The SARS phishing scam targeting South African businesses: SilverFox explained

By Ubuntu Guard Cyber | 5 May 2026

A SARS tax-audit email lands in your bookkeeper's inbox at 10:47 on a Tuesday morning. The branding looks correct. The wording is formal enough. The attachment is named like a real reference number. Your bookkeeper opens it, because that is exactly what bookkeepers are paid to do.

Five minutes later, a stranger is reading your accounting system in real time.

This is not a hypothetical. It is a phishing wave called SilverFox; it has been running across South Africa since the start of 2026, and Kaspersky researchers logged over 1,600 of these emails in a single two-month window. If you run a small or mid-sized business in this country, the people most likely to open one are sitting at the keyboards closest to your money.

Here is what the SARS phishing scam in South Africa actually does, why local SMEs are getting hit harder than most, and what you can do about it before the next one arrives.

What is the SARS phishing scam targeting South African businesses?

The campaign was first publicly detailed by Kaspersky's GReAT threat-intelligence team on 30 April 2026. They tied the activity to a Chinese-speaking actor cluster known as SilverFox, which has been running similar lures internationally since December 2025 and has now turned the dial firmly toward South Africa, India, Indonesia, and Russia.

The lure works because it is plausible. South African businesses get genuine SARS correspondence all the time. Tax audits are real, deadlines are real, and the consequences of ignoring SARS are real. So when an email arrives that looks like SARS, with a reference number and a zip file labelled something like "Tax Violations 2026.zip", a finance person under deadline pressure opens it. That is the entire point of the design.

The opening is not the breach. The opening is the trigger.

How the SilverFox phishing scam actually works

The zip file does not contain a tax document. It contains a small loader, hidden behind a file with an innocent-looking name. When that loader runs, it does three things in sequence.

First, it pulls down a remote-access tool called ValleyRAT. This piece of malware has been in this group's toolkit for years and is purpose-built for stealthy persistence. It is the part that gives an attacker hands-on-keyboard access to the infected machine.

Second, ValleyRAT installs a newer Python backdoor that Kaspersky has named ABCDoor. This is the SilverFox group's 2026 upgrade, and it is the one that should worry SA businesses most. ABCDoor is modular, harder for traditional antivirus to flag, and built for long-term data theft from accounting and finance systems specifically.

Third, the attacker now has eyes on whatever the infected user has open. Sage. Pastel. Xero. The bank login still in the browser tab. Cached SARS eFiling credentials. Internal email threads about cashflow, payroll, customer accounts. None of this is theoretical. This is what these tools are built to do.

By the time anyone notices something is off, the data is gone and the attacker is selling it on or extorting the business directly.

Why South African SMEs are the soft target

There are three reasons SA SMEs get hit harder than most, and they are structural, cultural, and statistical.

Structurally, most South African small businesses run their finance function with one or two people, often part-time, often without a dedicated IT contact. There is no security operations centre. There is no email gateway sandboxing every attachment. There is the bookkeeper, a laptop, and a long list of things to get done before month-end.

Culturally, SARS communication carries weight in South Africa in a way that few other government emails do. Bookkeepers and finance admins are trained to take SARS messages seriously and act on them quickly. The attackers know this, which is why they chose SARS and not some generic courier scam.

Statistically, Kaspersky's telemetry shows South Africa accounted for around 2.79% of observed SilverFox traffic, with industrial, consulting, trade, and transport firms hit hardest. SABRIC's most recent figures put phishing behind 78% of all digital banking fraud in South Africa in 2025. The attackers are not picking SA at random. They are picking it because it works.

How to spot a fake SARS email in under thirty seconds

The good news is that real SARS communication has a small number of consistent properties. Once you know what they are, the SilverFox lure starts to look obvious.

SARS does not send tax-audit notifications as zip-file attachments. It uses eFiling, and almost all official correspondence routes through your eFiling inbox, not your email inbox. If the attachment is a zip, it is not from SARS.

SARS does not ask you to "verify your details" by clicking a link in an email. Verification happens through eFiling, in person at a branch, or via a SARS-issued letter.

Real SARS emails come from sars.gov.za addresses, not lookalike domains. SilverFox emails almost always use slightly off domains, free email providers, or compromised third-party servers. Hover over the sender. Read the address slowly.

The email that creates artificial urgency, that demands you act in 24 hours or face a penalty, is almost always a scam. SARS does enforce deadlines, but its first contact is rarely an apocalyptic one-day countdown.

If anything in a message gives you pause, phone SARS using the number from their official website. Not the number in the email. Never the number in the email.
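As an added example (not UbuntuGuard's Business Trust Check and not code from this post), here is a short Python triage that runs the four checks above over a raw email. The legitimate domain, the urgency and "verify your details" phrase patterns, and the sample lure with its made-up sender domain are all assumptions constructed for the example.

```python
# Added example, not UbuntuGuard's Business Trust Check: applies the four checks above to a raw email.
import re
from email import message_from_string
from email.message import Message

LEGIT_DOMAIN = "sars.gov.za"  # assumption: the only legitimate sender domain (plus its subdomains)
URGENCY = re.compile(r"\b(within|in) (24|48) hours\b|\bfinal (notice|warning)\b", re.I)
VERIFY_LINK = re.compile(r"verify your (details|account)", re.I)

def sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def is_legit_domain(domain: str) -> bool:
    # Exact match or a true subdomain; lookalikes such as sars-gov.za or sars.gov.za.attacker.example fail.
    return domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN)

def triage(raw: str) -> list[str]:
    """Return the red flags found; an empty list means none of the four checks fired."""
    msg = message_from_string(raw)
    flags = []
    dom = sender_domain(msg)
    if not is_legit_domain(dom):
        flags.append(f"sender domain {dom!r} is not {LEGIT_DOMAIN}")
    if any((p.get_filename() or "").lower().endswith(".zip") for p in msg.walk()):
        flags.append("zip attachment (SARS does not send audit notices as zips)")
    text = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    if VERIFY_LINK.search(text):
        flags.append("asks you to verify your details by email")
    if URGENCY.search(text):
        flags.append("artificial urgency")
    return flags

# Constructed sample lure modelled on the article's description; the domain is made up.
PHISH = """\
From: SARS Audit Division <audit@sars-gov-za.example>
Subject: Tax Violations 2026 - Ref 4471/2026
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You must verify your details within 24 hours or face a penalty.
--b1
Content-Type: application/zip; name="Tax Violations 2026.zip"

--b1--
"""
```

Running `triage(PHISH)` returns all four flags; a plain-text notice from a sars.gov.za address that simply points you to your eFiling inbox returns an empty list.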

What to do if your team already opened one

If a SilverFox attachment has been opened on a machine in your business, treat it as a confirmed compromise. The risk is not what was on screen at the moment of opening. The risk is what the attacker has done in the hours or days since.

Isolate that machine from the network immediately. Pull the network cable, kill the Wi-Fi, do not just lock the screen.

Reset every password that has touched that machine in the last six months. Email, banking, eFiling, accounting software, CRM, payroll. Use a clean device for the resets.

Check your bank, eFiling, and any payment platforms for unauthorised activity. Notify your bank's fraud line if anything looks off.

Notify the Information Regulator within the timelines required by POPIA if there is any chance personal information was exfiltrated. Reporting late is its own offence, and the Regulator has been issuing administrative fines through 2026 for slow notifications.

Get a forensic incident-response firm involved if the affected machine had broad access to financial systems. The cost of a proper investigation is a fraction of what an undetected SilverFox infection can do over six months.

Stop being the next SilverFox headline

The hard truth is that SARS-themed phishing will keep working for as long as South African businesses treat finance and IT as separate problems. The bookkeeper and the IT contractor need to be on the same page, with the same playbook, before the next email arrives.

The single most useful thing you can do this week is verify, before opening anything, that the sender, the domain, and the message are what they claim to be. UbuntuGuard's free Business Trust Check tool walks you through that verification in under two minutes, with no signup, and surfaces the same red flags a security analyst would catch. Run a suspicious email through it before forwarding it to your team.

Stay sharp.

Contact us at [email protected] if you have questions or need help assessing your exposure.
