In Gqeberha, a nurse received an SMS saying SARS had auto-assessed her and a R9,840 refund was due to her. She had been waiting to fix her car to help travel for night shift.
R31,600 left her bank account later that day and real refund had never been released.
R31,600 left her bank account later that day and real refund had never been released.
Lindiwe was not chasing free money. She had worked overtime in April and May, her car had started making a grinding sound, and her unemployed boyfriend had already asked for help with money for a deal he was working on.
When the SMS arrived, the timing felt almost merciful. It used the language we all recognise around tax filing season; auto-assessment, refund, verification, banking details etc. That is why the message did not feel like a scam. It felt like admin finally moving.
When the SMS arrived, the timing felt almost merciful. It used the language we all recognise around tax filing season; auto-assessment, refund, verification, banking details etc. That is why the message did not feel like a scam. It felt like admin finally moving.
The SMS said her tax refund had been calculated but required banking confirmation before release. It included a reference number that looked exactly like the format she had seen on previous SARS messages and a link that looked official to lower her guard.
Lindiwe had used eFiling before, but not often enough to know every screen by memory. Like many people, she trusted the idea of SARS more than she understood the digital journey that was about to be copied in front of her.
Lindiwe had used eFiling before, but not often enough to know every screen by memory. Like many people, she trusted the idea of SARS more than she understood the digital journey that was about to be copied in front of her.
The first wrong turn was small. She opened the link during tea break because she did not want to miss a refund that could solve a real problem. The landing page looked safe, with a SARS-style header, a refund amount, a masked ID number and a button asking her to confirm whether her banking details were still correct.
Nothing asked her to send money. Nothing promised a lottery-style stuff.
Nothing asked her to send money. Nothing promised a lottery-style stuff.
After she entered her details, the page showed a warning that the refund could be delayed for 21 working days if the banking profile was not verified through her bank.
That line created pressure without sounding criminal. Nobody wants to wait 3 more weeks for money they believe has already been approved. Lindiwe did what ordinary people do when official systems feel confusing; she followed the next instruction, hoping to finish quickly and return to work.
That line created pressure without sounding criminal. Nobody wants to wait 3 more weeks for money they believe has already been approved. Lindiwe did what ordinary people do when official systems feel confusing; she followed the next instruction, hoping to finish quickly and return to work.
The fraudster’s real move was not the fake SARS page. It was the bridge from SARS trust into banking trust. A few minutes after Lindiwe submitted the form, a man called and introduced himself as an eFiling verification consultant.
He knew her first name, the refund amount and the last four digits she had typed on the fake page. That detail made him sound like he was inside the process, when he was only reading back what she had already surrendered.
He knew her first name, the refund amount and the last four digits she had typed on the fake page. That detail made him sound like he was inside the process, when he was only reading back what she had already surrendered.
He told her the banking confirmation had failed because the account had not been “synchronised” with the refund instruction. He then said she would receive a bank notification to confirm that no unauthorised refund redirection was taking place.
That framing was important and every prompt that followed was presented as protection, not payment, and Lindiwe was now trying to stop a delay rather than evaluate a transaction.
That framing was important and every prompt that followed was presented as protection, not payment, and Lindiwe was now trying to stop a delay rather than evaluate a transaction.
Inside the bank, the events did not look like a SARS refund. They looked like profile activity, authentication prompts, device trust, beneficiary setup, limit checks or payment instructions depending on what the fraudster was attempting.
That is the gap these scams exploit. The victim is inside one story, the bank is seeing another story, and the fraudster is translating between the two in real time. When the customer notices the mismatch, the money is usually already moving.
That is the gap these scams exploit. The victim is inside one story, the bank is seeing another story, and the fraudster is translating between the two in real time. When the customer notices the mismatch, the money is usually already moving.
Lindiwe saw wording on her phone that said she was approving an online banking action, not releasing a SARS refund. She asked the caller why the bank message did not mention @sarstax.
He sounded patient, almost offended on her behalf, and explained that banks do not show third-party tax references on secure prompts because of POPIA. It was the kind of answer that works because it borrows the language of compliance and uses it to silence a reasonable question.
