LAHORE: The Federal Tax Ombudsman (FTO) has exposed a significant cyber intrusion into Pakistan’s tax system, resulting in the unauthorized revision of a taxpayer’s sales tax return and fraudulent adjustment of input tax credit worth millions of rupees.
According to official findings, unidentified individuals gained illegal access to the taxpayer’s IRIS profile by misusing login credentials and revised the return for October 2025.
Fake Transactions Worth Millions Detected
A press release revealed that fake supplies amounting to Rs415.6 million were inserted into the system, carrying a GST impact of Rs74.8 million. This manipulation effectively consumed the taxpayer’s entire carry-forward input tax credit.
The affected taxpayer approached the FTO seeking an independent inquiry, removal of fake invoices, restoration of tax credit, and strict legal action against those responsible.
Organized Network and Insider Involvement Suspected
Investigations indicate that the fraud was part of a broader organized network. Evidence suggests possible facilitation by individuals linked to the Federal Board of Revenue (FBR) and Pakistan Revenue Automation Limited (PRAL), raising concerns about insider access to sensitive taxpayer data.
Cybercriminals reportedly exploited dormant and blocked taxpayer accounts, as well as entities with large accumulated input tax credits, to introduce fake transactions into the system.
Multi-City Investigation Underway
The fraudulent supply chain has been traced across multiple cities, including Karachi, Lahore, Multan, Quetta, and Islamabad. Several beneficiaries have already been identified for legal proceedings by relevant field formations.
However, the FTO noted that restoration of the fraudulently adjusted input tax credit would be premature until the investigation is completed and key perpetrators are identified.
Directives Issued for Action
The FTO declared the incident as maladministration and issued several directives:
• The Directorate General of Intelligence and Investigation (Inland Revenue) has been tasked with conducting a comprehensive probe using digital evidence such as IP tracking.
• Chief commissioners have been instructed to ensure full cooperation in identifying beneficiaries across the supply chain.
• The IRS Business Process Re-engineering (BPR) team will recommend system upgrades, including stricter controls on credential changes, biometric verification, and enhanced supervisory oversight.
Additionally, the Federal Board of Revenue has been directed to submit a compliance report within 60 days.
Need for Stronger Cybersecurity
The case highlights serious vulnerabilities in Pakistan’s digital tax infrastructure and underscores the urgent need for stronger cybersecurity measures and internal accountability mechanisms.
