The Federal Tax Ombudsman (FTO) has exposed a sophisticated cyber fraud network operating through the digital systems of the Federal Board of Revenue (FBR) and Pakistan Revenue Automation Limited (PRAL). The group was found to be manipulating sales tax filings by submitting fake and revised returns based on fraudulent invoices that showed imaginary business transactions.
After uncovering the scheme, the FTO issued strong directives instructing the FBR to immediately act against everyone involved in the wrongdoing. This includes both the individuals who carried out the cyber manipulation and the beneficiaries who unlawfully gained from the fabricated tax claims.
In its findings, the Ombudsman raised alarm over the repeated misuse of taxpayers’ login credentials, calling it a clear sign of weak cybersecurity and poor governance of tax-related IT systems. The report pointed to serious gaps such as ineffective internal controls, inadequate protection of sensitive data, absence of system-based alerts for suspicious activity, and unauthorized edits to taxpayer profiles. These loopholes enabled criminals to inject fake supply records and alter official tax data.
According to the FTO’s order, a taxpayer’s password ID was unlawfully used to submit falsified sales tax returns and amended returns on a regular monthly basis for the period spanning July 2024 to June 2025. Fraudulent entries were added through Annexure C, which later created obstacles for the taxpayer when attempting to file genuine returns. The Ombudsman ruled that these failures amounted to maladministration by the authorities.
To ensure implementation of corrective measures, the FTO directed the FBR to issue instructions to Chief Commissioners of Inland Revenue at Regional Tax Offices in Multan, Peshawar, Quetta, Faisalabad, Lahore, Rawalpindi, Sahiwal, and both RTOs in Karachi, along with CTOs and LTOs in Islamabad and Lahore.
The FTO also ordered the FBR to begin legal proceedings against the beneficiaries already identified and shared with the Board through official correspondence in late 2025. These cases are to be handled under the standard operating procedures laid out in Sales Tax General Order No. 12 of 2023, which provides a framework for dealing with fake and flying invoice cases.
Furthermore, the FBR has been instructed to trace additional beneficiaries deeper within the supply chain and promptly forward such cases to the relevant tax jurisdictions for legal action by the concerned Commissioners.
The Director General of Intelligence and Investigation (I&I) has been tasked with identifying the cybercriminals—whether based within or outside FBR and PRAL—who used specific IP addresses to insert fraudulent supply data into the system. Legal action has been ordered against those responsible under applicable laws.
In a separate directive, the FTO instructed the Chief Executive Officer of PRAL, Islamabad, to remove a specific link embedded in the 181-registration form under the name Muhammad Sohail Ajmal. Alternatively, PRAL has been asked to authorize the Local Registration Office at RTO Bahawalpur to remove the link, as it currently lacks the ability to do so independently.
The case has once again highlighted serious weaknesses in the country’s digital tax infrastructure and underlined the urgent need for stronger cybersecurity measures, better oversight, and strict accountability to protect taxpayers and maintain the integrity of the revenue system.