He sounded patient, almost offended on her behalf, and explained that banks do not show third-party tax references on secure prompts because of POPIA. It was the kind of answer that works because it borrows the language of compliance and uses it to silence a reasonable question.
The app asked her to confirm a device she did not recognise and this should have ended the incident. Instead, the caller told her @sarstax verification was being routed through a secure tax-payment server and that the strange device label was only a temporary authorisation token.
The explanation was technically absurd, but it arrived at exactly the moment Lindiwe feared losing the refund. Fraudsters do not need the lie to survive a workshop. They need it to survive 10 pressured seconds.
The explanation was technically absurd, but it arrived at exactly the moment Lindiwe feared losing the refund. Fraudsters do not need the lie to survive a workshop. They need it to survive 10 pressured seconds.
At 15:48, the first R4,800 left her account. The caller immediately told her it was a reversible hold used to test whether her bank account could receive the @sarstax payment. At 15:56, another R8,700 moved. At 16:09, R12,500 followed. By 16:22, R31,600 had gone through a pattern of payments that made no sense for her normal banking behaviour.
The fraudster had converted a tax refund expectation into a banking loss before she could emotionally accept that the conversation was fraudulent.
The fraudster had converted a tax refund expectation into a banking loss before she could emotionally accept that the conversation was fraudulent.
The painful part is that Lindiwe still wanted the caller to be legitimate after the first debit. That is not stupidity, it is human psychology under loss. The moment money left, admitting the truth became more expensive than believing the explanation.
The caller used that window well, telling her that interrupting the “reversal cycle” could freeze both the hold and the refund. In that minute, she was not thinking like a customer authorising fraud. She was thinking like someone trying to rescue money.
The caller used that window well, telling her that interrupting the “reversal cycle” could freeze both the hold and the refund. In that minute, she was not thinking like a customer authorising fraud. She was thinking like someone trying to rescue money.
This is why tax-refund scams are so powerful around filing season. They attach themselves to money people already believe might be theirs. Unlike investment scams, the promise does not need to be huge and unlike job scams, it does not need to create a fake employer.
It only needs to arrive when taxpayers are expecting @sarstax messages, checking banking details, waiting for auto-assessments, and trying to understand a process many people use only once a year.
It only needs to arrive when taxpayers are expecting @sarstax messages, checking banking details, waiting for auto-assessments, and trying to understand a process many people use only once a year.
The false comfort sits in the paperwork and the seasonality. A SARS-looking reference number feels official, a refund amount feels plausible, a banking-confirmation request feels administratively normal, a caller who knows the amount feels connected, a bank prompt feels secure because it comes through the real app.
Each piece seems to confirm the next. In reality, those confirmations are not proving legitimacy, they are proving that the fraudster has successfully moved the victim from one trusted environment to another.
Each piece seems to confirm the next. In reality, those confirmations are not proving legitimacy, they are proving that the fraudster has successfully moved the victim from one trusted environment to another.
When Lindiwe phoned the bank, the dispute did not sound like the SMS that started everything. It sounded like authenticated app activity and payments from her profile. When she tried SARS, the real platform showed no refund and no instruction requiring her to verify through that link.
That is when the two stories finally separated. The SMS had been about a refund, the loss was about banking access and the victim had experienced one journey, but the institutions were looking at different parts of it.
That is when the two stories finally separated. The SMS had been about a refund, the loss was about banking access and the victim had experienced one journey, but the institutions were looking at different parts of it.
This is the audit blind spot in consumer language. If each institution reviews only its own evidence, the wrong conclusion can look reasonable. SARS can say the link was not theirs, the bank can say the payment was authenticated, the telco can say the number was prepaid or already gone and the receiving bank can say funds moved onward quickly.
Every statement can be narrowly true, but the fraud itself lives in the connection between those truths, where the victim’s real experience sits.
Every statement can be narrowly true, but the fraud itself lives in the connection between those truths, where the victim’s real experience sits.
The stronger detection opportunity was behavioural, not documentary. Lindiwe was not a customer who normally added new beneficiaries during a tea break, moved multiple amounts in under an hour, responded to a tax-themed link, and changed her banking behaviour immediately after receiving a refund message.
None of those signals alone proves fraud, but together they tell a story that authentication cannot tell. Fraud detection improves when institutions stop asking only whether a prompt was approved and start asking what pressure surrounded the approval.
