By Amanda Visser

Moneyweb: Journalist


Phishing scams target eFiling: How taxpayer profiles are being hijacked

Sars refunded taxpayers to the tune of R414 billion in the previous financial year.


Various phishing scams involving eFiling taxpayer profiles have been rearing their ugly heads in recent months, resulting in the hacking of taxpayer profiles and the hijacking of companies.

Scamsters amend the login details and soon thereafter the banking details on a profile, with the main aim of submitting fraudulent value-added tax (Vat) returns so that the refunds are paid into the fraudster’s bank account.

Jean-Louis Nel, tax director at Van Huyssteens Commercial Attorneys, says the South African Revenue Service (Sars) will hold a taxpayer accountable if the fraud emanates from within the company.

He refers to Medtronic International’s tax case, in which accountant Hildegard Steenkamp exploited weaknesses in Sars and Medtronic’s accounting systems.

She was able to scam the company out of an eye-watering R537 million between June 2004 and May 2017.

Steenkamp executed her fraudulent scheme, and concealed her embezzlement, by submitting false Vat returns and seeking reimbursements from Sars.

Medtronic successfully applied for relief under the Voluntary Disclosure Programme but was still required to repay the overstated Vat inputs claimed. This amounted to R457.6 million (the capital tax of R288.5 million and interest of R171.2 million).

Recovery proceedings

Nel says taxpayers are required to exercise a duty of care with their login credentials. Failure to do so may result in Sars holding them responsible for amounts fraudulently paid to scammers if their information is stolen. 

In instances where Vat fraud occurs and a taxpayer becomes aware of it, the taxpayer may be required to lodge an objection in terms of the dispute rules to normalise their tax position. 

“However, I am of the view that where a taxpayer has no fault in the submission of fraudulent returns, it would be difficult for Sars to hold such a taxpayer accountable for the repayment of refunds obtained by fraud.”

If the taxpayer is obliged to repay the amount, on the basis that no action has been taken by the taxpayer and the amount is due in law, Sars has an “arsenal of recovery proceedings” that it can use against the taxpayer.

According to Nel, this includes the liquidation or sequestration of the taxpayer, or holding the financial management team personally liable for the outstanding tax debts.

In certain instances, Sars can also hold the shareholders of a corporate taxpayer liable.

Sars’ specialised digital fraud unit

Sars has established a specialised unit for digital fraud to deal with profile hijackings.

In its guide for taxpayers on how to prevent and report digital fraud, Sars warns taxpayers to be vigilant. They remain responsible for protecting their information and preventing profile hacking.

Profile hijacking is usually done through phishing, malware, or social engineering.

Fraudsters use tricks such as sending taxpayers fake emails, SMSs or links to websites that look like they are from Sars, asking them to update their profiles, verify their information, or claim a refund.

Some fraudsters pretend to be Sars officials, asking you to confirm your personal details or click on a link that will install malware on your device.

Others offer tax assistance or advice, asking you to share your login credentials, one-time pin, or personal information with them.

Sars was relatively vague when asked what would happen if the hijacked taxpayer was not able to repay the amount paid to the fraudster and whether Sars would write off the tax debt.

A spokesperson says Sars investigates all matters where an incident of profile hijacking has taken place, and its action depends on the circumstances of each case. It deals with each matter on a case-by-case basis.

“Sars is taking measures to ensure that its systems are secure, and one of the measures it employs is to implement continuous monitoring and alignment with best practice standards.”

Sars regularly assesses and evaluates its systems’ performance, functionality and security, and identifies potential vulnerabilities or risks. When issues are identified, Sars prioritises them and takes appropriate action to correct them to mitigate any risk, the spokesperson says.

“By doing so, Sars aims to prevent hackers from exploiting any loopholes or weaknesses in its systems and accessing taxpayers’ information.”

Sars investigation results 

Nel says one can only hope that Sars can recover fraudulent amounts from fraudsters; however, whether this happens remains a secret. The results of investigations are not made public due to privacy provisions.

Sars may permanently write off a tax debt if a senior official is satisfied that it is “irrecoverable”. The Tax Administration Act provides that a tax debt is irrecoverable at law if it cannot be recovered by the action and judgment of a court. 

“Consequently, Sars will be required to institute action against the taxpayer or scamster. There should be no prospects of recovering the amount before the tax debt will be written off,” says Nel.

Sars refunded taxpayers to the tune of R414 billion in the previous financial year and prevented the outflow of R101 billion of impermissible refunds.

This article was republished from Moneyweb.