Legitimate e-mails are being hacked. (Image source: 123RF, created via GenAI)
The South African Revenue Service (SARS) has issued another alert warning about phishing e-mails falsely claiming recipients have been summoned to appear in court over tax issues.
ITWeb has received two such e-mails purporting to be court notices – both from legitimate companies – indicating either compromised e-mail systems or spoofed addresses.
One e-mail featured a SARS logo with a notice to appear in court within four days, threatening “default judgement” for non-appearance. The mail contained a link to “case details and instructions” – clearly a phishing attempt.
Timing is critical in many cases, says Lynette Drevin, professor at the School of Computer Science and Information Systems at North West University. She noted that attacks escalate during the tax season when people are filing returns.
SARS wrapped up automatic assessments on 20 July, while individual taxpayers not auto assessed had until 20 October to file their returns after the agency shortened the filing period.
See also
The taxman’s notification states that a PDF letter is being e-mailed to people with the e-mail subject line: “LEGAL RULING SUMMON DEMAND AS AT 21 10 2025”.
It notes that “scams are changed on a regular basis so the subject line may differ. The letter contains a link to a fraudulent phishing website.”
Business e-mail compromise
ITWeb notified the first company and, in accordance with the Protection of Personal Information Act, the firm sent a recall and delete e-mail. “The e-mail address was compromised, and we apologise and understand this can be disruptive. We have taken steps to ensure it doesn’t happen again.”
Weeks later, another e-mail arrived from a different reputable company, also containing a suspicious link and a warning to appear “unless otherwise excused by the court”. ITWeb also alerted that company.
Prof Marijke Coetzee, also at North West University’s School of Computer Science and Information Systems, explains that hackers using legitimate e-mails addresses to send such mails “can gain access to your mailbox through various methods, making it difficult to detect”.
An example of the SARS scam e-mail.
The breach could stem from a stolen password, password attack, phishing attack, or other compromises, Coetzee says. “This can lead to a business e-mail compromise (BEC), where the attacker impersonates individuals within a company, such as CEOs or individuals within finance departments.”
Security company Proofpoint says these scams occur when attackers impersonate trusted sources using spoofed, lookalike, or compromised accounts and send targeted e-mails to employees, partners, or customers.
“The recipients, believing the e-mails are legitimate, then take actions that lead to scammers gaining access to sensitive data, funds or accounts. Notably, most BEC attacks result in fraudulent wire transfer or financial payment,” it says.
Legal obligations and recourse
Technology and privacy lawyer Nerushka Bowan, commenting on ITWeb’s examples, explains that companies must notify the Information Regulator and affected individuals when they have reasonable grounds to believe personal information has been accessed by an unauthorised person.
However, Bowan says: “If a company is unaware that their systems have been breached, they would not have any reasonable grounds to believe that any personal information was accessed.”
Once aware, companies must notify the Information Regulator “as soon as reasonably possible after the discovery of the compromise. They would also need to send a communication to affected data subjects,” states Bowan.
Coetzee notes that companies are responsible for monitoring and securing all e-mail accounts. Should a blitz of e-mails be sent out, the company should receive an alert and quickly disable the account.
“Implementing multi-factor authentication on all accounts can assist in mitigating this issue,” Coetzee says.
Bowan adds that e-mail recipients have recourse against companies whose systems have been compromised. They can submit complaints directly to the Information Regulator and “have the right to institute court proceedings for civil damages against a responsible party for breach of the conditions of lawful processing of personal information, or non-compliance with various sections of the Act”.
A key aspect raised by experts is whether companies have adequate security measures to protect information. This is an aspect that the Information Regulator will probe, following which, it will decide whether enforcement action is needed, Bowan explains.
“Unfortunately, companies regularly find out only months after their systems have been compromised. Often the cyber criminals sit quietly collecting data until they are found out, and then steps are taken to stem the leak. By this time, they would have amassed a lot of the company’s data.”
Coetzee says recipients of fake e-mails risk having their contact details added to lists used for malicious purposes.
“The problem is that we are dealing with a massive increase in phishing attacks. South Africa has emerged as the phishing capital of the cyber world, according to the latest bi-annual Threat Report from global cyber security provider ESET,” says Coetzee.
This is due to more online services, lack of awareness and insecure devices, Coetzee notes. She adds that “the number of phishing attacks crafted by artificial intelligence seems limited at this stage, but it is a growing threat”.
[Image] Overall risk ratio of e-mail threats in last quarter of 2024
[Caption] The overall risk ratio of e-mail threats in the last quarter of 2024.
When AI attacks escalate, it will be concerning as they will perfectly mimic company behaviour, CEO voices, and produce deepfakes, among other tactics, Coetzee adds.
“We are dealing with big business – estimated cyber crime in 2024 was around $9.22 trillion globally. We are fighting a losing battle – for example, Google blocks 100+ million phishing e-mails daily,” warns Coetzee.
* ITWeb has kept the companies’ names anonymous as this information is not germane to the article.
