Tax practitioners continue to be targeted by hackers aiming to gain access to their eFiling profiles and change banking details to divert refunds to other accounts.
There have been multiple cases of fraudulent access to eFiling profiles recently, and the prevalence of unauthorised access has increased significantly in the past 12 months, says the South African Institute of Chartered Accountants (SAICA).
There have also been instances involving corporate taxpayers where directors’ details were changed at the Companies and Intellectual Property Commission (CIPC), effecting changes to the registered tax representative.
“The corporate taxpayer director changes could possibly be related to the hacking of CIPC systems or other CIPC controls,” says Somaya Khaki, project director for tax at SAICA.
In April, tax practitioners in North West alerted the South African Revenue Service (SARS) to incidents where fraudsters obtained unauthorised access to their profiles, removing clients and changing their banking details.
The refund lure
In one incident, the information of about 20 taxpayers held by a tax practice in Schweizer-Reneke was compromised when a hacker accessed the practitioner’s profile.
Bank accounts of taxpayers who were due large refunds were changed. However, it is unclear whether the refunds have been paid into the newly created accounts.
According to an administrator at the practice, their password was changed, and taxpayers were removed from their profile, stating “registered on individual’s profile”.
However, the taxpayers did not request a transfer of their profile.
According to the practice, they contacted the SARS fraud line and went to the nearest branch to report the breach, but their system remains compromised.
Siphithi Sibeko, head of communications and media at SARS, says a North West tax practitioner also alerted him about unauthorised access to his eFiling profile. The clients were diverted to another profile, and he could no longer access his own profile, let alone those of his clients.
The tax practitioner visited his nearest branch, where the SARS officials were able to “stem the bleeding”, and his profile was restored within a few hours.
Sibeko says tax practitioners have been given more authority to migrate clients onto their profiles. “In doing so, it could be that the system has become more vulnerable. We are taking this very seriously. We are continuously upgrading our systems to create an impenetrable system that can withstand attacks.”
Secure systems
Sibeko emphasised that SARS will not act in a way that undermines its responsibility to safeguard taxpayer information. “Equally, tax practitioners also have a particular responsibility to ensure that their systems are secure.”
Khaki says tax practitioners must immediately inform the affected client and report the case through the SARS Online Query System (Report Digital Fraud option) and to the South African Police Service. It is a criminal matter.
Where the unauthorised access has resulted in banking details being changed on the SARS system – either to divert a legitimate tax refund or create a fraudulent refund – the taxpayer or tax practitioner should inform their bank and the bank that was fraudulently added to their SARS profile, she advises.
There have been cases where new taxpayer profiles have somehow been created, and the perpetrator removed the tax practitioner’s access. In such cases, the tax practitioner would not be notified unless the taxpayer notices something amiss and informs the tax practitioner, notes Khaki.
“There was a recent incident where the perpetrators actually called the taxpayer asking him to share the one-time PIN that was just sent to him, so they could get access to his profile to enable them to assist him with his tax returns.”
Khaki says it is unclear how taxpayers’ banking details are being changed so easily given the SARS risk processes applicable to banking details and the FICA risk processes applicable to banks. “The details are sometimes changed within one or two days.”
No fool-proof system
Sibeko says SARS met with the tax practitioner fraternity in April to address some of the challenges it is experiencing in terms of the eFiling system.
“Ultimately, we are the custodian of taxpayer information, and we do not abdicate our responsibility […] Although no system is fool-proof, we try to get on top of the matter as soon as it happens. It would be reckless and a dereliction of duty on our side if we do not act swiftly.”
His advice to tax practitioners – the moment they become aware of unauthorised activities on their eFiling profile – is to contact their recognised controlling body immediately.
These bodies have direct access to a dedicated SARS stakeholder unit. The matter will be escalated without delay.
“We do see tax practitioners as our partners, and where there are challenges, we must put our heads together.”
According to Khaki, the steps taken by SARS in recent weeks appear to have significantly reduced the number of new cases reported. However, some of the cases previously reported are still being investigated and resolved.
“The issue of digital crimes in the tax system is not unique to South Africa and is an unfortunate consequence of a digital world and tax system that requires constant mitigation and collaboration by all the parties involved,” she adds.
Amanda Visser is a freelance journalist who specialises in tax and has written about trade law, competition law, and regulatory issues.
Disclaimer: The views expressed in this article are those of the writer and are not necessarily shared by Moonstone Information Refinery or its sister companies. The information in this article does not constitute financial planning, legal or tax advice that is appropriate to every individual’s needs and circumstances.
My thinking is that SARS is responsible for ensuring privacy and confidentiality of all private information. Issue a complaint to the POPIA Regulatory body.
Very concerning indeed. Glad you brought it to the attention of the public.
It’s all an inside job. Isn’t it interesting that all the checks and balances imposed on law-abiding taxpayers are never imposed on these “hackers”? We have several cases with SARS on this issue and they do not investigate ANY of them to find the real perpetrators. I wonder why?