Investigation into eFiling hijackings highlights the vulnerabilities


Sars itself, weak cybersecurity measures by individuals – and the role of ‘certain identified banks’ is to be raised with the Prudential Authority.

A lot of fingers are pointing to the South African Revenue Service (Sars) and some of the banks following a recent survey conducted by the Office of the Tax Ombud to get to the bottom of last year’s surge in hijackings of tax practitioner and individual taxpayer eFiling profiles.

The Office of the Tax Ombud (OTO) is finalising a draft report into its systemic investigation into the origins of the hijackings and the effect on taxpayers and practitioners.

There is an urgency to finalise the report and make recommendations. The filing season generally kicks off in July, and that is when hijackers tend to strike.

The refunds due to individuals make them an attractive target.

Tax Ombud Yanga Mputa this week gave feedback on her office’s survey that established who was affected, which tax types, and the response from Sars and the South African Police Service.

The OTO received the go-ahead from the minister of finance in August last year to investigate the hijackings as a systemic problem.

Several bodies representing tax practitioners as well as South African Tax Practitioners United (Satpu) alerted the Tax Ombud to the issues facing practitioners and their clients last year.

Theo Burrows, secretary-general of Satpu, noted then that the first reports of increased profile hackings surfaced in 2021. The matter gained momentum at the beginning of last year and became the predominant topic on tax practitioner forums around April.


Insider involvement

Survey respondents cited internal fraud and insider involvement (at Sars) as one of the reasons behind the hijackings. Another reason is the ineffective response and communication from Sars.

The survey showed that although 71% of the affected taxpayers and practitioners reported the hijackings to Sars, only 18% felt that the interaction with Sars was adequate and effective following the discovery of the hijacking.

Sars reportedly also blamed the lack of cybersecurity and system vulnerabilities of individual taxpayers and some tax practices.

Mputa says individual taxpayers may have weaker cybersecurity measures in place.

“Individuals have weaker passwords, and they make limited use of multi-factor authentication. They also become more vulnerable to phishing.”


The targets

The survey results show that tax practitioners are the biggest targets for scamsters, with 48% indicating that they have been a target of profile hacking.

Individual taxpayers are second in line, with 32% saying they have fallen prey to eFiling scamsters.

Individuals and companies represented by a tax practitioner seem less vulnerable, with around 14% of individuals and 5% of companies being affected.

The biggest focus is on personal income tax.

Transactions involving value-added tax (Vat) and company income tax (CIT) are often cross-verified with other data, which lessens the opportunity for manipulation through hacked profiles.

The hijacking scams generally result in the login details of taxpayers or their tax practitioners being amended.

Swiftly thereafter, the banking details are changed, with the main aim of submitting fraudulent income tax or Vat returns to claim refunds paid into the amended bank accounts.


Hijackers open bank accounts in taxpayers’ names – how?

During the feedback session this week, many of the participants expressed concern about the ease with which the hijackers were able to open bank accounts in the names of the taxpayers whose profiles they had hijacked.

Burrows says although much attention is directed at the vulnerability of taxpayers, tax practitioners and Sars, it is necessary to raise, more forcefully, the fact that the hijackers can open bank accounts in taxpayers’ names.

One of the participants questioned Sars’s practice of calling for regular verification of bank accounts, particularly when a refund is due – this, despite a taxpayer having had the same account for several years and Sars having paid refunds into the account in the past.

“Is this not opening up opportunities for people to tamper with bank accounts?” he asked.

Mputa, noting that tax practitioners will have verified all of their clients’ information before submitting their returns, shared his concern and said the OTO intends to raise this with Sars.

There have been instances where taxpayers changed their bank accounts, alerted Sars to the change, yet the refund was still paid into the old account. “We do not understand this mismatch,” Mputa added.


Speculation and facts

A Sars representative, Altus Lambrecht, cautioned against speculation, saying it is necessary to get the facts and to communicate them to the people involved.

He asked the Tax Ombud to engage with Sars, stating that since the start of the investigation into the hijackings, there has only been one meeting with Sars. It is necessary to put some of the issues into context, he said.

Mputa noted that her office is not “speculating”, and that its information is based on the results of the survey.

The survey was done at the end of February and closed in the first week of March.

The results of the survey were indicative of what the outcome of the draft report will be.

The OTO will also raise concerns about the role of certain identified banks with the South African Reserve Bank’s Prudential Authority.

This article was republished from Moneyweb.
