Tax refund changes on the cards for South Africa

1 Oct 2025

The Office of the Tax Ombudsman (OTO) has published draft recommendations to SARS to change its tax refund verification processes to combat eFiling profile hijackings in South Africa.

This includes holding tax refunds longer for further verification when profile details were recently altered, and implementing more stringent pre-refund verifications when they cross a certain value.

The recommendations come as part of the OTO’s draft report on eFiling profile hijacking, which was published on Wednesday, 1 October.

The OTO launched an investigation into profile hijackings after receiving multiple reports of these incidents happening.

These are cases where cyber-fraudsters gain unauthorised access to taxpayer eFiling profiles, change various details, and often redirect things like tax refunds to their own bank accounts.

According to the ombud, the highest prevalence of profile hijacking was seen among tax practitioners, followed by individual taxpayers.

Incidents of eFiling profile hijacking are common with Personal Income Tax (PIT) followed by Value Added Tax (VAT), it said.

While the estimated value of fraud in most eFiling profile hijacking cases is below R10,000, the office flagged a “considerable number” that are higher value, hitting as high as R100,000.

Among the biggest issues leading to these incidents is that the current authentication systems and security measures create the vulnerabilities that fraudsters exploit.

Fraud detection is often slow, and the response mechanisms are also slow, allowing hijackers to access and misuse eFiling profiles undetected, the ombud said.

This usually involves the changing of banking details on an eFiling profile, directing payments to newly set-up banking accounts, usually at digital banks.

With syndicated tax fraud hitting companies, this begins with unauthorised or fraudulent changes to the information of directors of companies at the CIPC.

Even when fraudulent activity is picked up, the OTO noted that taxpayers and tax practitioners encounter ineffective communications channels and limited support from SARS when trying to resolve hijackings.

When trying to escalate matters, like approaching the South African Police Service for help, stations are also often unable to categorise the crime, leaving taxpayers hanging.

Changes are being made

According to the draft report, SARS has already made some changes to its systems to counter hijackings and to frustrate criminals.

With effect from 22 November 2024, SARS made two-factor authentication (2FA) compulsory for individual taxpayers and tax practitioners.

The OTO recommended that SARS also implement graded 2FA policies based on activity risk level.

With effect from March 2025, SARS introduced a One-Time Pin (OTP) on the eFiling registration detail function for all bank detail changes.

The OTO recommended that SARS continue monitoring the effectiveness of the OTP implementation to ensure that it adequately addresses the underlying risks.

“SARS also advised the OTO that they have implemented alert emails being sent to the taxpayer’s security contact detail addresses for any changes to a taxpayer’s registered details, including updates to security contact details,” the ombud said.

“SARS should continue enhancing its security measures to ensure that its online platforms remain trusted, secure and user-friendly for all taxpayers.”

Crucially, the OTO recommended that SARS make additional changes to its processes to protect tax refunds in particular, as these were a key target.

Here, the ombud said that SARS should improve its refund verification by implementing automated alerts for refunds processed after hours or within days of bank account creation or change in banking details.

SARS should also hold refunds for additional verification when banking details are changed shortly before a refund is claimed.

The ombud said that the taxman should also increase pre-refund verification steps for all VAT refunds above certain thresholds, and that stoppers should be implemented immediately on taxpayer accounts as soon as the taxpayer or tax practitioner reports the incident of profile hijacking.

“SARS should adjust its refund audit triggers to not only flag high-value claims but also unusual refund patterns, new or recently modified details, and frequent refund requests from the same entities,” it said.

The full draft report is open for public comment. Written comments can be sent to [email protected]. The deadline for submissions is 31 October 2025.
