Am I at risk of being scammed on the Sars MobiApp?
Beware a spear phishing attack, the scammers may already have your personal details
Q: I’ve received notice of a Sars tax refund via SMS and e-mail. I could tell from the website address (I did not click on it) that it was a hoax e-mail. I use the Sars MobiApp. Am I at risk of being scammed? – Anonymous via e-mail.
A: Brian Pinnock, cyber security expert at Mimecast, answers:
You are usually at risk of being scammed if you click on a link or open an attachment in an SMS or e-mail. (There are unfortunately a few types of attacks that simply require you to open an e-mail, but these usually only work on older versions of e-mail software such as outdated versions of Microsoft Outlook.)
There are essentially two types of phishing attacks:
- Untargeted attacks (phishing/smishing) – these are the most common and are usually conducted via e-mail or smishing (SMS phishing). Untargeted attacks are often generic and usually don’t contain any of your personal details. You should still report these kinds of attempts to the SA Revenue Service (Sars) with all details, such as the sender’s e-mail or mobile number and the nature of the scam.
- Targeted attacks (spear phishing) – these are usually conducted via e-mail, SMS or even scam telephone calls. These kinds of attacks often contain accurate personal details such as your name, identity number, address, account number or tax number. You should be concerned if you are in the crosshairs of a targeted attack, as it means criminals already have access to at least some of your information. This type of attack is more serious, and one should be alert to the possibility that a SIM swap or pretexting attack has occurred or may soon occur.
In both cases never click on links or open attachments. Always manually type in the full website URL rather than using your browser history or clicking on a link.
The Sars MobiApp has similar security to that of a mobile banking application and uses two-factor authentication, which is strong but not infallible. Criminals usually either use a SIM swap technique or phone the victim on some pretext to try to get access to your one-time PIN.
Sars says on its website that it will never request your banking details in any communication that you receive via post, e-mail or SMS. However, for the purpose of telephonic engagement and authentication, Sars will verify your personal details. Importantly, Sars will not send you any hyperlinks to other websites, even those of banks.