Personal Finance Financial Planning

How AI helps Sars to stop eFiling fraud

Lucas Molefe|Published
South Africa's tax season brings a sharp rise in phishing scams, eFiling account hijacking and fraud targeting SARS taxpayers. Lucas Molefe, Cybersecurity Expert at ESET Southern Africa, explains how AI-driven telemetry and behavioural analytics are helping banks and organisations detect threats in real time and protect taxpayers during the high-risk filing period.

South Africa's tax season brings a sharp rise in phishing scams, eFiling account hijacking and fraud targeting SARS taxpayers. Lucas Molefe, Cybersecurity Expert at ESET Southern Africa, explains how AI-driven telemetry and behavioural analytics are helping banks and organisations detect threats in real time and protect taxpayers during the high-risk filing period.

Image: File

The South African tax season is on everybody’s calendar, including cybercriminals. Every year, from July to October, millions of South Africans log into Sars eFiling and submit sensitive personal and financial information. In 2025, more than 10 million unique users accessed and shared their information via the tax authority’s digital channels, including eFiling and the Sars Mobi App. For cybercriminals, tax season is hunting season, a predictable, high-value campaign period that’s reflected in Sars' own warnings about phishing, eFiling profile jacking and growing attempts to defraud taxpayers.

In 2025, Sars, Standard Bank, Capitec and Nedbank issued warnings to customers about the rise in scams throughout this period, and Sars former commissioner Edward Kieswetter alerted taxpayers to the scams, emphasising that Sars will not ask for personal information over email or via SMS. While there are no official numbers on how many people fell victim to tax-season scams in 2025, the volume of alerts and guidance from professional bodies confirms a significant spike during the filing window, with spoofed emails, fake refund notices, and impersonation attacks specifically designed to harvest eFiling credentials and banking details.

The South African Fraud Prevention Service has described how fraudsters leverage the auto-assessment process, specifically, exploiting the same digital convenience that Sstd introduced to improve the taxpayer experience to launch sophisticated campaigns. The Office of the Tax Ombud investigation into hijacked eFiling profiles found that weaknesses in Sars’ authentication, profile management and fraud detection processes created exploitable gaps, which allowed fraudsters to change banking details and redirect funds before victims or the authorities realised what had happened.

Case reports on eFiling profile hijacking have shown how attackers are combining data breach information, social engineering and fraudulent SIM swaps to take over a taxpayer’s mobile number, intercept the Sars one-time PINs, reset eFiling credentials and then alter bank account details so refunds are paid into accounts controlled by criminal syndicates. In short, if an attacker can swap your SIM, they own your OTP and this is often the last line of defence for banking and Sars transactions.

For banks and fintechs, tax season has become a stress test. Transaction volumes increase, and customer anxiety follows suit, and the pressure on authentication and fraud detection infrastructure increases exponentially. And this is where AI telemetry is becoming invaluable. It is impossible to have human analysts reviewing every transaction during filing season, as the volumes are too high, and AI brings the ability to maintain detection at the speed and scale of digital.

The distinction between rule-based detection and AI-driven telemetry is important here, because legacy systems apply static thresholds – if X happens, flag Y – but with AI-driven telemetry, there is a continuous, personalised baseline built for every user. Their device, location, login patterns and typical transaction behaviours are all analysed and monitored by the AI to create a living baseline.

The moment that baseline deviates, the system flags it in real time before the transaction is completed. In addition, AI-powered identity authentication now uses behavioural biometrics such as typing cadence, swipe pressure and even the angle at which a device is held to create a security layer that operates without adding friction to the customer experience. It is the invisible layer of protection that institutions can control, but that doesn’t impede how customers engage with systems and services.

It also takes the conversation outside of just compliance because that just tells you what you have to protect, not what threats are actively targeting the business or how to defend against them. Threat intelligence and AI-driven telemetry fill this gap and move the primary burden of detection to the intelligence layer that can operate at the speed and scale that the eFiling window requires.

Consumers have the reasonable expectation that the platforms they use to file their taxes, manage their banking details and receive their refunds are doing the work of protecting them, without making that protection their problem to manage. AI-driven telemetry gives organisations the tools they need to make this expectation a reality, providing insights and threat detection capabilities that don’t add another layer of verification but instead create a level of precision that compliance frameworks and rule-based detection simply cannot replicate.

* Molefe is a cybersecurity expert at ESET Southern Africa

PERSONAL FINANCE