DIRECT THEFT OF TAXPAYERS’ INCOME TAX REFUNDS ON THE INCREASE – BE VIGILANT!

DIRECT THEFT OF TAXPAYERS’ INCOME TAX REFUNDS ON THE INCREASE – BE VIGILANT!

What is the problem?

We have recently seen a disturbing uptick of the theft of taxpayers’ income tax refunds, where moneys are directly taken from a taxpayer’s income tax account at the South African Revenue Service (SARS).

It is normally taxpayers who are natural persons who are affected (although risks for companies, trusts, etc. should not be ruled out).  The losses may be substantial, depending on the quantum of the refunds involved.

Modus operandi of the thieves

Firstly, the thieves obtain access to the taxpayer’s eFiling profile.  They then add the details of a fraudulent bank account (to which they have access) onto the profile.  These fraudulent bank accounts are normally opened at one of the smaller South African banks.  Next, the fraudsters manipulate the system to trigger the payment of legitimate and illegitimate income tax refunds into the fraudulent account.

More specifically, once access to the taxpayer’s profile has been obtained, the amended bank details are usually “sneaked in” by the fraudsters, by requesting an income tax return for an older period.  The bank details are then amended on the old period income tax return and the return is then submitted.

This, in turn, updates the permanent records of the taxpayer at SARS (the RAV records) to designate the fraudulent bank account as the new “valid” account of the taxpayer, for purposes of receiving income tax refunds.

During this process the thieves also submit one or more older income tax returns over and above the return which amends the taxpayer’s banking details.  In some instances, they can also resubmit previous returns.  On these returns additional fictional deductions are claimed to increase the income tax credit owing to the taxpayer.

Where bank account changes are made, the SARS system usually flags the changes for a verification.  This requires that substantiating documents must be uploaded on eFiling to confirm that the new bank account indeed do relate to the taxpayer.  However, it seems that the fraudsters have found a way to circumvent this control.

In one recent case changes were made to the bank details of the taxpayer on 05/03/2024 by the fraudsters, triggering a bank verification.  A standard bank verification letter was issued by SARS and a “Bank Details Change” supporting documentation link was opened on eFiling.

However, only two days later, the verification case was abruptly closed on eFiling (including closure of the supporting documentation link on eFiling), without the taxpayer uploading anything, resulting in the fraudulent bank account being designated as valid on the SARS system.

Not long after this, the credits on the taxpayer’s income tax account were deposited into the fraudulent bank account, including a large credit that was legitimately owed to the taxpayer by SARS.

As only SARS officials are able to close verification cases on the SARS system, it seems that the fraudsters have somehow succeeded in obtaining direct access to system functions and rights which are normally only available to SARS employees.

Danger signs to look out for

If amendments are made to a taxpayer’s vital information at SARS (such as the address, contact details, bank account details etc), he or she will normally receive a SMS or email alert.

This communication is normally in the form of a “SARS – Detail Change Notification” in the following format:

On the one hand such communications may simply indicate that the taxpayer or his or her tax practitioner has made authorised and valid changes to the taxpayer’s information at SARS.

However, it could also be a result of unauthorised activity on the taxpayer’s account.  This is especially true, if such notices are received after-hours (specifically in the midnight hours or over weekends).

If you are aware of a legitimate pending income tax credit that must be paid out to you, SARS communications should also be treated with extra urgency, as there is a greater risk that thieves may be busy with steps to reappropriate your credit.

Where there are no pending income tax credits on your income tax account, the thieves can still create credits by way of submitting bogus returns, where the refunds are then paid into the fraudulent bank account, once the bank detail change has taken effect.

In such a case you will normally receive notifications relating to assessments issued on eFiling, notification of correspondence issued (such as verification letters), and account statement that has been generated by unauthorised parties.  In other words, you should see an unusual increase in messages from SARS.

What to do if you suspect unauthorized activity on your eFiling account?

