Unauthorized Access to IRIS Profile Triggers Rs. 74.8 Million Tax Fraud

The Federal Tax Ombudsman has uncovered an alleged major cyber intrusion into Pakistan’s tax system, in which unauthorized access led to fraudulent adjustments to input tax credit amounts totaling Rs. 74.8 million.

According to official findings, unidentified individuals illegally accessed a taxpayer’s IRIS profile by misusing login credentials and revised the sales tax return for October 2025. The breach introduced fake supplies worth Rs. 415.6 million, effectively wiping out the taxpayer’s entire carry-forward input tax credit.

The affected taxpayer approached the ombudsman seeking an independent inquiry, the removal of fake invoices, the restoration of the tax credit, and legal action against those involved. Investigations revealed that the fraud was part of a wider organized network, with indications of possible facilitation by individuals linked to the Federal Board of Revenue and Pakistan Revenue Automation Limited.

Authorities found that cybercriminals exploited data of dormant and blacklisted taxpayers, as well as accounts holding significant accumulated credits, to insert fake transactions into the system. The fraudulent activity was traced across multiple cities, including Karachi, Lahore, Multan, Quetta, and Islamabad, with several beneficiaries already identified for legal proceedings.

The ombudsman termed the unauthorized access and manipulation of tax records as maladministration and directed the Directorate General of Intelligence and Investigation, Inland Revenue to conduct a detailed probe. The investigation will use digital evidence, including IP tracking, to identify all individuals involved within and outside official institutions.

Tax authorities across major regions have been instructed to cooperate fully in tracing the supply chain and ensuring coordinated enforcement action. Meanwhile, the IRS Business Process Reengineering team has been tasked with proposing system upgrades, including tighter controls on credential changes, biometric verification, and stronger supervisory checks.

The Federal Board of Revenue has also been directed to submit a compliance report within 60 days, outlining progress on the investigation and measures taken to prevent similar incidents. The case has raised serious concerns about vulnerabilities in Pakistan’s digital tax infrastructure and the need for stronger cybersecurity safeguards.