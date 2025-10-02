The Office of the Tax Ombud (OTO) has released a draft report recommending several interventions to prevent taxpayers from having their South African Revenue Service (SARS) eFiling profiles hijacked.

This comes after the ombud and SARS dismissed media reports that as many as 16,000 eFiling profiles had been hijacked, resulting in taxpayers losing their refunds to cybercriminals.

The Office of the Tax Ombud has published the draft report for public comment, giving stakeholders until 31 October 2025 to submit their comments.

“Between 3 February and 5 March 2025, the OTO conducted the eFiling Profile Hijacking Survey to capture taxpayers’ experiences and challenges relating to eFiling profile hijacking,” it said.

The report highlights various key findings. For example, eFiling profile hijacking is most prevalent among tax practitioners and individual taxpayers.

“The majority of cases involve Personal Income Tax and Value-Added Tax (VAT). Fraudulent transactions typically involve amounts under R10,000, but can reach up to R100,000,” it said.

“Vulnerabilities include inadequate authentication processes, challenges in fraud detection, delayed SARS response times, insider threats, and low digital security awareness among taxpayers.”

The Office of the Tax Ombud’s report also sets out an extensive list of recommendations for the taxman, as well as for several other stakeholders.

It recommends that SARS enhance its authentication protocols, improve fraud detection and refund verification systems, and boost taxpayer education.

The OTO also recommends that the taxman strengthen its collaboration with banks, the Companies and Intellectual Property Commission (CIPC), and the South African Police Service (SAPS).

Regarding its authentication protocols, OTO says SARS should continue to monitor the implementation of notifications to taxpayers and tax practitioners when:

High-risk changes are made to profiles, such as password resets, changes to banking details, updates to the director(s) of a company, and new access grants.

Login attempts are made from unusual devices or unusual locations.

“SARS should consider introducing additional measures such as enabling OTP location/device verification, adding optional authenticator app support, and requiring full re-verification for 2FA reset protocols,” it said.
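The two notification triggers described above (high-risk profile changes, and logins from a device or country not previously seen on the account) are easy to state but have a few traps in practice. The following is an added illustration, not code from SARS or the OTO: a small rules function run over a constructed event stream. The event schema, the change-type names and the account identifier are all assumptions made for this example.

```python
"""Illustrative notification rules for eFiling-style account events.

Added example; not SARS or OTO code. The event shape and the change-type
names below are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

# Change types the report lists as high-risk (password resets, banking details,
# company directors, new access grants). Names are assumptions for this example.
HIGH_RISK_CHANGES = {"password_reset", "bank_details", "director_update", "access_grant"}
# Changes that should force full re-verification of the user rather than only a
# notice. The report names 2FA resets; banking details are added as an extension.
REVERIFY_CHANGES = {"2fa_reset", "bank_details"}


@dataclass
class Baseline:
    """Devices and countries previously seen on an account."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def evaluate(events, baselines=None):
    """Walk a stream of per-account events and return (notices, baselines).

    Each event is a dict with 'account' and 'type'. Login events carry 'device',
    'country' and 'mfa' (whether the login completed 2FA); change events carry
    'change'. A notice is a (account, message) pair the system would send.
    """
    baselines = {} if baselines is None else baselines
    notices = []
    for ev in events:
        acct = ev["account"]
        base = baselines.setdefault(acct, Baseline())
        if ev["type"] == "login":
            reasons = []
            if ev["device"] not in base.devices:
                reasons.append("new device " + ev["device"])
            if ev["country"] not in base.countries:
                reasons.append("new country " + ev["country"])
            # An account with no history yet cannot have an "unusual" login;
            # its first verified login seeds the baseline instead.
            if reasons and (base.devices or base.countries):
                notices.append((acct, "unusual login: " + ", ".join(reasons)))
            # Only 2FA-verified logins may extend the baseline. Otherwise an
            # attacker holding just the password quietly makes their device "known".
            if ev["mfa"]:
                base.devices.add(ev["device"])
                base.countries.add(ev["country"])
        elif ev["type"] == "change":
            if ev["change"] in HIGH_RISK_CHANGES:
                notices.append((acct, "high-risk change: " + ev["change"]))
            if ev["change"] in REVERIFY_CHANGES:
                notices.append((acct, "re-verification required: " + ev["change"]))
    return notices, baselines


# Constructed sample stream for one practitioner account (not real data).
SAMPLE_EVENTS = [
    {"account": "TP001", "type": "login", "device": "dev-A", "country": "ZA", "mfa": True},
    {"account": "TP001", "type": "login", "device": "dev-A", "country": "ZA", "mfa": True},
    {"account": "TP001", "type": "login", "device": "dev-B", "country": "NG", "mfa": False},
    {"account": "TP001", "type": "change", "change": "bank_details"},
    {"account": "TP001", "type": "change", "change": "address_update"},
]


def run_sample():
    """Evaluate the constructed stream; returns the notices that would be sent."""
    notices, _ = evaluate(SAMPLE_EVENTS)
    return notices


if __name__ == "__main__":
    for acct, msg in run_sample():
        print(acct, msg)
```

Two practical points the rules above encode: the device/location baseline is only extended by logins that passed 2FA, since a password-only login is exactly the case the alert exists for; and a change to banking details both notifies and forces re-verification rather than relying on the notice alone. A third point sits outside the code: a notice about a change to contact details must go to the previously registered email address or number, not the one just submitted, or the hijacker is the only person who receives it.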

The OTO’s other key recommendations to SARS include:

Enhancing biometric security across all profiles

Strengthening fraud detection while enhancing service efficiency

Enhancing security and preventing fraud

Improving refund verification protocols

Improving SARS’ end-to-end digital fraud process

Strengthening internal controls and processes

Better communicating with and educating taxpayers

The Office of the Tax Ombud also made various recommendations for taxpayers, tax practitioners, the National Treasury, and the South African Reserve Bank.

Cyber defense recommendations


The OTO recommends that tax practitioners work closely with SARS to strengthen third-party access controls.

This includes strengthening two-factor authentication for all tax practitioner logins and issuing a unique user ID and password to each individual in a practice, rather than sharing one set of credentials.

It also recommended that tax practitioners work with SARS to implement real-time email or SMS notifications to taxpayers when practitioners request access to their profiles.

“SARS should provide taxpayers with login history visibility, where they can view all active tax practitioners linked to their profile and monitor recent activity on their accounts,” the OTO added.

“SARS should require additional verification if tax practitioners make high-risk changes to taxpayer profiles.”

The Office of the Tax Ombud advised that taxpayers use strong, unique passwords and two-factor authentication to secure their accounts.

“Taxpayers should create complex passwords using a mix of letters, numbers, and symbols,” it said.

It also recommends that taxpayers beware of phishing scams, keep their login credentials private, and use strong passwords and two-factor authentication to secure their linked email accounts.

Other recommendations for taxpayers included avoiding the use of public Wi-Fi for tax transactions, keeping device software up to date, monitoring profile activity, and using trusted devices.

The OTO has proposed that the National Treasury amend the Tax Administration Act to support taxpayers whose tax refunds have been fraudulently redirected to cybercriminals.

It also requested that the National Treasury establish an Inspector General to conduct investigations into fraud, implement continuous risk assessments, and monitor the effectiveness of SARS’ anti-fraud measures.

Lastly, it recommended that incidents identified with specific banks should be reported to the Prudential Authority of the South African Reserve Bank for its consideration.