%PDF-1.3 1 0 obj << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj << /Type /Outlines /Count 0 >> endobj 3 0 obj << /Type /Pages /Kids [6 0 R ] /Count 1 /Resources << /ProcSet 4 0 R /Font << /F1 8 0 R /F2 9 0 R /F3 10 0 R /F4 11 0 R >> >> /MediaBox [0.000 0.000 612.000 792.000] >> endobj 4 0 obj [/PDF /Text ] endobj 5 0 obj << /Creator (DOMPDF) /CreationDate (D:20250707090505+00'00') /ModDate (D:20250707090505+00'00') /Title (Report 07-2025) >> endobj 6 0 obj << /Type /Page /Parent 3 0 R /Annots [ 12 0 R ] /Contents 7 0 R >> endobj 7 0 obj << /Length 4837 >> stream 0.702 0.800 0.816 rg 34.016 34.016 543.969 723.969 re f 1.000 1.000 1.000 rg 45.266 229.280 521.469 517.454 re f 0.773 0.773 0.773 RG 0.75 w 0 J [ ] 0 d 45.641 229.655 520.719 516.704 re S 0.773 0.773 0.773 rg 61.016 245.030 m 550.984 245.030 l 550.984 245.780 l 61.016 245.780 l f 0.200 0.200 0.200 rg BT 61.016 693.716 Td /F1 14.4 Tf [(SARS E-MAIL MAY FOOL USERS)] TJ ET 0.400 0.400 0.400 rg BT 61.016 664.909 Td /F2 9.0 Tf [(Posted on )] TJ ET BT 104.045 664.909 Td /F3 9.0 Tf [(January 01,1970)] TJ ET BT 173.588 664.909 Td /F2 9.0 Tf [( by )] TJ ET BT 188.096 664.909 Td /F3 9.0 Tf [(IT Communications)] TJ ET 0.153 0.153 0.153 rg BT 61.016 637.420 Td /F4 9.0 Tf [(For some lucky people, it is time for the tax returns from SARS. The criminals know it too and every year at this time, )] TJ ET BT 61.016 626.431 Td /F4 9.0 Tf [(users will get emails allegedly from SARS promising tax returns and asking you to click on a link, log in and provide your )] TJ ET BT 61.016 615.442 Td /F4 9.0 Tf [(bank account details and password so they can pay you money!)] TJ ET BT 61.016 595.453 Td /F4 9.0 Tf [(This is a scam, and you should never respond or go to the site or open up the attached file, as this could compromise your )] TJ ET BT 61.016 584.464 Td /F4 9.0 Tf [(banking security.)] TJ ET BT 78.360 564.491 Td /F4 9.0 Tf [(1.)] TJ ET BT 91.016 564.475 Td /F4 9.0 Tf [(SARS has your banking details on record and these are stored in secure and encrypted form. They do not need )] TJ ET BT 91.016 553.486 Td /F4 9.0 Tf [(you to confirm or enter your banking details.)] TJ ET BT 78.360 542.513 Td /F4 9.0 Tf [(2.)] TJ ET BT 91.016 542.497 Td /F4 9.0 Tf [(SARS would always either SMS or send you a registered letter in the post to inform you of tax returns, etc. They )] TJ ET BT 91.016 531.508 Td /F4 9.0 Tf [(would never contact you via unsecured e-mail, and furthermore they have enough of your data to address the mail )] TJ ET BT 91.016 520.519 Td /F4 9.0 Tf [(to you PERSONALLY and not via some vague “Dear Taxpayer” salutation.)] TJ ET BT 78.360 509.546 Td /F4 9.0 Tf [(3.)] TJ ET BT 91.016 509.530 Td /F4 9.0 Tf [(There is no )] TJ ET 0.373 0.169 0.255 rg BT 138.536 509.530 Td /F4 9.0 Tf [(returnfund@sars.co.za)] TJ ET 0.373 0.169 0.255 RG 0.18 w 0 J [ ] 0 d 138.536 508.379 m 229.706 508.379 l S 0.153 0.153 0.153 rg BT 229.706 509.530 Td /F4 9.0 Tf [( address)] TJ ET BT 78.360 498.557 Td /F4 9.0 Tf [(4.)] TJ ET BT 91.016 498.541 Td /F4 9.0 Tf [(The attached file is usually a html \(webpage\) file that gives you a forged webpage sitting on the criminals server )] TJ ET BT 91.016 487.552 Td /F4 9.0 Tf [(somewhere overseas.)] TJ ET BT 