eFiling profile hijacking occurs when your taxpayer profile on the South African Revenue Service (SARS) eFiling site is unlawfully accessed, taken over or manipulated by an unauthorised person.
Once fraudsters gain access to your profile, they typically change your contact details and banking details to redirect a tax refund owed to you to their own account. In many cases fraudsters file a fraudulent tax return aimed at generating a tax refund that is then redirected into their own account.
This crime often results in financial losses, compromised personal data and administrative difficulties for the victims trying to restore their profiles. When fraudsters have your personal data they may use it to take out and use credit or loans in your name.
How does eFiling profile hijacking occur?
Fraudsters usually begin by obtaining your personal information using one of several methods:
- Criminals steal wallets, documents or mail sent in the post containing your details.
- Fraudsters search through discarded documents to obtain valuable personal details.
- Fraudsters use internet-based techniques, including phishing emails or messages urging you to click on links, spoofed websites and malicious software to extract confidential information and get your eFiling details.
- Scammers trick you into revealing your details through social media interactions, fake customer service calls or fraudulent SMS messages. These communications may imitate government bodies, banks or even SARS officials. Remember that SARS will never request your eFiling login details, passwords or any bank details via email or phone. When scammers pose as SARS officials, they falsely claim that you are due a refund or are under investigation. They may send fraudulent letters or contact businesses pretending to be auditors, pressuring you into providing information.
Tips to protect yourself
The Office of the Tax Ombud (OTO) found that eFiling profile hijacking cases most commonly affect tax practitioners and individual taxpayers, especially in relation to Personal Income Tax and Value-Added Tax (VAT). To protect yourself:
- Make sure the passwords on your eFiling profile and on the email accounts linked to your SARS profile are made up of a mix of letters, numbers and symbols.
- For extra security, SARS recently introduced two-factor authentication (2FA) on individual SARS eFiling profiles, using a trusted authenticator app or SMS verification, or biometrics that make use of facial recognition.
2FA is an additional security measure and requires you to provide two different authentication methods to access your eFiling profile, such as your password and an OTP sent to a device you linked to your eFiling profile. It is mandatory on all individual profiles. If it has not been activated, the eFiling screen will display steps to follow.
- As a taxpayer you should never click on suspicious links or open attachments from unknown sources. SARS will never send you hyperlinks directing you to any other website, the tax ombud says. To avoid falling victim, verify emails or SMS messages claiming to be from SARS via the official SARS website, the SARS call centre or the OTO call centre.
- Do not share your SARS eFiling login details with anyone, including tax accountants, without secure arrangements in place about methods of communication.
- Use 2FA for email accounts linked to your SARS profile and make sure it is working. Regularly monitor your emails to check for changes to your eFiling account.
- Ensure you log on to your eFiling account and do any other tax-related tasks on secure, private networks only.
- Taxpayers are advised to ensure that their operating system, browser and antivirus software are up to date to avoid malware risks.
- Regularly logging into your SARS eFiling account will help you spot any unusual activity or unauthorised changes.
- It is better to avoid logging in from public computers where keyloggers may be installed.
- Do not waste time: contact SARS without delay to secure your accounts if you suspect your profile has been hijacked.
Am I liable for fraudulent returns and penalties?
Currently SARS will pay a refund owing to you if you can prove your eFiling account was hijacked and your banking details changed without your involvement.
The Office of the Tax Ombud has recommended amendments to the Tax Administration Act, including inserting a provision stating that where a profile has been hijacked and a refund fraudulently redirected to a third-party bank account, SARS shall remain obligated to pay the legitimate refund to the affected taxpayer, after an investigation is done, where there is no evidence of taxpayer involvement.
The ombud has also suggested the Tax Administration Act be amended to protect taxpayers from problems arising from delays in resolving eFiling profile hijack cases. These proposals include:
- A provision to exclude any amounts owed or owing as a result of fraud from being treated as tax debt, and to prohibit SARS from taking these amounts into account when determining a taxpayer’s compliance status, from the date on which the profile-hijacking incident is reported by the taxpayer or tax practitioner until a final investigation outcome has been reached to determine whether the taxpayer was involved.
- A provision to allow the Commissioner of SARS to publish policies and criteria for extending filing deadlines in cases where taxpayers and practitioners subject to eFiling hijacking are unable to submit returns on time as they are locked out of their profiles, leading to penalties and interest.
Tax practitioner suggestions
Tax practitioners have requested that SARS provide an expansion of the audit trail of logins and all changes made on an eFiling profile, as some are done by SARS. While these changes may not be related to hijackings, practitioners argue that it is important to see the whole history and the IP addresses from where changes were made, without having to resort to legal processes to get the necessary information.
Tax practitioners also asked that Recognised Controlling Bodies and SARS work together on how to manage the process when a taxpayer terminates the services of a tax practitioner, for instance through dual notification. This will help the tax practitioner to see when they have been removed from a profile and by whom, safeguarding them from accusations that they may have been involved should a profile be hijacked and money lost.