypass security protocols, changing passwords, bank details, and email addresses swiftly, often leading to speculation about internal support within the SARS system.
SARS’ response and challenges
SARS has stressed that there is no evidence of staff involvement in these scams. They have emphasized that while SARS itself has not been hacked, eFiling profiles have been compromised. SARS is monitoring staff interactions with taxpayers and conducting data verifications, although lifestyle audits on staff members have not been carried out.
A significant challenge is the perceived lack of feedback and the lengthy process to finalize investigations. In some instances, compromised profiles resulted from neglect by tax practitioners, allowing passwords to be easily accessible.
The need for broader involvement
Thabo Legwaila, CEO of the OTO, highlighted the necessity of strengthening internal controls at SARS to prevent further compromises. He called for broader involvement from other entities, such as the Ombudsman for Banking Services, the Financial Intelligence Centre, and the Financial Sector Conduct Authority, to develop comprehensive solutions to this issue.
Closing thoughts
The rise in tax profile hijacking poses a significant threat to the integrity of the South African tax system. By addressing internal controls and involving multiple stakeholders, there is hope for mitigating these risks.
As a taxpayer, however, you should always be vigilant in storing your passwords. Ensure that you change them regularly and store them in a file location that is accessible by yourself only.