FTO exposes case of ‘cyber intrusion’ into tax system

ISLAMABAD: The Federal Tax Ombudsman (FTO) has brought to light a significant case of alleged cyber intrusion into the tax system, resulting in unauthorised revision of a taxpayer’s sales tax return and fraudulent adjustment of input tax credit worth millions of rupees. According to official findings, unidentified individuals gained illegal access to the taxpayer’s IRIS profile by misusing login credentials and revised the return for October 2025. Through this activity, fake supplies amounting to Rs. 415. 6 million were introduced, carrying a GST impact of Rs. 74. 8 million and effectively consuming the entire carry-forward input tax credit of the taxpayer. The affected party approached the FTO seeking an independent inquiry into the hacking incident, removal of fake invoices, restoration of the input tax credit, and strict legal action against those responsible. Upon examination of the supply chain trail and investigation reports, it emerged that the fraudulent activity was part of a broader, organised network. The findings indicate possible facilitation by some individuals associated with the Federal Board of Revenue (FBR) and Pakistan Revenue Automation Limited, suggesting that such manipulation could not have been carried out without insider access to the sensitive taxpayer data. Investigators observed that cybercriminals exploited information related to dormant and blacklisted taxpayers, as well as entities holding substantial accumulated input tax credits to introduce fake transactions into the system. The fraudulent supply chain was traced across multiple jurisdictions, and several beneficiaries have already been identified for legal proceedings by relevant field formations in Karachi, Lahore, Multan, Quetta, and Islamabad. The FTO noted that since the fraudulently adjusted input tax credit has already moved through the supply chain, its immediate restoration would be premature until the investigation is completed and the main perpetrators are identified. The Ombudsman declared the unauthorised use of login credentials and revision of tax records as maladministration under the relevant provisions of the law and issued key directives to address the matter. The Directorate General of Intelligence and Investigation (Inland Revenue) has been tasked with conducting a comprehensive probe to identify all beneficiaries and trace those involved in the cyber fraud, including individuals within or outside FBR and PRAL, using digital evidence such as IP addresses. Chief Commissioners of major tax offices have been directed to extend full cooperation in identifying beneficiaries throughout the supply chain and ensuring coordinated enforcement action. In addition, the IRS Business Process Re-engineering (BPR) team has been instructed to recommend immediate system upgrades, including stricter controls over changes in taxpayer credentials such as CNIC, mobile numbers, and biometric verification, along with enhanced supervisory oversight to prevent misuse of IDs and passwords. The FBR has further been directed to submit a comprehensive compliance report within 60 days, detailing the progress of the investigation and measures taken to prevent recurrence. The case highlights serious vulnerabilities in the digital tax infrastructure and highlights the urgent need for stronger cybersecurity mechanisms and internal accountability to safeguard both taxpayers and public revenue. Copyright Business Recorder, 2026

Read full story on Business Recorder