Tax season - the window criminals plan for, and compliance can’t close
By Industry Contributor 6 July 2026 | Categories: feature articles
By Lucas Molefe, Cybersecurity Expert at ESET Southern Africa
The South African tax season is in everybody’s calendar, including cybercriminals. Every year, from July to October, millions of South Africans log into SARS eFiling and submit sensitive personal and financial information. In 2025, more than 10 million unique users used the tax authority’s digital channels, both eFiling and the SARS Mobi App, to access and share their information. For cybercriminals, tax season is hunting season, a predictable, high-value campaign period that’s reflected in SARS’ own warnings about phishing, eFiling profile jacking and growing attempts to defraud taxpayers.
In 2025, SARS, Standard Bank, Capitec and Nedbank issued warnings to customers about the rise in scams throughout this period and SARS Commissioner, Edward Kieswetter, alerted taxpayers to the scams, emphasising that SARS will not ask for personal information over email or via SMS. While there are no official numbers on how many people fell victim to tax-season scams in 2025, the scale of alerts and guidance from professional bodies confirms that there was a significant spike during the filing window, with spoofed emails, fake refund notices and impersonation attacks specifically designed to harvest eFiling credentials and banking details.
The South African Fraud Prevention Service has described how fraudsters leverage the auto-assessment process, specifically, exploiting the same digital convenience that SARS introduced to improve the taxpayer experience to launch sophisticated campaigns. The Office of the Tax Ombud investigation into hijacked eFiling profiles found that weaknesses in SARS’ authentication, profile management and fraud detection processes created exploitable gaps, which allowed fraudsters to change banking details and redirect funds before victims or the authorities realised what had happened.
Case reports on eFiling profile hijacking have shown how attackers are combining data breach information, social engineering and fraudulent SIM swaps to take over a taxpayer’s mobile number, intercept the SARS one-time PINs, reset eFiling credentials and then alter bank account details so refunds are paid into accounts controlled by criminal syndicates. In short, if an attacker can swap your SIM, they own your OTP and this is often the last line of defence for banking and SARS transactions.
For banks and fintechs, tax season has become a stress test. Transaction volumes increase, and customer anxiety follows suit, and the pressure on authentication and fraud detection infrastructure increases exponentially. And this is where AI telemetry is becoming invaluable. It is impossible to have human analysts reviewing every transaction during filing season as the volumes are too high, and AI brings the ability to maintain detection at the speed and scale of digital.
The distinction between rule-based detection and AI-driven telemetry is important here, because legacy systems apply static thresholds – if X happens, flag Y – but with AI-driven telemetry, there is a continuous, personalised baseline built for every user. Their device, location, login patterns and typical transaction behaviours are all analysed and monitored by the AI to create a living baseline. The moment that baseline deviates, the system flags it in real time before the transaction is completed. In addition, AI-powered identity authentication now uses behavioural biometrics such as typing cadence, swipe pressure and even the angle at which a device is held to create a security layer that operates without adding friction to the customer experience. It is the invisible layer of protection that institutions can control, but that doesn’t impede how customers engage with systems and services.
It also takes the conversation outside of just compliance because that just tells you what you have to protect, not what threats are actively targeting the business or how to defend against them. Threat intelligence and AI-driven telemetry fill this gap and move the primary burden of detection to the intelligence layer that can operate at the speed and scale that the eFiling window requires.
Consumers have the reasonable expectation that the platforms they use to file their taxes, manage their banking details and receive their refunds are doing the work of protecting them, without making that protection their problem to manage. AI-driven telemetry gives organisations the tools they need to make this expectation a reality, providing insights and threat detection capabilities that don’t add another layer of verification but instead create a level of precision that compliance frameworks and rule-based detection simply cannot replicate.
Most Read Articles

Have Your Say
What new tech or developments are you most anticipating this year?

