A taxpayer has been between a rock and a hard place since his tax practitioner’s profile was hacked and his account was removed from his practitioner’s profile without his knowledge or consent, or that of the practitioner.
Not only was his bank account cleared out when an erroneous value-added tax (VAT) “refund” was paid back to the South African Revenue Service (SARS) by his bank, but he has been waiting for a valid refund for the better part of eight months.
His account has since been restored, but his successful complaint to the Office of the Tax Ombud (OTO) about the delayed payment of his legitimate refund has not resulted in the refund being paid to him.
It all started in the 2022 tax year with the cyberattack on his tax practitioner’s profile and the removal of his account. According to the taxpayer, his refund had already been paid into his account at the time of the attack.
The taxpayer, who prefers not to be identified, says although his account was restored on his practitioner’s profile, his problems were not over. “Imagine my surprise after alerting SARS to the hack and moving the profile back to my practitioner when my current account was cleared and zeroed.”
His bank paid back funds to SARS on the strength of a letter from SARS referencing a VAT error. He is not registered for VAT. This problem was resolved, but after filing his 2023 tax return, he was owed a refund that has to date not been paid.
Tax Ombud investigates
The hoops through which his tax practitioner jumped to obtain answers from SARS included adhering to several requests to verify banking details, visits to a SARS branch, and numerous calls to the call centre. When all possible avenues were exhausted, they approached the OTO, which accepted the complaint and investigated the matter.
In December last year, the OTO recommended that SARS finalise the banking details verification based on the supporting documents that were submitted. It recommended that SARS pay the outstanding refund to the taxpayer or provide valid reasons for not doing so.
This, however, has not been done.
The OTO says it is aware of complaints from taxpayers and tax practitioners about the hijacking of their profiles. Gert van Heerden, specialist legal services and systemic investigations at the OTO, says the Office is committed to dealing with these complaints.
“We will be meeting with relevant stakeholders, including SARS, the relevant recognised controlling bodies, and taxpayers, to discuss the current situation, the actions being taken, and potential strategies to prevent future profile hijackings.”
The taxpayer brought his predicament to Moonstone’s attention following our report on the increase in cyberattacks on tax practitioners’ profiles. The criminals’ aim is to gain access to the practitioners’ eFiling profiles and divert the refunds due to their clients to other bank accounts. They also submit fake returns to generate refunds.
A tax practice in North West noted that about 20 taxpayers were affected when hackers gained access to their profile. In their case, the bank accounts of taxpayers who were due large refunds were changed.
The South African Institute of Chartered Accountants (SAICA) has confirmed “multiple cases” of fraudulent access to eFiling profiles recently. The prevalence of unauthorised access has increased significantly in the past 12 months.
A report published by BusinessTech quoted Aamir Lakhani, a senior security strategist at Fortinet, as saying that tax-return time was “open season” for cybercriminals.
The prime targets for tax refund scams are small business owners, new taxpayers under the age of 25, and taxpayers over 60, she said.
“Cybercriminals assume these people may be less informed about tax policies and what to expect, so they may be more vulnerable to emotional manipulation. For example, the scammer may claim that the potential victim has missed an important tax deadline and pressure the victim to act quickly.”
Lakhani said criminals home in on any uncertainty surrounding tax season, and take a “spray and pray” approach to scams, hoping to catch someone in their net.
Steps to take
Somaya Khaki, project director for tax at SAICA, advised tax practitioners to inform the affected client immediately, and report the case through the SARS Online Query System (Report Digital Fraud option) and to the South African Police Service. It is a criminal matter.
Where the unauthorised access has resulted in banking details being changed on the SARS system – either to divert a legitimate tax refund or create a fraudulent refund – the taxpayer or tax practitioner should also inform their bank and the bank that was fraudulently added to their SARS profile.
Siphithi Sibeko, head of communications and media at SARS, earlier said the revenue authority is aware of the hijacking of profiles. SARS has met with the tax practitioner fraternity to address some of the challenges they are experiencing in terms of the eFiling system.
“Ultimately, we are the custodian of taxpayer information, and we do not abdicate our responsibility … Although no system is fool-proof, we try to get on top of the matter as soon as it happens. It would be reckless and a dereliction of duty on our side if we do not act swiftly,” he said in an interview.
Amanda Visser is a freelance journalist who specialises in tax and has written about trade law, competition law, and regulatory issues.
The only problem in the article is the reporting to the police – do they have the relevant expertise to deal with this, in other words, is there such a specific department in the police?