The Federal Tax Ombudsman has revealed a serious case of alleged cyber intrusion into Pakistan’s tax system, involving the незаконное revision of a taxpayer’s sales tax return and fraudulent use of input tax credit worth millions of rupees.
According to official findings, unknown individuals gained unauthorised access to a taxpayer’s IRIS profile by misusing login credentials and altered the return for October 2025.
As part of the manipulation, fictitious supplies amounting to Rs415.6 million were added, resulting in a GST impact of Rs74.8 million and exhausting the taxpayer’s entire carry-forward input tax credit.
The affected taxpayer approached the Ombudsman seeking an independent investigation, removal of fake invoices, restoration of the tax credit, and legal action against those responsible. Initial probes, including supply chain analysis, suggested the fraud was part of a larger organised network.
The investigation pointed to possible involvement of individuals linked to the Federal Board of Revenue and Pakistan Revenue Automation Limited, indicating that such a breach may have required insider access to sensitive taxpayer data.
Authorities found that cybercriminals exploited data of dormant and blacklisted taxpayers, as well as accounts with significant accumulated tax credits, to inject fake transactions into the system. The fraudulent activity spanned multiple regions, with beneficiaries identified in cities including Karachi, Lahore, Multan, Quetta, and Islamabad.
The Ombudsman noted that since the fraudulently claimed input tax credit has already moved through the supply chain, immediate restoration would not be appropriate until the investigation is fully completed and the main culprits are identified.
The unauthorised access and alteration of tax records were declared maladministration under the law, prompting several directives. The Directorate General of Intelligence and Investigation (Inland Revenue) has been assigned to conduct a detailed probe, using digital evidence such as IP tracking to identify all parties involved, both within and outside the system.
Chief Commissioners of major tax offices have been instructed to cooperate fully in tracing beneficiaries and ensuring coordinated enforcement actions across jurisdictions.
Additionally, the IRS Business Process Re-engineering (BPR) team has been tasked with proposing urgent system improvements, including tighter controls on changes to taxpayer credentials such as CNICs, mobile numbers, and biometric verification, along with stronger supervisory oversight.
The FBR has been directed to submit a comprehensive compliance report within 60 days, outlining investigative progress and preventive measures.
The case underscores critical weaknesses in the country’s digital tax infrastructure and highlights the need for stronger cybersecurity safeguards and internal accountability to protect taxpayers and public revenue.
