A draft report by the Office of the Tax Ombudsman has found that the mechanisms put in place by the South African Revenue Service to assist taxpayers who fall victim to eFiling profile hijacking are inadequate and ineffective.
According to the report, which was released on Wednesday, tax practitioners are more susceptible to eFiling profile hijackings compared to individual taxpayers.
“Challenges on the authentication systems and security measures have created vulnerabilities that fraudsters exploit. Furthermore, challenges with fraud detection and slow response mechanisms allow hijackers to access and misuse eFiling profiles undetected,” said the report.
“Taxpayers and tax practitioners encounter ineffective communications channels and limited support from Sars when trying to resolve eFiling profile hijacking cases.”
TechCentral on Monday reported the ombudsman in August 2024 made a request to finance minister Enoch Godongwana for permission to investigate systemic failures at Sars in helping taxpayers whose profiles had been compromised. The review followed complaints received in June 2024 from taxpayers and industry bodies.
But Sars was not the only government entity caught lacking. The report found that South African Police Service personnel were often unable to categorise and escalate cases of eFiling profile hijackings adequately when victims reported such incidents at police stations.
The Companies and Intellectual Properties Commission (CIPC) was also fingered in the report, with unauthorised or fraudulent changes to director and company information at the CIPC found to be the first step in most syndicated tax fraud operations.
In the firing line
Banks, especially digital banks, were also in the firing line for allowing fraudsters to open fake bank accounts for collecting funds stolen from hijacked profiles. Digital banks were identified as a particular favourite for criminal syndicates.
The tax ombudsman’s findings were accompanied by several recommendations to help curb rising rates of eFiling profile hijackings. For Sars, improvements to the two-factor authentication (2FA) protocol made compulsory in August 2024 were first and foremost. The ombudsman suggested a tiered 2FA system based on the risk profile of the action being performed. This means users would have to authenticate themselves even after logging in, especially for actions like changing bank account details.
Read: Sars turning to AI to collect more tax
“According to the information from Sars, with effect from March 2025, Sars introduced one-time Pin (OTP) on eFiling registration detail function for all bank detail changes. Sars should continue monitoring the effectiveness of the OTP implementation to ensure that it adequately addresses the underlying risks,” said the ombudsman.
The ombudsman suggested Sars make its OTP system more robust by identifying when OTPs were requested from new devices or locations and adding more secure OTP options by supporting authenticator applications such as those by Microsoft and Google. A more widespread use of biometric authentication tools, only partly implemented by Sars, was also recommended.
“Sars should allow taxpayers to view a detailed login history (IP address, device, location) from within their profile. During the risk period of Sars tax filing season, Sars should consider introducing a profile lock option that allows taxpayers to voluntarily freeze changes to their banking details by those taxpayers who do not expect to make changes in this regard. This measure would help prevent unauthorised updates and reduce the risk of eFiling profile hijacking during times of increased fraudulent activity,” said the ombudsman.
In a statement on Thursday in response to the findings, Sars said that while it acknowledged the ombudsman’s recommendations, much of what has been stipulated forms part of ongoing work to ensure that Sars systems are secure.
“While Sars notes the Office of the Tax Ombusdman’s recommendations, the organisation would like to assure taxpayers that most of these have been integral to the modernisation programme over a number of years. Sars remains committed to strengthening the critical areas that have been highlighted,” Sars said.
“As an organisation that is operating in a rapidly changing technologically environment, Sars continuously reviews strategic risks, so that it can react to these changes and stay ahead of the curve.”
The ombudsman has also recommended to national treasury that the Tax Administration Act be amended by inserting a provision that would make Sars responsible for paying a legitimate refund to a taxpayer whose profile has been hijacked where their refund was stolen by criminals. Under this provision, Sars would only be lawfully allowed to recover the refund paid to the taxpayer after an investigation proved their involvement in the fraud.
Closer collaboration between Sars, the police, the CIPC and the banks for intelligence exchange that would help stem the tide of eFiling profile hijackings was also among the ombudsman’s recommendations.
‘Serious threat’
The ombudsman has invited the public to comment on its findings and the recommendations given in the report via its website before 31 October.
“The findings of this investigation reveal that eFiling profile hijacking poses a serious threat, not only to taxpayer trust in the Sars eFiling system but also to the long-term credibility, security and efficiency of the whole tax system.
Read: Sars pushes back on eFiling profile hijackings report
“Strengthening these controls will not only mitigate the incidence of eFiling profile hijacking but also help restore public trust in the Sars eFiling system. Ultimately, such measures are essential to safeguarding taxpayer rights and upholding the integrity of South African tax administration system,” said the ombudsman. – © 2025 NewsCentral Media
Get breaking news from TechCentral on WhatsApp. Sign up here.