78.360 476.579 Td /F4 9.0 Tf [(5.)] TJ ET BT 91.016 476.563 Td /F4 9.0 Tf [(The amount that they promise to pay you is always something like R9,250.75)] TJ ET BT 78.360 465.590 Td /F4 9.0 Tf [(6.)] TJ ET BT 91.016 465.574 Td /F4 9.0 Tf [(Unless you have added your university e-mail address as the primary contact address on the SARS system you )] TJ ET BT 91.016 454.585 Td /F4 9.0 Tf [(should never get mail on your university account.)] TJ ET BT 61.016 434.596 Td /F4 9.0 Tf [(If you do go to this site and you do enter in your banking account details, credit card details, passwords etc, this will allow )] TJ ET BT 61.016 423.607 Td /F4 9.0 Tf [(the criminals to log into your bank account via the internet, and take control over your bank account. They will create )] TJ ET BT 61.016 412.618 Td /F4 9.0 Tf [(themselves as beneficiaries and then transfer all your money to their account, and then delete all the evidence pointing to )] TJ ET BT 61.016 401.629 Td /F4 9.0 Tf [(their account.)] TJ ET BT 61.016 381.640 Td /F4 9.0 Tf [(These scam e-mails will never stop. It is always difficult to block them too because scammers change their addresses, )] TJ ET BT 61.016 370.651 Td /F4 9.0 Tf [(details and methods on a daily basis. So it is always best to dump these mails in the junk mail folder, blacklist the sending )] TJ ET BT 61.016 359.662 Td /F4 9.0 Tf [(domain and delete the mail immediately.)] TJ ET BT 61.016 339.673 Td /F4 9.0 Tf [(Why do these criminals continue to send their mail? Because they catch people regularly. In 2012 South Africa was the 5)] TJ ET BT 541.742 342.337 Td /F4 9.0 Tf [(th)] TJ ET BT 61.016 328.684 Td /F4 9.0 Tf [(most phished country in the world behind India, Canada, the USA and the UK, with estimated figures of R14 million being )] TJ ET BT 61.016 317.695 Td /F4 9.0 Tf [(stolen from South Africans last year alone.)] TJ ET BT 61.016 297.706 Td /F4 9.0 Tf [( )] TJ ET BT 432.949 277.717 Td /F4 9.0 Tf [([ARTICLE BY DAVID WILES])] TJ ET 0.400 0.400 0.400 rg BT 61.016 259.228 Td /F2 9.0 Tf [(Posted in:E-mail,Security | Tagged:Bank Emails,Phishing,SARS E-mail,Spam | With 0 comments)] TJ ET endstream endobj 8 0 obj << /Type /Font /Subtype /Type1 /Name /F1 /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding >> endobj 9 0 obj << /Type /Font /Subtype /Type1 /Name /F2 /BaseFont /Helvetica-Oblique /Encoding /WinAnsiEncoding >> endobj 10 0 obj << /Type /Font /Subtype /Type1 /Name /F3 /BaseFont /Helvetica-BoldOblique /Encoding /WinAnsiEncoding >> endobj 11 0 obj << /Type /Font /Subtype /Type1 /Name /F4 /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj 12 0 obj << /Type /Annot /Subtype /Link /A 13 0 R /Border [0 0 0] /H /I /Rect [ 138.5357 508.6972 229.7057 517.8547 ] >> endobj 13 0 obj << /Type /Action /S /URI /URI (mailto:returnfund@sars.co.za) >> endobj xref 0 14 0000000000 65535 f 0000000008 00000 n 0000000073 00000 n 0000000119 00000 n 0000000305 00000 n 0000000334 00000 n 0000000472 00000 n 0000000554 00000 n 0000005443 00000 n 0000005555 00000 n 0000005670 00000 n 0000005790 00000 n 0000005898 00000 n 0000006026 00000 n trailer << /Size 14 /Root 1 0 R /Info 5 0 R >> startxref 6106 %%EOF SARS e-mail « Informasietegnologie
Language:
SEARCH
  • Recent Posts

  • Categories

  • Archives

SARS e-mail

Phishing attempt: “SARS eFiling Letter notification”

Thursday, January 31st, 2019

An email with the subject “SARS eFiling Letter Notification” was sent from a staff email to staff and students on campus. The email asks you to click on a link to download your SARS documents (See example below)

This is not a legitimate SARS email, but a phishing attempt from a compromised sun email account.

SARS will never ask you to provide any personal information by means of email. By clicking on links and providing your information, you give criminals access to your personal information and your accounts.

If you clicked on the link in this phishing email, immediately change your password on www.sun.ac.za/password. For enquiries contact the IT Service Desk by logging a request or calling 808 4367. More information on phishing is available on our blog and Twitter.

Click for a larger version.

SARS phishing e-mail

Monday, June 12th, 2017

Take note that a phishing e-mail promising a SARS payback is circulating on campus. Below is an example of the e-mail sent from a legitimate looking @sars.gov e-mail address with a web page attached which the receiver should click on and complete. 

Please do not click on the html file or enter any personal information. SARS would contact you via SMS if (in the unlikely event) they want to pay you money.  

Also look out for the telltale signs of a phishing e-mail below:

  1. Addressed to a generic name – “Dear Taxpayer”. SARS would at least include your full name and tax reference number.
  2. Grammar, spelling or punctuation errors. 
  3. SARS won’t ask you to complete any forms. They already have your information.

Dear Taxpayer,

 

After calculations of last year annual fiscal activities,we realised that you are eligible to receive a Tax refund of R9,250.75. please download the attached Tax refund form REFUNDSARS.html and complete the process of your Tax refund. Note:the refund will take 48hours to reflect in your account.

 

Thank you,

 

South Africa Revenue Services (SARS)

Tom Moyane Commissioner

Tax season = cyber scams

Friday, July 24th, 2015

Only people with an unusual desire for pain and discomfort look forward to a trip to the dentist. The same goes for tax.

Criminals know this and prey on our vulnerability. Every year at this time, e-mails like the one below end up in SU staff inboxes. It informs you that the taxman owes you money and all you have to do to receive it, is to click on a link.

This is a scam, and you should never respond or go to the site or open up the attached file, as this could compromise your banking security.

  1. SARS has your banking details on record and keeps it in secure and encrypted form. They do not need you to confirm or enter your banking details.
  2. SARS will always either SMS or send you a registered letter in the post to inform you of tax returns. They will never contact you by unsecured e-mail.
  3. They also have enough data to address the mail to you PERSONALLY and not via some vague “Dear Taxpayer” or “Good Day” salutation.
  4. There is no EFiling@sars.gov.za address.
  5. The attached file is usually a html (webpage) file and will connect you to a server controlled by the criminals. This server downloads a Trojan virus to your computer that will install software, malware and do all sorts of nasty things to your computer and data. Another tactic is to present you with a “login page” where you enter your banking account details, your PIN code etc.
  6. Unless you have added your university e-mail address as the primary contact address on the SARS system, you should never receive mail on your university account.

This phishing scam will allow the criminals to log into and take control of your bank account via the internet.

They can create themselves as beneficiaries, transfer your money to their account, and then delete the evidence pointing to their account.

These scam e-mails will never stop. It is always difficult to block them too because scammers change their addresses, details and methods on a daily basis. So it is always best to dump these mails in the junk mail folder, blacklist the sending domain and delete the mail immediately.

Why do these criminals continue to send their mail? Because they catch people regularly. In 2012 R14+ million was stolen from South Africans alone using phishing tactics such as this one.

Also read more on this on the mybroadband website.

EXAMPLE OF E-MAIL:

From: SARS eFiling [mailto:eFiling@sars.gov.za]
Sent: Saturday, 27 June 2015 10:14
Subject: Your account has been credited with R3,167.14
efiling

Your account has been credited with R3,167.14

Please click below to accept and verify payment.

Accept Payment

During this process, there will be verifications. If you don’t receive codes on time, come back to finish verification when received

SARS eFiling

[ARTICLE BY DAVID WILES]

SARS e-mail may fool users

Tuesday, October 15th, 2013

For some lucky people, it is time for the tax returns from SARS. The criminals know it too and every year at this time, users will get emails allegedly from SARS promising tax returns and asking you to click on a link, log in and provide your bank account details and password so they can pay you money!

This is a scam, and you should never respond or go to the site or open up the attached file, as this could compromise your banking security.

  1. SARS has your banking details on record and these are stored in secure and encrypted form. They do not need you to confirm or enter your banking details.
  2. SARS would always either SMS or send you a registered letter in the post to inform you of tax returns, etc. They would never contact you via unsecured e-mail, and furthermore they have enough of your data to address the mail to you PERSONALLY and not via some vague “Dear Taxpayer” salutation.
  3. There is no returnfund@sars.co.za address
  4. The attached file is usually a html (webpage) file that gives you a forged webpage sitting on the criminals server somewhere overseas.
  5. The amount that they promise to pay you is always something like R9,250.75
  6. Unless you have added your university e-mail address as the primary contact address on the SARS system you should never get mail on your university account.

If you do go to this site and you do enter in your banking account details, credit card details, passwords etc, this will allow the criminals to log into your bank account via the internet, and take control over your bank account. They will create themselves as beneficiaries and then transfer all your money to their account, and then delete all the evidence pointing to their account.

These scam e-mails will never stop. It is always difficult to block them too because scammers change their addresses, details and methods on a daily basis. So it is always best to dump these mails in the junk mail folder, blacklist the sending domain and delete the mail immediately.

Why do these criminals continue to send their mail? Because they catch people regularly. In 2012 South Africa was the 5th most phished country in the world behind India, Canada, the USA and the UK, with estimated figures of R14 million being stolen from South Africans last year alone.

 

[ARTICLE BY DAVID WILES]

 

© 2013-2025 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.