Deep flaws in SARS’s systems, OTO investigation finds


The investigation into systemic eFiling profile hijackings provides clear evidence of violations of fundamental taxpayer rights and discloses a troubling pattern of systemic failures within the South African Revenue Service’s fraud prevention, detection, and resolution processes.

South African Tax Practitioners United (SATPU), a union representing independent tax practitioners, further asserts that the report fails to adequately address its concerns about the bypassing of two-factor authentication (2FA), unauthorised changes to banking details, and extended lockouts affecting tax practitioners.

The Office of the Tax Ombud (OTO) last week released its draft report into allegations of the widespread hijacking of taxpayer and tax practitioner eFiling profiles, resulting in harm and prejudice to taxpayers.

Vulnerabilities in security measures

The report found challenges with SARS’s authentication systems and security measures, which created “vulnerabilities” that fraudsters exploit. It also raised concerns about the challenges facing SARS with fraud detection and slow response mechanisms that allow hijackers to access and misuse eFiling profiles undetected.

Tax Ombud Yanga Mputa says in her report the integrity of the eFiling system is critical for efficient tax administration and taxpayer compliance.

“The rapid increase in eFiling profile hijacking has presented significant challenges for South African taxpayers and tax practitioners and has raised concerns regarding the security of the SARS eFiling system.”

Fraudsters can gain unauthorised access to taxpayer accounts, modify banking details, and redirect tax refunds for fraudulent gain. SATPU secretary-general Theo Burrows says this is a clear violation of taxpayers’ rights.

“SARS failed to prevent unauthorised access and fraudulent modification of taxpayer profiles, exposing sensitive data and enabling theft of refunds.”

Taxpayers’ rights to timely and effective service, to be informed, to fair treatment, and to protection against ongoing harm were breached.

Fraud victims often waited months, and in some cases years, for resolution, exceeding the 150-day target and compounding financial and compliance risks. SARS pursued debt collection and compliance actions against victims of fraudulent returns before clearing the underlying fraud.

SARS acknowledged the publication of the report. It remains committed to strengthening the critical areas that have been highlighted, it says.

These include enhancing its authentication protocols; improving fraud-risk detection; optimising refund-verification systems; and strengthening collaboration with banks, the Companies and Intellectual Property Commission (CIPC), and the South African Police Service.

The tax agency also acknowledges that cybercrime is an evolving and growing risk, requiring significant and ongoing investment into the modernisation of its tax administration platform.

Changes and recommendations

Since November last year, SARS has made 2FA compulsory for individual taxpayers and tax practitioners. The OTO recommends that SARS should implement “graded” 2FA policies based on activity risk level.

SARS should continue monitoring the implementation of notifications to taxpayers and tax practitioners when high-risk changes are made to their profiles (password resets, banking detail changes, changes to the directors of a company, new access grants).

SARS has implemented alert emails for any changes to a taxpayer’s registered details, including updates to security contact details.

The OTO wants SARS to introduce a profile-lock option during tax filing season that allows taxpayers to voluntarily freeze changes to their banking details if they do not expect to make any changes.

“This measure would help prevent unauthorised updates and reduce the risk of eFiling profile hijacking during times of increased fraudulent activity,” the OTO adds.

SARS ought to implement automated alerts for refunds processed after hours, or within days of a bank account creation or a change in banking details. The OTO also wants SARS to ensure that it provides timely responses and regular updates to fraud victims, thereby preventing gaps in communication.

The OTO says fraud does not happen in isolation, because there is an interconnection between different agencies and institutions, notably the banks and the CIPC. Incidents within specific banks have been reported to the South African Reserve Bank, with the recommendation that the Prudential Authority takes it further.

It also wants the CIPC to notify SARS automatically and immediately of changes to directors or company ownership. This should trigger SARS to temporarily freeze the payment of VAT refunds until the changes have been verified.

Internal collusion

Burrows says one of the most compelling recommendations is the establishment of an inspector general as proposed by the Nugent Commission. “That this is deemed needed strongly suggests the investigation found indications of possible internal collusion, or insider fraud, or something of significant seriousness to demand such a recommendation.”

An independent office with the power to investigate high-risk areas, enforce proactive risk assessments, and publish transparent reports is critical to restoring taxpayer trust.

Burrows urges that the OTO’s recommendations be implemented without delay. “These steps are essential not only to stop eFiling profile hijacking but also to uphold the constitutional rights of taxpayers and the integrity of South Africa’s tax administration system.”

Amanda Visser is a freelance journalist who specialises in tax and has written about trade law, competition law, and regulatory issues.
Disclaimer: The views expressed in this article are those of the writer and are not necessarily shared by Moonstone Information Refinery or its sister companies.

13 thoughts on “Deep flaws in SARS’s systems, OTO investigation finds”

  1. Hi,
    Is there any advice you can give for anyone who has been robbed of refunds by SARS employees?
    My requests for an update merely go unanswered by SARS.

    1. I suggest you file a complaint with the Tax Ombud: https://www.taxombud.gov.za/

    2. You need a tax legal expert. Alan Lewis has successfully helped a number of taxpayers with such fraud cases. 072 179 8814

    3. We have a huge issue for the past month and a half with exactly this issue. Inside job, they change your OTP and do whatever they want. We have screenshots of their lock in names, IDs, etc. Who can assist, please? May I ask to have your contact details please, Amanda? This needs to be attended to immediately. How can SARS just let it pass??????

  2. I have been waiting for a tax refund since last year. Then I was logged out of my eFiling.
    I could log into my account yesterday with help from a lady at SARS and 30 min on the phone, but can’t see last year’s assessment, telling me I don’t have sufficient permission?????

  3. I get a demand for payment every year for my cc. When I go into Randburg Sars, they print out around 10 pages going back to 2013. One year, I managed to get into the back section and they printed the penalties sheet for me, NIL. The sick part is, I still get demands. Most people would just pay and not question and that is what Sars relies on. Every section of government is corrupt, so is Sars.

  4. Good morning
    I have a profile hijack on my SARS profile since 2023. The money was deposited to Tyme Bank. SARS deducted the money from my salary, including interest. When I provided the forensic report from Tyme Bank, someone inside SARS closed the case. I need help, and the Public Protector gave me a referral letter but they ignored it.

    1. I suggest you file a complaint with the Tax Ombud: https://www.taxombud.gov.za/

    2. Lol
      Good business they run?

  5. Sars refuses to address the internal theft issues. MOST of this is done on the inside and in collusion with banks. Instead of sorting that out they put more and more onerous security measures on taxpayers. And they ‘pretend’ to be sooo concerned.

    1. It’s the new business model. It’s not flaws, it’s features.

  6. During Covid my husband also received demands for payment of penalties for not submitting 2013 tax. According to us it was submitted. They kept on with demands, deducted money from my husband’s bank account, which we then closed, and then we received legal letters of demand for R3k+. We are both pensioners and, for peace’s sake, decided to do 6 payments of approx R650 pm. We still have to do 3 payments, which is not easy.

    I also had my own ordeal with SARS which was eventually resolved after 4 years WITHOUT any “sorry we made a huge mistake”. Only that I owe SARS nothing, but I was before the resolution telephonically warned that my bank account will be entered every month to get “their” money… SARS had a gentleman’s profile who has the same surname as I (a woman), totally different ID, and no connection to me whatsoever, linked to my SARS profile who owed SARS R1.6M for nearly R4m he received for translating books. I had to visit SARS offices over 200km from my home about 5 times, had to go to Pta together with a Tax Councilor, and even acknowledged that SARS made a huge mistake, it still took me nearly a year further of constant complaining and requests by another tax practitioner, plenty of affidavits, etc., before I was informed that I owe SARS nothing. And they took each year’s tax returns during these 4 years to “pay off your debt”. The tax practitioner advised that I let SARS be for a while and then we would try to see if I will get something back from SARS. It was a very stressful 4 years with a lot of unnecessary costs to try to convince SARS that I was not liable for that money. We unfortunately do not have money to appoint an attorney to establish if I am due for some kind of “payback” from SARS, therefore we did not request anything further from SARS, plus the tax practitioner is worried that SARS may reverse their resolution🤨. All very very frustrating to both of us and wish there was something we could do.
    Thank you for the opportunity to speak my mind.

  7. Let Sars stop looting taxpayers’ money. I don’t understand how the percentage of tax is calculated. According to me only 5 percent should be deducted, not 45 percent, which is almost 50 percent.
    At the end of the day the very same money is looted by the untouchable. Without helping the country with anything. SARS should be investigated for demanding a lot from taxpayers.

    Zakio in the Bible wanted to see Jesus and Jesus said to him, come down and Short man Zakhe promise to pay all the people he robbed. It is high time for Sars to make self introspection. To repay and ask forgiveness from God.
