Unauthorized Access to IRIS Profile
Pakistan’s tax system has recently come under serious scrutiny after a major cyber intrusion exposed vulnerabilities within the Federal Board of Revenue’s FBR digital infrastructure. The Federal Tax Ombudsman revealed that unauthorized access to a taxpayer’s IRIS profile resulted in a massive tax fraud amounting to Rs. 74.8 million. This alarming incident has raised concerns not only about financial losses but also about the integrity and security of Pakistan’s digital tax ecosystem.
Tax Bar Gives FBR 12 Proposals to Fix Digital Tax System
How the Fraud Happened
The incident reportedly occurred when unidentified individuals gained illegal access to login credentials associated with a taxpayer’s IRIS account. Using these credentials, the attackers manipulated the sales tax return for October 2025. They inserted fake supplies worth Rs. 415.6 million, effectively eliminating the taxpayer’s carry-forward input tax credit. This type of manipulation highlights how sensitive financial data can be exploited when cybersecurity measures are insufficient or compromised.
Major Pakistani Airport is Getting a New Terminal
Taxpayer’s Response and Investigation
Following the discovery of the fraud, the affected taxpayer approached the Federal Tax Ombudsman, seeking justice and corrective action. The taxpayer requested the removal of fake invoices, restoration of legitimate tax credit, and strict legal action against those responsible. The Ombudsman initiated an independent investigation, which uncovered evidence suggesting that the fraud was part of a broader organized network.
NEPRA Removes Fees and License Requirement for Solar Users
Organized Network and Multi-City Involvement
Further investigations revealed that cybercriminals exploited dormant and blacklisted taxpayer accounts, as well as profiles with substantial accumulated tax credits. These accounts were used to insert fictitious transactions, allowing fraudsters to manipulate the system without immediate detection. The fraudulent activities were traced across multiple major cities, including Karachi, Lahore, Multan, Quetta, and Islamabad, indicating a well-coordinated and widespread operation.
Possible Internal Facilitation
What makes the situation even more concerning is the possibility of internal facilitation. The investigation hinted that individuals linked to the FBR and Pakistan Revenue Automation Limited (PRAL) may have played a role, either directly or indirectly, in enabling the breach. If proven true, this would point to systemic weaknesses not only in technology but also in governance and oversight.
UAE Exit From Oil Alliance Sends Shockwaves Across Global Energy Markets
Government and Legal Actions
The Federal Tax Ombudsman has termed this incident a case of maladministration. The Directorate General of Intelligence and Investigation (Inland Revenue) has been directed to conduct a comprehensive probe. Authorities are now using digital forensic tools, including IP tracking and system logs, to identify all individuals involved. Legal proceedings are expected against those found guilty.
Measures to Strengthen Cybersecurity
In response to the incident, tax authorities have been instructed to fully cooperate with the investigation. The IRS Business Process Reengineering (BPR) team has been tasked with proposing system upgrades such as biometric verification, stricter controls on credential changes, and enhanced supervisory checks.
Pakistan’s Military Spending Sees Significant Rise in 2025 Amid Regional Tensions
Importance of Digital Security in Tax Systems
Cybersecurity experts emphasize that systems handling financial data must include multi-layered protections such as two-factor authentication, encryption, and real-time monitoring. Without these safeguards, digital platforms like IRIS remain vulnerable to cyber threats.
FAQs
1. What is the IRIS system?
IRIS is an online tax system by FBR that allows taxpayers to file returns and manage their tax records digitally.
2. How did the fraud occur?
Unauthorized individuals accessed a taxpayer’s account using compromised login credentials and manipulated tax data.
3. What was the total loss?
The fraud resulted in Rs. 74.8 million loss in input tax credit.
4. Which cities were involved?
Karachi, Lahore, Multan, Quetta, and Islamabad were identified in the investigation.
5. What steps are being taken?
Authorities are investigating, tracing digital evidence, and planning system upgrades to prevent future incidents.
PTA Survey Reveals the Best Mobile Networks in Azad Jammu and Kashmir
Final Words
The Rs. 74.8 million IRIS tax fraud case highlights serious gaps in Pakistan’s digital security framework. While digitalization has improved efficiency, it has also introduced new risks that must be addressed. Strengthening cybersecurity, ensuring accountability, and implementing robust safeguards are essential to protect public trust and prevent future financial crimes.
The IRIS tax fraud case serves as a critical warning for Pakistan’s digital governance system, highlighting how vulnerabilities in cybersecurity can lead to significant financial and institutional damage. While ongoing investigations and proposed reforms are steps in the right direction, long-term success will depend on strict implementation, transparency, and accountability. Strengthening system controls, adopting advanced security technologies, and ensuring internal oversight are essential to prevent such incidents in the future. Ultimately, restoring public trust in the tax system will require not only fixing technical flaws but also building a culture of responsibility and vigilance within all relevant institutions.
Oil Blasts Past $120 After Shock UAE Exit While Trump Keeps Hormuz Choked