Researchers identified a phishing campaign targeting customers of South African banking institutions in order to steal credentials, accounts numbers, PINs, and more. The phishing email appears to come from the South African Revenue Service’s (SARS) eFiling service and claims to reference a tax return that has been deposited into the user’s account. Recipients are requested to select and log in to their institution from one of five listed banks in order to complete the refund process. Each of the links leads to a look alike login page for the associated bank. The landing pages ask for a variety of information, such as account numbers, passwords, PINs and cell phone numbers. All of the sites are hosted on the same server and leverage the Webnode website building service. By using Webnode, any data entered into the form is conveniently gathered and stored by the service.