eFiling Profile Hijacking: Tax Ombud Sounds Alarm, Calls for Public Input
This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.
The Office of the Tax Ombud (OTO) has released a Draft Report on a growing and deeply concerning issue: the hijacking of SARS eFiling profiles. The investigation exposes critical weaknesses in taxpayer security and highlights a systemic failure to prevent and respond to this type of fraud.
The draft report, published on 1 October 2025, is now open for public comment until 31 October 2025.
What Is eFiling Profile Hijacking?
eFiling profile hijacking occurs when fraudsters gain unauthorised access to a taxpayer’s or tax practitioner’s SARS eFiling profile, typically through phishing scams, weak authentication processes, or insider manipulation. Once inside, they change banking details and divert tax refunds to fraudulent accounts.
Key Findings
The investigation, launched with approval from the Minister of Finance in August 2024, is based on survey responses, case studies, and extensive stakeholder engagement. Major findings include:
- Tax practitioners and individual taxpayers are the most frequent targets.
- Most fraud involves Personal Income Tax and VAT refunds.
- Although many fraudulent transactions are under R10,000, several exceed R100,000.
- Critical vulnerabilities include:
  - Weak authentication and access controls.
  - Inadequate fraud detection and slow SARS response times.
  - Low digital security awareness among taxpayers.
  - Insider threats and poor inter-agency coordination.
Detailed case studies in the report show how profile hijacking often begins with unauthorised changes to CIPC company records, followed by manipulation of SARS profiles and successful diversion of refunds. In many cases, victims experienced months-long delays before SARS responded or rectified the fraud, often only after intervention by the OTO.
Recommendations: A Multi-Stakeholder Response Required
The OTO has made recommendations not only to SARS but also to taxpayers, tax practitioners, and key institutions including the National Treasury, CIPC, SARB, SAPS, and the banking sector.
Recommendations to SARS include:
- Enforcing compulsory Two-Factor Authentication (2FA) for all users.
- Expanding biometric verification to all existing users and high-risk activities.
- Improving fraud detection systems, refund verification processes, and communication with taxpayers.
- Introducing profile lock options during filing season to prevent unauthorised changes.
- Strengthening internal audits and controls to address possible insider fraud.
Recommendations to National Treasury:
- Amend the Tax Administration Act to:
  - Ensure taxpayers aren’t held liable for fraud committed through hijacked profiles.
  - Prevent SARS from initiating collections while fraud investigations are ongoing.
- Establish an Inspector-General, as recommended by the Nugent Commission, to provide independent oversight of SARS.
Recommendations to Banks and CIPC:
- SARS and banks should flag suspicious bank accounts and collaborate on fraud alerts.
- CIPC and SARS should coordinate to verify company director changes before any refunds are processed.
Recommendations to Tax Practitioners and Taxpayers:
- Practitioners should implement strict access controls and notify clients of any profile changes.
- Taxpayers should:
  - Use strong passwords and enable 2FA.
  - Monitor their eFiling profiles regularly.
  - Avoid using public Wi-Fi for tax transactions.
For accountants and tax practitioners, the OTO’s report highlights a growing risk not just to client finances, but to practice reputations. If your clients’ profiles are vulnerable, so is your business. The proposed reforms offer a path toward greater protection and efficiency, but only if all key role players get involved.
Public Comment Now Open
The OTO is inviting public comment on the draft report until 31 October 2025. Tax practitioners, business owners, and affected taxpayers are encouraged to contribute feedback to help shape solutions to this critical issue.
📄 Read the full report and submit comments to: communications@taxombud.gov.za.