  1. Contact your tax practitioner immediately if you receive suspect SARS communications, as outlined above.  Normally there is enough time to counter fraudsters when unauthorised activity is detected on an account for the first time.
  2. If you do your own income tax submissions, log onto your eFiling account and check for the following, if you suspect foul play:
    1. See whether your banking details have been changed or are in the process of being amended.  Do this by navigating to the “My Bank Accounts” page under the “SARS Registered Details / Maintain SARS Registered Details” workpage.  If the system shows that a fraudulent account has been added, delete the account on eFiling.
    2. If a bank change request has been submitted and flagged for verification, a verification letter should appear under SARS correspondence and an upload link should be present under the Personal Income Tax (ITR12) workpage relating to a specific year.  This may indicate unauthorised activity.
    3. Check whether any income tax returns have been submitted without your knowledge, to create fraudulent credits on the account.  The easiest way to do this, is to request an ITSA statement of account on eFiling.  Then check for any anomalies such as unexplained credits, duplicate assessments, etc.
    4. Should an examination of the ITSA reveal anomalies, the income tax workpage for a specific year can be accessed.  From here duplicate returns can be accessed as well as the resulting assessments (ITA34).
  3. If you suspect unauthorised access on your eFiling profile, also immediately change your password, if you do your own taxes.
  4. Preventative:  Always ensure that your eFiling password is appropriately complicated and kept safe to decrease the risk of unauthorised persons gaining access to your account.  Two-factor authentication should be implemented, to add an additional layer of protection.
  5. Preventative:  Shared access arrangements, where both the tax practitioner and the taxpayer, independently have access to the taxpayer’s eFiling profile, should be kept to a minimum as this may increase the risk of unauthorised access.

I have been a victim of eFiling hacking – what now?

Three different scenarios can apply, namely:

  1. A legitimate income tax refund that was owed to me, has been redirected to the fraudster’s bank account.
    In this scenario the theft should be reported to SARS as soon as possible.  It is unclear whether SARS will refund a taxpayer for stolen income tax credits, where there is no-fault on the taxpayer’s side.

    If the taxpayer has insurance, they can possibly attempt to register a claim at the insurer.  Whether the insurer will honour the claim will depend on the specific conditions of the insurance contract.

  2. Fictitious credits have been created on the taxpayer’s income tax account via fraudulent tax returns and the credits have been released into the fraudulent bank account

    The following steps should be taken in this scenario:

    • The fraudulent tax returns should be reversed by submitting a correct return.  If fake credits have already been paid out to the thieves, this will result in a debit (amount owing to SARS) on the taxpayer’s account.
    • The fraud case should be reported to SARS as soon as possible via the following link: https://tools.sars.gov.za/sarsonlinequery/ReportDigitalFraud.  All supporting documents to substantiate the theft can be submitted via this link.
    • To request a pause on SARS collecting the outstanding debt, a “suspension of payment” application should be submitted on eFiling, pending the outcome of the taxpayer’s fraud case that will be created from the link.
    • The debt will subsequently be written off if SARS determines, after reviewing all evidence, that the debt was created as a direct result of fraud.
  3. Combination of above two scenarios.
    • Follow a combination of the advice provided above.
    • Should you require assistance, contact a registered tax practitioner for professional advice.

Conclusion

By adapting to the times, remaining vigilant and timeously following up on SARS communication, taxpayers can substantially decrease the risk of falling prey to fraudsters who targets their income tax credits.

If you suspect any foul play do not procrastinate and take immediate action by checking your eFiling profile for any signs of unauthorised access. Alternatively, contact your tax practitioner as soon as possible.

Hopefully SARS will in the very near future put additional controls in place to stop this type of fraud, once and for all.

If you have any enquiries, please contact Petri Westraadt at pwestraadt@fhbc.co.za

Disclaimer

This article is for informational purposes only and should not be considered as legal advice.  Although all efforts have been made to provide accurate information, the FHBC group of companies, nor any of its employees, take no responsibility for any mistakes or omissions that may have slipped in.  When in doubt, please contact a registered tax practitioner.