
Tax Ombud releases draft report on eFiling Profile Hijacking for public comment

Dieketseng Maleke

The Office of the Tax Ombud has released a draft report on eFiling profile hijacking, investigating how criminals gain unauthorized access to taxpayers' SARS accounts. The report details various fraud methods, from phishing scams to identity theft, and proposes enhanced security measures, including two-factor authentication and biometric verification. Stakeholders are invited to submit comments before October 31, 2025.


The Office of the Tax Ombud (OTO) has this week published the Draft Report into alleged eFiling Profile Hijacking for public comment.

The report aims to unpack the scope and impact of this growing threat, assess how vulnerable taxpayers are to it, evaluate the response mechanisms of the South African Revenue Service (Sars), and offer recommendations for improvement.

At the heart of the issue is the Sars eFiling profile, a digital identity created by taxpayers or tax practitioners on the Sars eFiling portal. When this profile is hijacked, it means that unauthorised individuals have unlawfully accessed, taken over, or manipulated it, often with serious financial consequences.

According to the OTO, eFiling profile hijacking can occur through various methods of identity theft. "Criminals may physically steal wallets, documents, or mail containing sensitive data. Others resort to dumpster diving, sifting through discarded paperwork to extract personal information. But the most prevalent and dangerous methods are rooted in cybercrime," the report says.

Fraudsters use phishing emails, spoofed websites, and malicious software to trick individuals into revealing confidential data. Social engineering tactics are also common, where scammers manipulate victims through fake customer service calls, deceptive SMS messages, or social media interactions to gain access to personal details, the report revealed.

The report outlines several types of eFiling profile hijacking. Phishing scams are among the most widespread, with fraudsters impersonating legitimate organisations, often government agencies or banks, to lure victims into clicking on fraudulent links and entering sensitive information.

Sars has reiterated that it will never request eFiling details, passwords, or banking information via email or phone. Another common tactic is the tax refund scam, where criminals use stolen identities to file fraudulent tax returns and redirect legitimate refunds into their own accounts by altering banking details on hijacked profiles.

Identity theft for financial gain is also rampant, with fraudsters using victims’ personal data to access financial accounts, apply for loans, or conduct transactions under their names, leaving victims saddled with debts they never incurred. In some cases, scammers pose as Sars officials, claiming the victim is due a refund or under investigation, and pressure businesses into handing over confidential financial information.

"The investigation into these allegations was conducted using a triangulated research methodology," the report says. This included surveys of affected taxpayers and tax practitioners, analysis of case studies drawn from fraud-related complaints received by the OTO, and stakeholder engagements with a wide range of institutions. These included Sars, the Companies and Intellectual Property Commission (CIPC), Banking Association South Africa (BASA), Southern African Fraud Prevention Service (SAFPS), Recognised Controlling Bodies (RCBs), and the South African Tax Practitioners United (SATPU).

The report highlights several key findings. eFiling profile hijacking is most prevalent among tax practitioners, followed by individual taxpayers. Personal Income Tax (PIT) cases are the most affected, with Value Added Tax (VAT) cases following closely.

It says that while most fraud cases involve amounts below R10 000, a significant number fall within the R10 000 to R100 000 range. Weaknesses in authentication systems and security measures have created vulnerabilities that fraudsters exploit.

Moreover, challenges in fraud detection and slow response mechanisms allow hijackers to operate undetected. Taxpayers and practitioners often face ineffective communication channels and limited support from Sars when trying to resolve hijacking cases. Syndicated tax fraud frequently begins with unauthorised changes to company director information at the CIPC.

Victims report that SAPS stations are often unable to categorise or escalate such cases appropriately. Fraudsters continue to open fake bank accounts, especially with digital banks, and redirect fraudulent tax refunds into these accounts. The report also raises concerns about alleged insider involvement and a general lack of digital security awareness among taxpayers.

In response, the OTO has made several recommendations to Sars. These include strengthening authentication and access controls, such as compulsory Two Factor Authentication (2FA) for all users. Sars implemented 2FA for individual taxpayers and practitioners from November 22, 2024, and introduced One-Time Pin (OTP) verification for bank detail changes from March 2025.

According to the report, Sars has also begun sending alert emails to taxpayers when changes are made to their registered details. The report recommends that Sars continue enhancing these measures to ensure its platforms remain secure and user-friendly. It also suggests addressing known 2FA challenges by notifying users of high-risk changes and of login attempts from unusual devices or locations, and by enabling OTP location/device verification. Additional measures could include support for authenticator apps and stricter identity re-verification protocols when suspicious activity is detected.

Biometric security is another area flagged for improvement. While biometric authentication was introduced in August 2024, it currently applies only to new eFiling registrations. The OTO urges Sars to retrofit biometric re-verification for all existing profiles, both individual and business. The report also recommends that incidents involving specific banks be reported to the Prudential Authority of the South African Reserve Bank for further consideration.

Collaboration between Sars and banks is essential, the report states. It advises that Sars work with banks to flag new accounts receiving refunds, especially those tied to recently changed CIPC entities or accounts with no transaction history. It also suggests flagging accounts previously used in VAT fraud schemes and delaying refunds to those accounts pending investigation. Strengthening real-time pre-refund validation with all banks is seen as a critical step in curbing fraudulent activity.

The OTO says it invites written comments on the eFiling profile hijacking draft report. By inviting public participation, the OTO says it aims to develop a robust and effective response to eFiling profile hijacking, thereby ensuring protection of taxpayers’ rights and enhancing trust in South Africa’s tax administration system.

For more information and to submit comments, stakeholders are encouraged to visit the OTO website at www.taxombud.gov.za before the deadline on October 31, 2025.
