Digital fraud, eFiling profile hijacking

With the increase in the use of technology, comes the increase in the risk of data breaches and digital fraud. Picture: Motshwari Mofokeng/Independent Newspapers


Published Jul 13, 2024


By Yolisa Dyasi

With the increase in the use of technology comes the increase in the risk of data breaches and digital fraud. The South African tax system and specifically the South African Revenue Service (Sars) is not immune to these risks.

In 2019, Sars Commissioner Edward Kieswetter made it his sole mission to create a digital and smart Sars, using technology and artificial intelligence. To Sars’s credit, this has been largely achieved, as Sars is considered one of the most technologically advanced revenue services in the world. Unfortunately, between 2021 and 2024, Sars has seen unprecedented levels of digital fraud, and users have been left feeling the brunt of the eFiling profile hijackings.

In February, eFiling users, and more specifically tax practitioners, started noticing an upward trend of eFiling profile breaches and, in some instances, complete hijackings of their eFiling profiles. These breaches became more prevalent in March and April 2024, with at least 10 eFiling breaches reported per week. By any standard, this would be alarming for any institution dealing with sensitive taxpayer information.

That said, Sars is by no means the only institution that has been struggling with such breaches. In March 2024 the Companies and Intellectual Property Commission (CIPC) suffered the same fate when its systems were hacked and several companies were hijacked through changes in directorships.

It is believed that this breach aided some of the eFiling profile hijackings which took place in March 2024. But how exactly did these two breaches go together? Several distinct modus operandi could be identified when analysing the eFiling profile hijacking cases reported to the South African Institute of Taxation (SAIT), each more elaborate and sophisticated than the one before.

The registered representative is an integral part of obtaining access to an eFiling profile. The registered representative is the custodian of the eFiling profile and bears the right to authorise the transfer of an eFiling profile from one user to another. In most cases, the appointed registered representative would be one of the directors registered with the CIPC.

The change in directorship at the CIPC therefore allowed fraudsters to change the registered representative details at Sars with the newly “updated” director details at the CIPC. From there, fraudulently transferring the eFiling profile would be a walk in the park.

In some cases, although the registered representative remained unchanged, a fraudulent SIM swop would be performed to take over the cellphone number required to receive a One-Time-Pin (OTP). Once the SIM swop was done, the eFiling profile username could be obtained and the password changed with OTP authorisation.

In a less sophisticated approach, fraudsters would create new eFiling profiles for individuals and set up “shared access” to gain access to the individuals’ existing eFiling profiles. This would allow them to submit fraudulent income tax returns with fictitious refunds without the appointed tax practitioner suspecting any wrongdoing. Banking details would also be changed on the system to receive these fictitious refunds.

Despite Sars creating a dedicated channel to report such incidents of digital fraud, this has done very little to deter the fraudsters from their mission. The trust of the tax practitioner community and members of the public seems to dwindle daily, with Sars seen as doing little to actively investigate and resolve the digital fraud cases reported.

Even though Sars has categorically denied that any Sars employees are involved in the submission of tax returns and change of banking details to obtain the refunds, many still wonder whether some of these breaches could be the result of an inside job. Unfortunately, the defensive and denialist approach has done very little to boost the public’s confidence in Sars.

Secondary to the eFiling profile hijacking is the aftermath and the work which needs to be done to get the profile back to the rightful owners, correcting the fraudulent returns and recovering the fictitious refunds.

Tax practitioners often find themselves in an endless battle, fighting tooth and nail to get any feedback from Sars on the ongoing fraud cases. It is noteworthy to mention that nine out of 10 times, the debt-collection steps continue against the taxpayer without any consideration of the background and ongoing fraud investigation. Reports have been received of cases dating back to 2021 which still have not been resolved, while penalties and interest continue to accrue against the taxpayer.

As a natural response to the eFiling profile hijackings, Sars recently announced several measures to be put in place to curb the risk of future breaches and the payment of fraudulent refunds.

Sars successfully coded its systems to automatically place stoppers on the accounts the moment a digital fraud case is reported. This means that, regardless of any banking detail change, no refunds will be released from those accounts unless the cyber-crimes task team has authorised the lifting of the stopper.

Sars also implemented a multifactor authentication option on eFiling. Existing eFiling users can enable the multifactor authentication which would require both a password and either an OTP or authorisation via the Sars Mobile App. All new eFiling registrations will automatically have multifactor authentication set.

Sars restricted the tax practitioner’s ability to update security details on behalf of their clients, even if they are in possession of a valid power of attorney. The argument being that only the rightful owners of eFiling profiles will be allowed to change these details and retain absolute control over the eFiling profiles.

Sars also started restricting taxpayers from registering an eFiling profile if their contact details (email addresses and cellphone numbers) were already linked as security details to another eFiling profile. Linking one person’s contact details to several profiles, a common practice among tax practitioners, was recently classified by Sars as fraud, as a single natural person could not possibly be the custodian of more than one eFiling profile. Tax practitioners unfortunately got the short end of the stick in this regard, as many of them were locked out of their profiles on May 31, 2024 because of this implementation.
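To make the three controls above concrete, here is a small in-memory model of how they interact, written as an added illustration for this article; it is not Sars’s code, and the `Registry`, `Profile` and `walk_through` names, the sample usernames, contact details and account numbers are all constructed for the example. It shows a fraud stopper that holds a refund even after the banking details are changed, a security-detail change that is refused when only one factor is presented, and a registration that is rejected because the email address already secures another profile.

```python
"""Toy model of the eFiling countermeasures described in the article (added
illustration, not Sars's code): fraud-case stoppers, MFA on security-detail
changes, and the rule that one set of contact details secures only one profile."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RegistrationRejected(Exception):
    """Contact details already linked as security details to another profile."""


class AuthenticationRequired(Exception):
    """Password and second factor (OTP or app approval) were not both presented."""


class RefundBlocked(Exception):
    """A fraud stopper is on the account and has not been lifted."""


@dataclass
class Profile:
    username: str
    email: str
    cellphone: str
    bank_account: str
    mfa_enabled: bool = True          # new registrations get MFA by default
    fraud_stopper: bool = False
    stopper_lifted_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)


class Registry:
    """Hypothetical in-memory stand-in for the eFiling profile store."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}

    def register(self, username: str, email: str, cellphone: str, bank_account: str) -> Profile:
        # One natural person cannot be custodian of two profiles, so a registration
        # whose email or cellphone already secures another profile is rejected.
        for existing in self.profiles.values():
            if email == existing.email or cellphone == existing.cellphone:
                raise RegistrationRejected(f"{email}/{cellphone} already linked to {existing.username}")
        profile = Profile(username, email, cellphone, bank_account)
        self.profiles[username] = profile
        return profile

    def change_bank_account(self, username: str, new_account: str, *,
                            password_ok: bool, second_factor_ok: bool) -> None:
        profile = self.profiles[username]
        # With MFA on, a password alone or an OTP alone (the SIM-swop case) is not
        # enough; both factors must be presented before security details change.
        if profile.mfa_enabled and not (password_ok and second_factor_ok):
            raise AuthenticationRequired("password and second factor both required")
        profile.audit.append(f"bank account {profile.bank_account} -> {new_account}")
        profile.bank_account = new_account

    def report_fraud(self, username: str) -> None:
        profile = self.profiles[username]
        profile.fraud_stopper = True
        profile.stopper_lifted_by = None
        profile.audit.append("fraud case reported: stopper placed")

    def lift_stopper(self, username: str, authorised_by: str) -> None:
        # Only an explicit authorisation removes the stopper; changing banking
        # details never does.
        profile = self.profiles[username]
        profile.fraud_stopper = False
        profile.stopper_lifted_by = authorised_by
        profile.audit.append(f"stopper lifted by {authorised_by}")

    def release_refund(self, username: str, amount: int) -> str:
        profile = self.profiles[username]
        if profile.fraud_stopper:
            raise RefundBlocked(f"refund of {amount} held: stopper on {username}")
        return f"paid {amount} to {profile.bank_account}"


def walk_through() -> dict:
    """Constructed scenario: a profile under a stopper survives a hijack attempt."""
    reg = Registry()
    reg.register("taxpayer1", "t1@example.test", "+27-000-0001", "ACC-GENUINE")
    try:                                     # same email, second profile: refused
        reg.register("taxpayer1b", "t1@example.test", "+27-000-0002", "ACC-OTHER")
        duplicate_rejected = False
    except RegistrationRejected:
        duplicate_rejected = True
    reg.report_fraud("taxpayer1")            # practitioner reports the hijack
    try:                                     # OTP without the password: refused
        reg.change_bank_account("taxpayer1", "ACC-MULE", password_ok=False, second_factor_ok=True)
        otp_only_rejected = False
    except AuthenticationRequired:
        otp_only_rejected = True
    # Even if both factors were compromised, the stopper still holds the refund.
    reg.change_bank_account("taxpayer1", "ACC-MULE", password_ok=True, second_factor_ok=True)
    try:
        reg.release_refund("taxpayer1", 5000)
        refund_held = False
    except RefundBlocked:
        refund_held = True
    # Investigation restores the rightful details, then authorises the lift.
    reg.change_bank_account("taxpayer1", "ACC-GENUINE", password_ok=True, second_factor_ok=True)
    reg.lift_stopper("taxpayer1", "cyber-crimes task team")
    return {"duplicate_rejected": duplicate_rejected, "otp_only_rejected": otp_only_rejected,
            "refund_held": refund_held, "after_lift": reg.release_refund("taxpayer1", 5000),
            "audit": reg.profiles["taxpayer1"].audit}
```

The audit trail kept on each profile is the part a defender would actually watch: a banking-detail change landing shortly after a fraud report, or while a stopper is in place, is exactly the sequence the article describes and is worth alerting on rather than only blocking.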

While Sars tries to play catch-up on the fraudsters, much can be said about the apparent lack of collaboration with other financial institutions to get the matter under control. It is no secret that the majority of the fraudulent refunds were paid into bank accounts active with only two institutions. One would assume that Sars would directly engage those institutions to track down and prosecute those individuals. This is yet to be seen.

Digital fraud is a constant cat-and-mouse game between institutions and fraudsters, with fraudsters already looking for the next way to beat the system. It remains to be seen whether Sars will move from a defensive to an offensive mode any time soon.

* This article was originally published in the TaxTalk magazine by the South African Institute of Taxation.

**Dyasi is the tax technical specialist: operations and tax administration at the South African Institute of Taxation.
