SARS Phishing Scams: Fake Tax Refund Emails and SMSes
Every year around tax season, scammers impersonate SARS with fake refund notifications. Here's how to spot them and what the real SARS communications look like.
Few messages get a faster reaction than "You have a tax refund waiting." Scammers know this, which is why SARS-themed phishing surges every year around South Africa's tax season — typically between July and November when individual taxpayers are filing returns and expecting refunds. The goal is always the same: trick you into clicking a link, entering your eFiling login and banking details, and handing over enough information to steal your money or your identity.
SARS itself regularly warns taxpayers about these scams on its website and has a dedicated email address for reporting phishing. Yet the scams keep working because they are convincing, timely, and play on anxiety about tax compliance.
How the scam works
The mechanics are simple but effective:
- You receive an email or SMS claiming SARS owes you a refund, or that there is an urgent issue with your tax account.
- The message creates urgency — "your refund will be cancelled in 24 hours," "your account has been suspended," or "failure to respond may result in legal action."
- A link takes you to a convincing fake SARS eFiling login page, often with the SARS logo, correct colours, and a URL designed to look official at a glance.
- You enter your username, password, ID number, and sometimes your banking details.
- Scammers use these credentials to hijack your eFiling profile, redirect legitimate refunds to their own accounts, or commit identity fraud.
Some variants go further: after capturing your login, they call you posing as SARS agents and walk you through "verifying" your banking details — allowing them to update your eFiling banking profile with their own account number so future refunds go directly to them.
What SARS will never do
SARS will never send you a clickable link to log in or make a payment. SARS will never ask for your banking details or eFiling password by email or SMS. SARS will never call you to demand immediate payment under threat of arrest. If any communication does these things, it is a scam.
How to spot a fake SARS communication
Check the sender address carefully
Legitimate SARS emails come from @sars.gov.za. Fake emails often use domains like sars-refund.co.za, sars-gov.online, or subtle misspellings of the real domain. Look at the full address, not just the display name — "SARS eFiling" as a display name can mask any underlying address.
Look at the link before you click
Hover over any link in an email — without clicking — to see the actual URL in your browser's status bar. The real eFiling portal is efiling.sars.gov.za. Any other domain is a fake. On mobile, hold the link to preview the URL.
Watch for urgency and threats
SARS sends formal correspondence. It does not issue 24-hour ultimatums by email. Any message threatening legal consequences, account suspension, or expiring refunds if you don't act immediately is engineered to bypass your critical thinking.
Look at the quality of the communication
- Generic greetings like "Dear Taxpayer" instead of your name.
- Grammatical errors, odd spacing, or inconsistent formatting.
- Requests for information SARS already has, like your ID number or physical address.
How to protect yourself
Never click links in tax-related emails or SMSes
Go directly to the official SARS website by typing the URL yourself or using a bookmark. The same applies to the SARS MobiApp — download it only from the official Apple App Store or Google Play Store.
Enable multi-factor authentication on eFiling
SARS eFiling supports two-factor authentication. Enabling this means that even if a scammer gets your password, they cannot log in without also intercepting your OTP.
Keep your eFiling banking details current and monitored
Log in to your eFiling profile periodically to confirm your banking details are correct. If a scammer has already changed them, you want to catch this before a refund is processed.
Report suspicious messages
Forward suspicious SARS-related emails to phishing@sars.gov.za and then delete them. Reporting helps SARS track and shut down phishing operations faster.
If you've already clicked or shared your details
Act immediately:
- Change your eFiling password from a trusted device.
- Log in to your eFiling profile and verify that your banking details have not been changed.
- Call SARS on 0800 00 7277 to report the compromise and ask them to flag your account.
- Alert your bank to watch for fraudulent transactions or account changes.
- Check your credit profile if you shared your ID number — scammers use it to open accounts or apply for loans in your name.
Frequently asked questions
How do I check if SARS is actually trying to contact me?
Log in directly to efiling.sars.gov.za and check your inbox and notifications there. Any legitimate SARS communication will be reflected in your eFiling account. Do not rely on emails or SMSes to tell you the status of your account.
Can scammers steal my refund without my eFiling password?
Yes — if they can convince you to confirm your banking details over the phone, or if they access your email account and use password reset links, they may be able to update your eFiling banking profile without your eFiling password. This is why protecting your email account is just as important.
What does a legitimate SARS SMS look like?
Genuine SARS SMSes typically come from the sender ID "SARS" and contain your partial tax reference number. They do not contain clickable links. If an SMS purportedly from SARS contains a URL, treat it with extreme suspicion.
Will SARS compensate me if my refund is stolen?
SARS is generally not liable for refunds redirected as a result of your eFiling credentials being compromised. However, if you report promptly and can demonstrate the profile was hacked, SARS will investigate. Always open a case with SAPS as part of the process — SARS may request the case number.