State Comptroller Matanyahu Englman says weaknesses in the Israel Tax Authority’s identification system allow attackers to bypass the site’s protections, steal the identities of legitimate businesses, issue invoices in their names, and obtain approval numbers for invoices issued unlawfully, without real-time alerts being triggered. In most cases, he found, the authority only acted afterward, after complaints that impostors had accessed its systems and been granted invoice approval numbers.
The report comes after Globes first exposed in February a new method used by criminal organizations to evade “Invoice Israel,” the state’s anti-fake-invoice program. The scheme involves breaking into the personal GOV.IL accounts of company officers and using those identities to enter corporate accounting systems and insert fake invoices worth tens of millions of shekels into legitimate business activity. Englman warned that despite the Tax Authority’s heavy investment in cybersecurity and risk management, attempts to breach its identification system are increasing, and he urged the authority to step up proactive efforts to prevent theft of legitimate businesses’ identities.
“Invoice Israel” went into effect in May 2024 after a short pilot. It requires a real-time approval number for invoices; without it, a business cannot reclaim VAT or recognize the invoice as a tax-deductible expense. Between January and December 2025, 15 million invoices were issued through the system worth 763 billion shekels, while approximately 42 billion shekels in suspected fraudulent transactions were blocked and exposed. About 62,000 invoices, or 5.5% of the total, were rejected, and roughly 1,000 suspicious invoices from about 150 businesses are blocked each week, prompting dozens of investigations.
The report says the Tax Authority still does not do enough against businesses that deduct fake invoices after warnings appear in the system, even though that could reduce damage to the state and lead to administrative and criminal enforcement. It also says fraud suspects continue to hide activity by creating new companies or shifting share ownership in existing ones, often reporting the changes only after the fake invoices have already been issued. In response, the Tax Authority said it sends alerts on unusual activity whenever possible, has recently added real-time prevention and warning tools, runs public anti-phishing campaigns, and will automatically close identification access if identity theft is suspected until the real taxpayer re-registers in person.
