goods and service tax

Copy Page

Published on 7 August 2025

Protecting Your Business from ₹1.80 Crore GST Fraud: Key Strategies

Greater Noida GST Portal Fraud: How a ₹1.80 Cr Liability Hit R.S. Infra—and What It Teaches Other Businesses

In a troubling case out of Greater Noida, a small exporter, R.S. Infra, is now facing a ₹1.80 crore GST liability—after discovering that its former accountant allegedly used leftover portal access to commit identity-based tax fraud. The case highlights a growing vulnerability many MSMEs face: poor GST portal security and unchecked credential sharing.

What Happened: A Step-by-Step Look at the Fraud

The Setup R.S. Infra, a Noida-based export firm, had been working with a trusted accountant—Abhinav Tyagi—who handled its GST filings and financial paperwork. Tyagi was granted full access to the firm’s GST portal credentials and digital signatures.

The Breach In late 2024, Tyagi left the company. But his credentials were never revoked. Over the next few months (December 2024 to March 2025), he allegedly logged in remotely and:

  • Filed fraudulent invoices worth ₹10 crore using shell firms.
  • Created dozens of bogus e-way bills to support the paper trail.
  • Used the proprietor’s PAN and Aadhaar details for identity-linked fraud on the portal.

The Discovery The company only uncovered the fraud during a mid-2025 internal audit. By then, the GST portal showed a significant mismatch between real activity and filings—leaving R.S. Infra saddled with unexplained tax dues and statutory liabilities.

The Fallout When confronted, Tyagi allegedly issued threats before disappearing. A formal FIR was filed soon after, covering sections related to cybercrime, identity misuse, criminal intimidation, and forgery. The firm now faces not only an ₹1.80 crore tax burden but also the uphill task of defending itself legally.

Why It Worked: Common Lapses That Enable GST Portal Fraud

This wasn’t a sophisticated hack—it was enabled by everyday mistakes many small businesses make. Key gaps included:

  • Shared or Persistent Logins: The accountant retained access to the firm’s GST credentials long after exit. There was no role-based user control or expiry.

  • Lack of Multi-Factor Authentication: Many businesses still use outdated login methods, without Aadhaar/OTP safeguards that restrict access to authorised users.

  • Delayed Access Revocation: The company didn’t disable Tyagi’s access or his registered Digital Signature Certificate (DSC) in time.

  • Personal Contact Info Used for Business Login: The accountant’s personal email and phone number were still linked to the GST portal, blocking the company from receiving alerts or login notifications.

  • No Activity Monitoring: In the absence of real-time alerts or audit logs, the fraud went unnoticed for nearly six months.

What’s Changed in 2025: New Security Protocols and Best Practices

The GST Network (GSTN) and Ministry of Finance have taken note. In July 2025, new security directives were issued, and businesses are expected to comply. Here’s what you should do:

  1. Stop Sharing Master Credentials Assign users role-based access through the GST portal. Consider using GSP (GST Suvidha Provider) platforms that offer layered controls and user-level logs.

  2. Enable Multi-Factor Login for All Users As per the new GSTN guidelines, verified mobile, email, OTP, and Aadhaar-based authentication is now mandatory for all logins.

  3. Immediately Revoke Access Post-Exit Delete DSCs and portal access for all employees or consultants who exit. Periodically audit the list of authorised signatories.

  4. Reconcile GST Filings Monthly Match GSTR-1 and GSTR-2B returns, e-invoices, and e-way bills against actual business transactions every month.

  5. Register With Business-Owned Contact Details Ensure GST logins are linked to the business owner’s email and phone—not a third party’s. This helps detect suspicious activity early.

  6. Use GSP Platforms with Security Controls Platforms like Efiletax, ClearTax, and others now offer features like login alerts, real-time invoice validations, and user logs. These are critical safeguards.

  7. Act Swiftly on Any GST Notices Don’t ignore portal notices or assume system errors. Any discrepancy should trigger immediate internal review.

  8. Change Passwords Regularly Update GST login credentials at least every 3–6 months. Check logs for unfamiliar IPs or devices.

Legal Implications: Can You Avoid Liability for Employee-Led GST Fraud?

This is the hard part: under Indian GST law, the firm itself remains liable—even if the fraud was committed by an ex-employee.

  • Primary Liability (CGST Act Sections 122 & 132): If the GST portal was misused, the registered entity is deemed responsible, especially if the credentials were under its control.

  • Third-Party Accountability (Section 122(1A)): Even outsiders (like ex-employees or consultants) who help commit GST fraud can be fined ₹25,000 or the tax evaded—whichever is higher.

  • Criminal Prosecution (Section 132): In cases involving fake invoices or identity theft, imprisonment is possible if fraudulent intent is established.

  • Possible Relief: Courts have, in limited cases, granted relief when the business showed no complicity, robust internal controls and immediate action after discovering the fraud. Evidence of an FIR, timely reporting to GSTN and internal clean-up efforts are key to legal defence.

Key Takeaways for MSMEs and Small Businesses

  1. Disable Access Immediately Post-Exit Always revoke DSC and portal rights of former staff. Don’t delay.

  2. Use Your Own Email and Mobile for Registration Never register GST under your accountant’s contact details.

  3. Implement New Security Features Adopt OTP, Aadhaar login, regular password resets and GSP-based controls.

  4. Check Filings Monthly Monitor GSTR returns and e-way bills closely. The sooner fraud is spotted, the less damage done.

  5. Respond to Any Fraud or Suspicion Immediately File a police complaint. Inform GSTN. Secure digital evidence. Begin clean-up right away.

Final Word

This case is a cautionary tale, not an isolated one. The GST system’s digital convenience comes with the risk of digital negligence. For businesses—especially those without in-house finance teams—the line between trust and risk is thin.

Taking preventive action today is far more cost-effective than fighting a ₹1.80 crore liability later. Think of your GST login the way you think of your bank account: private, protected and tightly monitored.

Share: