Calls grow for full audit trails in eFiling profile hijackings


Taxpayers must have a complete audit trail of all logins, transactions, return submissions, and IP addresses from where transactions were executed when their eFiling tax profiles have been hijacked. This is one of the key recommendations from taxpayers and tax practitioners to the Office of the Tax Ombud (OTO) following the systemic investigation into the surge in profile hijackings last year.

To date, there has not been a single successful prosecution of any perpetrator, even though the South African Revenue Service has been alerted to about 16 000 cases.

Tax Ombud Yanga Mputa and her team held a virtual workshop last week with more than 100 stakeholders to discuss and refine the draft report that was published in October.

Read: Deep flaws in SARS’s systems, OTO investigation finds

She apologised for the delay in finalising the report. The draft was given to SARS in June this year, offering it a right of reply, with the intention to publish the report in July.

SARS asked for an extension until the end of August. Several meetings between SARS and the OTO ensued. “During these meetings, we agreed to disagree on certain instances, but the draft report was finalised,” Mputa said. The intention is to publish the final report in the second week of February.

In its response to the draft report, SARS said it remains committed to enhancing its authentication protocols, improving fraud-risk detection, optimising refund-verification systems, and strengthening collaboration with banks, the Companies and Intellectual Property Commission, and the South African Police Service.

“SARS believes that any compromised profile is one too many. All roleplayers must play their part to prevent criminals from accessing taxpayers’ information,” the tax agency said.

Insider involvement

The allegation of insider involvement or fraud has struck a sensitive nerve with SARS. The OTO’s investigation could not confirm any allegations of insider involvement.

Mputa expressed the need for the appointment of an inspector general as mooted in the Nugent Report following the Commission of Inquiry into a captured SARS in 2018. The role of the inspector general would be to focus on investigating matters such as potential internal collusion and fraud.

Paul Gering, a dispute resolution specialist at PKF, said it is critical to find the “root cause” of eFiling hijackings. It is evident that taxpayers who are due a refund seem to be the target of profile hijackings.

“It is miraculous that the hackers know the information contemporaneous when you are getting a refund. How do they know that? There must be access into the SARS system,” he added. He also bemoaned the fact that, to date, no one has seen the inside of a jail cell.

Mputa said her Office has not received any information relating to criminal investigations or prosecutions. The response from SARS was that its fraud unit was “new” and the turnaround time for investigations was 150 days.

Tax practitioners noted that tax fraud and profile hijackings were not new, and SARS had been alerted to the problem as far back as 2019, again in 2022, with a surge in 2024.

Hijack versus compromise

SARS insisted that the word “hijack” should be replaced with “compromise”. Gering cautioned against “watered-down” versions of what is happening.

“Any transaction effected on an eFiling profile that is not at the behest of the taxpayer or directly as a consequence of a SARS transaction is an illicit transaction. It is a hijacking, an unlawful transaction, a breaking and entry into your own personal space.”

He said the matter was central to the preservation of the eFiling system. “If we don’t get it right, the system is undermined. That is why SARS wants to move away from the strong word (hijacking).”

Mputa confirmed that SARS did not like the word. However, the OTO will be sticking to the term “profile hijackings”. According to her, SARS does not consider profile hijackings as “material” because there are 22 million taxpayers and only 16 000 cases.

The estimated value of fraud in most eFiling profile hijacking cases is below R10 000, although there are cases that fall between R10 000 and R100 000. The targeting of taxpayers with refunds below a certain threshold is “indicative” of insider knowledge of SARS practices and thresholds.

Material in nature

Gering said that although the hijackings may not be material financially, they are material in nature. “If it is correct that an employee of SARS under the control and supervision of the commissioner is committing fraud on taxpayers, it is material in nature.”

Pieter Faber, a senior executive at the South African Institute of Chartered Accountants, emphasised the need to obtain proper insight into the internal control and governance systems at SARS.

It is apparent from some of the case studies that it is not a question of “no controls”. It is a question of someone overriding or ignoring them. Faber cautioned against the introduction of even more controls that can be circumvented. All that will happen is that life for taxpayers will become more difficult.

Amanda Visser is a freelance journalist who specialises in tax and has written about trade law, competition law, and regulatory issues.
Disclaimer: The views expressed in this article are those of the writer and are not necessarily shared by Moonstone Information Refinery or its sister companies.