None of those signals alone proves fraud, but together they tell a story that authentication cannot tell. Fraud detection improves when institutions stop asking only whether a prompt was approved and start asking what pressure surrounded the approval.
There is also a corporate version of this exact weakness where finance teams receive fake SARS letters about outstanding tax clearance, VAT refunds, PAYE settlements or compliance documents. HR teams receive employee tax-form updates. Suppliers send altered banking documents near month-end. Executives ask teams to “sort SARS quickly” before a deadline.
The same mechanism appears inside companies.
The same mechanism appears inside companies.
For a business, the danger is not only that an employee might click a fake SARS link, the danger is that the organisation may treat tax, payroll, supplier and banking updates as routine admin rather than fraud-risk moments.
A finance clerk who is careful with invoice approvals can still be rushed by a “final demand” notice, a payroll officer who knows policy can still process a banking change before salary run.
Fraud often enters through the process nobody thinks is dramatic enough to deserve escalation.
A finance clerk who is careful with invoice approvals can still be rushed by a “final demand” notice, a payroll officer who knows policy can still process a banking change before salary run.
Fraud often enters through the process nobody thinks is dramatic enough to deserve escalation.
When you get to your office on Monday, pull every process where money, identity, tax status or banking details can be changed after an email, SMS, portal upload, phone call or document attachment.
Then ask who verifies the source, who checks the destination, who reviews unusual timing, who can pause the action, and who owns the fraud risk if the instruction is technically complete but contextually suspicious.
If the answer is “the person processing it must be careful,” the control is already too weak and you must contact us before you become a victim.
Then ask who verifies the source, who checks the destination, who reviews unusual timing, who can pause the action, and who owns the fraud risk if the instruction is technically complete but contextually suspicious.
If the answer is “the person processing it must be careful,” the control is already too weak and you must contact us before you become a victim.
For consumers, the useful lesson is not simply “do not click links.” That advice is correct but incomplete. The better rule is that no refund should require you to approve outgoing banking actions, add beneficiaries, trust unknown devices, share card details, install support tools, or stay on a call while someone explains bank prompts.
A real refund does not need you to rescue it through panic. Once urgency enters the conversation, the safest action is to stop the journey and restart from the official app or website yourself.
A real refund does not need you to rescue it through panic. Once urgency enters the conversation, the safest action is to stop the journey and restart from the official app or website yourself.
For banks, tax platforms, employers and financial-service providers, the lesson is more strategic. Filing season creates a predictable fraud window where customer expectation, government trust, refund anxiety and banking authentication collide.
That window should be treated like a seasonal risk event, not a communications problem. The question is not only whether warnings were issued. it is whether high-risk journeys, new beneficiaries, device changes, contact-centre disputes and mule-account inflows are being watched differently during the season.
That window should be treated like a seasonal risk event, not a communications problem. The question is not only whether warnings were issued. it is whether high-risk journeys, new beneficiaries, device changes, contact-centre disputes and mule-account inflows are being watched differently during the season.
At @MKFraudInsights , this is the pattern we keep seeing across modern fraud; the money does not move at the point where trust is first created. Trust is created in one place, such as SARS language, WhatsApp, email, Marketplace, recruitment or a supplier relationship, and the money moves somewhere else, usually through a bank, wallet, merchant, payroll or payment process.
Fraud strategy must connect those worlds because the victim experiences them as one journey even when institutions do not.
Fraud strategy must connect those worlds because the victim experiences them as one journey even when institutions do not.
The tax-refund scam is dangerous because it does not ask people to believe in a miracle. It asks them to believe in admin. It arrives when taxpayers are already waiting for SARS, uses the language of verification, borrows the authority of compliance, and turns a real banking prompt into evidence against the victim.
That is the lesson. Some scams do not defeat controls by looking suspicious, they defeat controls by looking like the next step in a process everyone was already expecting.
That is the lesson. Some scams do not defeat controls by looking suspicious, they defeat controls by looking like the next step in a process everyone was already expecting.
No one is above social engineering. Here is why
https://x.com/Rendani666/status/2055974602287772078
• • •
Missing some Tweet in this thread? You can try to
force a refresh
