Tax season is phishing season, and cyber criminals are preying on unsuspecting taxpayers through a range of sophisticated phishing techniques that could put your personal and financial information at risk.

And as a Sars MobiApp user you face the similar risks to those you face using mobile banking applications, Brian Pinnock, cyber security expert at Mimecast warns.

Riccardo Spagni, a cryptocurrency and blockchain developer, says information is freely available than ever, but we should not be so free and easy with our most personal information. There are also a lot more people who want to use your information for their own (possibly nefarious) purposes, he says.

So watch out for ways in which scammers try to get your personal info by way of what is known as “social engineering”. 

Phishing is the most common form of this, Pinnock says. 

The attacker creates a website that looks like that of an organisation like Sars or a bank and sends you the link via email or social media that looks convincing, often because it uses content from the legitimate site, he says.

In “spear phishing” the attackers take advantage of information available on social media but may augment this with stolen data. 

“These attacks are usually tailored to you and contain information that you, the potential victim, assume is not readily available – like a password or account number – and so appears more realistic,” Pinnock says.

He says vishing involves the fraudster calling you by phone or using an interactive voice response system that attempts to trick you into believing it is a legitimate system, set up by, for example, Sars or your bank.

The Sars MobiApp, Pinnock says, requires a fairly comprehensive registration process, including submitting proof of residence, which makes it more difficult for attackers to compromise the app. 

The Sars app also uses a password and a PIN – known as two-factor authentication. However, no application can be 100% secure because of the human factor, Pinnock cautions.

“Criminal syndicates will continue to attempt to gain access to your e-filing account and password details via phishing emails. Using an illegal SIM swap along with these valid stolen credentials could possibly give attackers access to your mobi app,” he warns.

Pinnock says scammers also use other techniques that don’t require a SIM swap, such as pretexting to gain access to your one-time pin. In this scam, the fraudster calls you claiming to be from, for example, your bank, conducting a security test or some other plausible activity and asking you to read back the one-time pin.

“In addition, if attackers can gain access to your e-filing account they don’t actually need to compromise the app but can gain access to the same details via the e-filing portal.”

So how do you protect yourself?

Spagni says you need to think about your communication habits. “It’s not difficult to intercept communications like SMS and email. If you have anything even vaguely sensitive to share, use WhatsApp instead – at least it’s still secure and end-to-end encrypted.”

Don’t ever send bank or credit card details by email, he says. 

“You can also look at services like Wire, which is free, and Signal, which requires you to link a phone number, but offers powerful end-to-end encryption,” he suggests.

When you’re using WhatsApp, be sure to turn on the security notifications (in settings -> account -> security) to alert you when someone’s number changes, Spagni says. 

Pinnock says you should always use a different password for different sites, using passphrases instead of passwords and better still, use a password manager.

Both Pinnock and Spagni suggest you use two-factor authentication to secure your accounts, but don’t use SMS as one of the ways to authenticate your log in. 

Rather look for a time-based one-time password (TOTP) app, Spagni says. A great app is Authy, which allows you to enable two-factor authentication for all your favourite sites and accounts, so that even if your password is compromised, the scammer doesn’t have your phone, he says.

Pinnock says you should use legitimate anti-virus software and keep it updated.

Never use free wifi at airports, hotels, coffee shops and petrol stations without a VPN if you are doing any form of banking or confidential work.

The experts also warn that you should never click on links in emails or open suspicious attachments unless you know the sender and have checked carefully who the sender is. 

And finally, don’t let social media betray you by alerting potential criminals to your location and longer-term whereabouts, they say.