A bank can be liable for losses from a phishing scam in the Philippines, but liability is not automatic just because money was stolen from an account. The practical question is usually this: did the bank use adequate security controls, act with the high degree of diligence required of banks, and respond quickly enough after the customer reported the fraud? This article explains when a bank may have to refund or restitute the loss, what Philippine laws now say about phishing and social engineering, what evidence matters, and what steps a victim should take immediately.
Can a bank be liable for phishing losses?
Yes. A Philippine bank may be held liable when the facts show that the loss was caused or worsened by the bank’s own failure, such as:
- weak or inadequate authentication controls;
- failure to detect obviously suspicious transfers;
- allowing a new device, new payee, or high-value transfer without sufficient verification;
- failure to provide effective fraud reporting channels;
- delay in freezing, holding, or tracing funds after notice;
- failure to coordinate with the receiving bank or e-wallet;
- failure to exercise the highest degree of diligence expected from banks.
At the same time, the bank is not automatically liable in every phishing incident. Banks usually defend these cases by arguing that the customer voluntarily disclosed the password, OTP, PIN, or other credentials to the scammer. That does not end the inquiry, but it makes the evidence more important.
In real disputes, the issue is rarely just “Was the customer tricked?” The better question is: even if the customer was tricked, did the bank’s systems and response meet the legal standard required in the Philippines?
What counts as phishing or social engineering under Philippine law?
Phishing is a form of online deception where scammers pretend to be a bank, payment provider, government office, delivery company, employer, or trusted person to get sensitive information. This may include:
- usernames and passwords;
- one-time passwords (OTPs) or one-time PINs delivered by SMS, email, or app;
- card numbers, CVV, and expiry dates;
- mobile banking PINs;
- answers to security questions;
- account numbers and personal information;
- authorization links or QR codes.
Republic Act No. 12010, or the Anti-Financial Account Scamming Act enacted in 2024, specifically recognizes social engineering schemes. Under the law, these involve obtaining sensitive identifying information through deception or fraud, including by pretending to represent an institution or using electronic communication to gain access to a financial account. (Lawphil)
This matters because phishing is no longer treated only as a generic cybercrime. Philippine law now directly addresses scams involving financial accounts, money mule accounts, and the temporary holding of disputed funds.
Legal basis: why banks have a high duty of care
Banks must exercise the highest degree of diligence
Philippine jurisprudence has long treated banking as a business affected with public interest. Because people entrust banks with their money, the Supreme Court has repeatedly required banks to treat accounts with meticulous care.
In Banco de Oro Universal Bank, Inc. v. Seastres, the Supreme Court held BDO liable for unauthorized withdrawals after finding that the bank failed to observe extraordinary diligence. The case was not a typical phishing case, but it is important because it confirms the strict standard applied to banks when customer funds are lost through unauthorized transactions. (Supreme Court of the Philippines)
This doctrine is highly relevant to phishing disputes. Even when a scammer is the direct wrongdoer, the bank may still be examined for its own acts or omissions: Did it properly verify the transaction? Did it follow its own security procedures? Did it ignore red flags? Did it allow account takeover or unusual transfers despite available fraud-detection tools?
Civil Code liability for negligence and breach of obligation
The Civil Code provides the general basis for claiming damages when a party breaches an obligation through fraud, negligence, delay, or violation of the terms of the obligation. Article 1170 makes those who act with fraud, negligence, delay, or contravention of obligations liable for damages, while Article 1173 defines negligence as the omission of the diligence required by the nature of the obligation and the circumstances. (Lawphil)
A bank-customer relationship is contractual. The depositor entrusts money to the bank, and the bank undertakes to keep and return it under the terms of the account. If the bank’s negligence allowed unauthorized transfers or worsened the loss, liability may arise from breach of contract, negligence, or both.
The Civil Code also recognizes quasi-delict under Article 2176, which applies when a person causes damage to another through fault or negligence where there is no pre-existing contractual relation. Article 2180 may also make employers liable for acts or omissions of employees in proper cases. (Lawphil)
Financial Products and Services Consumer Protection Act
Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, protects financial consumers and gives regulators such as the Bangko Sentral ng Pilipinas (BSP) authority over consumer complaints involving financial products and services. The law recognizes consumer rights including fair treatment, protection of consumer assets against fraud and misuse, data privacy and data protection, and timely handling and redress of complaints.
This law is important because it requires banks and other financial service providers to maintain a consumer assistance mechanism and provide clear, timely responses. For disputed or unauthorized transactions, the law also requires financial service providers to give reasonable accommodations while the investigation is pending, such as suspending related interest, fees, or charges where applicable.
The law also provides that waiver clauses taking away key consumer rights are unlawful and unenforceable. A bank cannot simply rely on fine print that completely removes a customer’s legal rights to complain, seek redress, or protect consumer data.
Anti-Financial Account Scamming Act
Republic Act No. 12010 is especially relevant to phishing, account takeover, and money mule scams. It requires covered institutions to protect access to clients’ financial accounts using adequate risk management systems and controls, such as:
- multi-factor authentication;
- fraud management systems;
- proper enrollment and verification processes;
- other controls appropriate to the risk.
If the BSP finds the institution compliant, the institution may have no liability under the Anti-Financial Account Scamming Act. But if the institution fails to use adequate systems and controls or fails to exercise the highest degree of diligence, it may be liable for restitution. The law also says that a criminal conviction is not required before restitution may be ordered. (Lawphil)
This is a major development. Victims often worry that they must first catch and convict the scammer before they can recover anything. Under this law, the bank’s civil responsibility may be examined separately from the criminal case against the scammer.
Cybercrime Prevention Act
Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, may apply to the scammer’s conduct. Depending on the facts, phishing may involve illegal access, computer-related fraud, identity theft, misuse of devices, or other cybercrime offenses. (Supreme Court E-Library)
For criminal investigation, the National Bureau of Investigation and the Philippine National Police are responsible for cybercrime enforcement, and cybercrime cases are handled by designated courts. (Supreme Court E-Library)
How bank liability is usually analyzed
In practice, the strength of a claim against the bank depends on the evidence. The following questions usually matter.
1. Was the transaction truly unauthorized?
An unauthorized transaction is generally one made without the account owner’s actual or legally attributable knowledge and consent. BSP Circular No. 1195 defines unauthorized electronic fund transfers in this way for account-to-account electronic fund transfers.
Useful evidence includes:
- the customer’s statement that they did not initiate the transfer;
- transaction reference numbers;
- login and device history;
- SMS or email alerts;
- IP address or location logs, if available;
- proof that the customer was asleep, abroad, offline, or otherwise unable to perform the transaction;
- evidence that a new device, SIM, email address, or payee was added shortly before the transfer.
2. Did the customer disclose credentials?
If the customer typed a password or OTP into a fake website, the bank will likely argue contributory negligence. Under Article 2179 of the Civil Code, a person’s own negligence may affect recovery when it contributes to the damage. (Lawphil)
But sharing an OTP or clicking a fake link does not automatically defeat the claim. The remaining questions are:
- Was the bank’s warning clear and timely?
- Did the scam use spoofed sender IDs (for example, a message that appeared in the same SMS thread as the bank’s genuine alerts) or a fake page nearly identical to the bank’s?
- Did the bank allow unusual transfers that did not match the account history?
- Did the bank require enough verification for new devices or new payees?
- Did the bank send effective alerts before the money left?
- Did the bank act quickly after the customer reported the incident?
3. Did the bank’s systems detect suspicious activity?
Banks are expected to maintain fraud management systems and risk controls. Under the Anti-Financial Account Scamming Act and BSP rules, institutions are expected to have systems for authentication, fraud detection, reporting, tracing, and coordinated verification. (Lawphil)
Red flags may include:
- multiple transfers in quick succession;
- transfers to newly created or suspicious accounts;
- sudden transactions far above the customer’s usual pattern;
- device change followed by immediate transfer;
- password reset followed by fund movement;
- transaction from an unusual location;
- fund movement to known mule accounts;
- repeated failed login attempts before a successful transfer.
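The red flags above are individually weak but become strong when several fire around the same transfer. The following script is an added illustration of how such signals can be combined; it is not the article’s own material and not any bank’s fraud system. The event stream is constructed for the example, and the thresholds (30-minute window, 5× the median amount, three transfers in ten minutes, and so on) are assumptions chosen for clarity, not values taken from BSP rules.

```python
"""Rule-based red-flag scoring over an account event stream (added example).

Every event is a dict with an ISO-8601 timestamp and a type. The sample below
is constructed to show a typical account-takeover sequence: failed logins, a new
device, a password reset, a new payee, then rapid large transfers.
"""
from datetime import datetime, timedelta
from statistics import median

# Thresholds are assumptions for this illustration, not BSP-mandated values.
RECENT = timedelta(minutes=30)        # device/reset/failed logins "just before" a transfer
BURST_WINDOW = timedelta(minutes=10)  # "multiple transfers in quick succession"
BURST_COUNT = 3
PAYEE_WINDOW = timedelta(hours=24)    # "transfer to a payee added shortly before"
BASELINE_AGE = timedelta(hours=24)    # only older transfers count as the usual pattern
AMOUNT_MULTIPLE = 5                   # "far above the usual pattern" = more than 5x the median
FAILED_LOGINS = 3

# Constructed sample data (three normal transfers, then an account takeover).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "transfer", "amount": 2000, "payee": "P1", "device": "D1"},
    {"ts": "2025-03-10T09:00:00", "type": "transfer", "amount": 3500, "payee": "P2", "device": "D1"},
    {"ts": "2025-03-20T09:00:00", "type": "transfer", "amount": 2500, "payee": "P1", "device": "D1"},
    {"ts": "2025-04-02T01:10:00", "type": "login_failed", "device": "D9"},
    {"ts": "2025-04-02T01:11:00", "type": "login_failed", "device": "D9"},
    {"ts": "2025-04-02T01:12:00", "type": "login_failed", "device": "D9"},
    {"ts": "2025-04-02T01:13:00", "type": "login_ok", "device": "D9"},
    {"ts": "2025-04-02T01:14:00", "type": "device_enrolled", "device": "D9"},
    {"ts": "2025-04-02T01:15:00", "type": "password_reset", "device": "D9"},
    {"ts": "2025-04-02T01:16:00", "type": "payee_added", "payee": "P7", "device": "D9"},
    {"ts": "2025-04-02T01:17:00", "type": "transfer", "amount": 45000, "payee": "P7", "device": "D9"},
    {"ts": "2025-04-02T01:18:00", "type": "transfer", "amount": 45000, "payee": "P7", "device": "D9"},
    {"ts": "2025-04-02T01:19:00", "type": "transfer", "amount": 9000, "payee": "P7", "device": "D9"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def score_transfers(events):
    """Return [(ts, score, reasons)] for every transfer, in chronological order.

    score is the number of red flags that fired; reasons names each one.
    """
    events = sorted(events, key=_ts)
    results = []
    for i, e in enumerate(events):
        if e["type"] != "transfer":
            continue
        t = _ts(e)
        earlier = events[:i]
        recent = [p for p in earlier if t - _ts(p) <= RECENT]
        reasons = []
        if any(p["type"] == "device_enrolled" and p["device"] == e["device"] for p in recent):
            reasons.append("new_device")          # device change followed by immediate transfer
        if any(p["type"] == "password_reset" for p in recent):
            reasons.append("password_reset")      # password reset followed by fund movement
        if sum(p["type"] == "login_failed" for p in recent) >= FAILED_LOGINS:
            reasons.append("failed_logins")       # repeated failures before a successful transfer
        if any(p["type"] == "payee_added" and p["payee"] == e["payee"]
               and t - _ts(p) <= PAYEE_WINDOW for p in earlier):
            reasons.append("new_payee")           # transfer to a newly added account
        # Baseline excludes the last 24 hours so a fraud burst cannot inflate its own "normal".
        baseline = [p["amount"] for p in earlier
                    if p["type"] == "transfer" and t - _ts(p) > BASELINE_AGE]
        if len(baseline) >= 3 and e["amount"] > AMOUNT_MULTIPLE * median(baseline):
            reasons.append("amount_outlier")      # far above the customer's usual pattern
        burst = 1 + sum(p["type"] == "transfer" and t - _ts(p) <= BURST_WINDOW for p in earlier)
        if burst >= BURST_COUNT:
            reasons.append("burst")               # multiple transfers in quick succession
        results.append((e["ts"], len(reasons), reasons))
    return results


def transfers_to_hold(events, min_flags=2):
    """Timestamps of transfers that fired at least min_flags red flags."""
    return [ts for ts, score, _ in score_transfers(events) if score >= min_flags]


if __name__ == "__main__":
    for ts, score, reasons in score_transfers(SAMPLE_EVENTS):
        print(ts, score, ", ".join(reasons) or "-")
```

Run as written, the three March transfers score zero and the three April transfers each score five: the first two trip the amount rule, the third trips the burst rule instead. A real fraud management system would weight the signals and act on them in line (holding the transfer or demanding step-up verification before it settles), but the point of the illustration is that the sequence described in the list above is mechanically detectable from the bank’s own logs, which is exactly the question a dispute turns on.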
4. Did the bank respond fast enough after notice?
This is often the most important practical issue. Even if the scammer successfully transferred money out, the bank’s response after receiving notice may determine whether funds can still be held.
BSP Circular No. 1215, implementing the Anti-Financial Account Scamming Act, requires procedures for temporary holding and coordinated verification of disputed funds. A bank may temporarily hold disputed funds for up to 30 calendar days, including initial and extended holding periods, unless a court extends the hold.
The circular also provides that a temporary hold may be initiated through a complaint by the source account owner via the bank’s 24/7 fraud reporting channel, a finding by the bank’s fraud management system, or a holding request from another institution.
If the bank fails to temporarily hold funds when required and this failure causes loss or damage, the law may make the institution liable, including for restitution to the account owner. (Lawphil)
What to do immediately after a phishing transfer
Speed matters. In many phishing cases, money moves through several accounts within minutes. The goal is to create a record, trigger the bank’s fraud process, and preserve the possibility of holding funds.
1. Call or message the bank’s official fraud channel immediately
Use only official channels from the bank’s website, mobile app, card, or verified branch number. Do not call numbers from suspicious SMS, email, or social media posts.
Tell the bank clearly:
- “I am reporting an unauthorized transaction.”
- “My account was accessed through phishing/social engineering.”
- “Please block online access and freeze further transfers.”
- “Please initiate temporary holding of disputed funds under the Anti-Financial Account Scamming Act and BSP Circular No. 1215.”
- “Please give me a reference number and written confirmation.”
Write down:
- exact time and date of the call;
- name or ID of the representative, if given;
- complaint or ticket number;
- instructions given by the bank.
2. Secure your accounts
Do these as soon as possible, from a device you trust. If the phone or computer used during the scam may itself be compromised, use a different device or go to a branch:
- Change your online banking password.
- Change your email password.
- Log out all devices, if the app allows it.
- Remove unknown devices.
- Disable biometrics if you suspect device compromise.
- Lower transfer limits.
- Temporarily lock cards.
- Check linked e-wallets and payment apps.
- Inform your telco if you suspect SIM swap or unauthorized SIM activity.
- Update the bank with your correct mobile number and email.
BSP Circular No. 1215 also places responsibility on account owners to protect sensitive information, use secure devices, report disputed transactions immediately, cooperate in investigations, activate alerts and multi-factor authentication where available, update contact information, and monitor account statements and notifications.
3. Preserve evidence before anything disappears
Take screenshots and save files showing:
- the phishing SMS, email, chat, ad, or website;
- the sender name, phone number, email address, URL, or QR code;
- full email headers (the raw message source or an exported .eml file), if available, because a screenshot shows only the display name and not the actual sending domain or mail path;
- bank app notifications;
- transaction receipts;
- reference numbers;
- account balance before and after the fraud;
- timestamps;
- call logs with the bank;
- chat transcripts with bank support;
- your written complaint and the bank’s replies.
Do not delete the suspicious message. Do not edit screenshots. Save both image files and PDFs when possible, and where the app allows it, export or forward the original message as well, since a screenshot loses the sender metadata that shows spoofing.
4. Submit a written complaint to the bank
A phone report is important, but a written complaint is usually stronger. Send it through the bank’s official complaint channel or branch.
Include:
- your full name and contact information;
- account number or masked account details;
- date and time of the phishing incident;
- date and time of each unauthorized transaction;
- amount lost;
- transaction reference numbers;
- receiving account or e-wallet details, if visible;
- summary of how the scam happened;
- what you reported to the bank and when;
- request for investigation, temporary holding, tracing, and restitution;
- all attachments.
Under BSP Circular No. 1215, supporting documents for extended temporary holding may include a sworn complaint, affidavit, police report, or other supporting documents explaining the circumstances and reasons for the disputed transaction.
5. Report to law enforcement
For criminal investigation, victims commonly report to:
- PNP Anti-Cybercrime Group;
- NBI Cybercrime Division;
- local police station, especially for an initial police blotter or report.
The police or NBI report can help support the bank complaint and may be useful if the bank needs additional documents to justify an extended hold. It also creates an official record that the incident was reported as a cybercrime.
6. Escalate to BSP if the bank does not resolve it
If the bank’s response is delayed, incomplete, or unsatisfactory, the complaint may be elevated to the BSP.
Under BSP Circular No. 1169, a consumer complaint filed with BSP should show that the consumer first used the bank’s own Financial Consumer Protection Assistance Mechanism. If the consumer has not done so, BSP may direct the consumer to raise it first with the bank.
Complaints may be filed through BSP’s consumer channels, including the BSP Online Buddy or BOB, email, postal or courier submission, or personal filing through BSP offices. (Bureau of the Treasury)
Documents and evidence to prepare
| Document or evidence | Why it matters |
|---|---|
| Valid government ID or passport | Confirms identity of the account owner |
| Bank statements or screenshots | Shows the unauthorized debit and remaining balance |
| Transaction reference numbers | Helps the bank trace the fund flow |
| Phishing SMS, email, URL, or chat screenshots | Shows the method of deception |
| Call logs and bank complaint reference numbers | Proves when the bank was notified |
| Written complaint to the bank | Starts a clear paper trail |
| Sworn affidavit or sworn complaint | Useful for extended holding and later proceedings |
| Police, PNP, or NBI report | Supports the fraud claim and criminal investigation |
| Bank replies and investigation result | Shows whether the bank acted properly |
| Proof of damages | Supports recovery of actual losses, fees, interest, or other consequences |
| Special power of attorney, if represented | Needed when an OFW, foreigner, company officer, or family member acts through a representative |
| Apostilled or consularized documents, if signed abroad | Helps Philippine institutions accept documents executed outside the Philippines |
Temporary holding of disputed funds
The Anti-Financial Account Scamming Act allows institutions to temporarily hold funds that are subject of a disputed transaction, including transactions facilitated through social engineering schemes. The general maximum is 30 calendar days unless extended by court order. (Lawphil)
BSP Circular No. 1215 gives more detailed rules:
| Stage | Practical meaning |
|---|---|
| Initial report | The victim reports through the bank’s 24/7 fraud reporting channel |
| Initial hold | The originating or receiving institution may hold disputed funds for up to 5 calendar days |
| Supporting documents | The victim may submit a sworn complaint, affidavit, police report, or other supporting documents |
| Extended hold | The initial hold may be extended by up to 25 more days, for a total of 30 calendar days |
| Court extension | A hold beyond 30 days generally requires court action |
| Coordinated verification | Banks and other institutions in the transaction chain share information and verify the disputed transfer |
| Release or return | Funds may be released to the proper beneficial owner depending on the verification result |
The bank that first receives the complaint is expected to verify key details such as the transaction reference number, source account, amount, mode of transfer, date and time, receiving institution, and beneficiary account information if known.
The originating institution must also update the source account owner on whether funds were held and what next steps are available.
BSP complaint, mediation, and adjudication
BSP rules provide a structured process for financial consumer complaints.
| Step | Typical timeline or rule |
|---|---|
| Complaint to bank | File first with the bank’s consumer assistance channel |
| Escalation to BSP | If unresolved or unsatisfactory, file with BSP consumer channels |
| Bank answer through BSP process | The bank generally answers directly to the complainant within 15 days from BSP’s directive |
| Consumer reply | The complainant may reply within 30 days from receiving the bank’s answer |
| Bank rejoinder | The bank may file a rejoinder within 10 days |
| Mediation | Voluntary and confidential; usually completed within 30 days from initial conference |
| BSP adjudication | Available for purely civil financial consumer claims for payment or reimbursement not exceeding ₱10 million, subject to BSP rules |
| Decision timeline | BSP adjudication decision is generally issued within 60 days from submission for resolution, extendable for good cause |
These procedures are under BSP Circular No. 1169, which implements the consumer redress powers under the Financial Products and Services Consumer Protection Act.
For claims above ₱10 million, BSP adjudication may not be available unless the excess is waived. Otherwise, the matter may need to be pursued in court or another proper forum.
Common phishing scenarios and how liability may be viewed
“I clicked a fake bank link and entered my OTP”
This is one of the hardest but most common scenarios. The bank may argue that the OTP proves customer authorization. The customer may respond that the OTP was obtained through deception and that the bank still failed to detect an abnormal transaction.
Important facts include:
- Was it a new device?
- Was it a new payee?
- Was the transfer unusually large?
- Were there multiple transfers?
- Did the bank send alerts before or only after the transfer?
- Did the bank warn that it would never ask for OTPs through links?
- Did the bank act quickly after the report?
“I never received an OTP or alert”
This may be stronger for the customer. If money left the account without an OTP, without a push notification, or without any meaningful alert, the bank may need to explain how the transfer passed authentication.
Useful evidence includes telco records (including any record of a SIM replacement or number change, since a SIM swap can divert SMS OTPs to the scammer), screenshots of notification settings, bank app history, and proof that your contact details were correct before the incident.
“The scammer changed my mobile number or email first”
This may suggest account takeover. The bank’s controls for changing registered mobile numbers, email addresses, devices, or passwords become important. A change in contact details followed by transfers should usually be treated as a serious fraud red flag.
“The receiving account was in another bank or e-wallet”
The originating bank usually remains the customer’s main point of contact, but receiving banks and e-wallet providers may also have duties in tracing, holding, and coordinated verification.
BSP Circular No. 1215 requires participating institutions in the disputed transaction chain to cooperate in coordinated verification, whether or not funds remain with them.
“The bank said bank secrecy prevents disclosure”
Bank secrecy is often misunderstood. Under the Anti-Financial Account Scamming Act and BSP rules, bank secrecy, foreign currency deposit secrecy, and data privacy restrictions do not prevent coordinated verification of disputed transactions, although the information must still be handled securely and only for the proper purpose. (Lawphil)
This does not mean the bank will freely give the victim all personal information about the receiving account holder. But it does mean institutions cannot simply refuse to coordinate verification by invoking secrecy laws.
“The victim is an OFW or foreigner”
OFWs and foreigners can still report and pursue claims involving Philippine bank accounts. Practical issues usually involve documents and identity verification.
Common requirements include:
- passport or government ID;
- Philippine account details;
- Philippine mobile number or registered email;
- written complaint with transaction details;
- authorization letter or special power of attorney if someone in the Philippines will act for the victim;
- notarized, consularized, or apostilled documents if signed abroad, depending on the country and the institution’s requirements.
A foreigner with a Philippine bank account should also keep records of visa status, address, registered local mobile number, and email changes, because banks may request additional identity verification during fraud investigations.
“The account belongs to a corporation or business”
For business accounts, banks and BSP proceedings usually require proof that the person complaining has authority to act for the company. BSP rules on adjudication require juridical entities to act through authorized representatives, with appropriate board or secretary documents where applicable.
Typical documents include:
- secretary’s certificate;
- board resolution;
- authorized signatory documents;
- corporate ID or government ID of the representative;
- business registration documents;
- internal incident report;
- accounting records showing the loss.
What losses may be recoverable?
Depending on the forum and facts, a victim may seek:
- the amount actually lost;
- reversal or restitution of the unauthorized transfer;
- interest, where allowed;
- reimbursement of related bank charges;
- attorney’s fees and costs in proper cases;
- moral or other damages in court, if the legal requirements are met.
Civil Code provisions allow legal interest and, in appropriate cases, attorney’s fees, moral damages, and damages arising from bad faith or breach of obligation. (Lawphil)
However, BSP adjudication is narrower than a full civil court case. Under BSP Circular No. 1169, adjudication covers purely civil financial consumer complaints where the relief is payment or reimbursement not exceeding ₱10 million, exclusive of legal interest, attorney’s fees, and costs. Claims for broader damages may require court action.
Practical mistakes that weaken a phishing claim
Avoid these common mistakes:
- waiting days before reporting the unauthorized transfer;
- reporting only by phone and not following up in writing;
- deleting the phishing message;
- failing to save transaction reference numbers;
- using unofficial bank hotlines found in suspicious messages;
- giving incomplete timelines;
- refusing to cooperate with the bank’s investigation;
- ignoring requests for affidavit, police report, or supporting documents;
- posting sensitive account details publicly on social media;
- accepting a vague denial without asking for the bank’s written basis.
A strong complaint is specific. It does not just say, “My money was stolen.” It states exactly when the fraud happened, when the bank was notified, what the bank did or failed to do, and why the transaction should be treated as unauthorized or improperly handled.
Frequently Asked Questions
Can a bank refuse to refund me because I clicked a phishing link?
The bank may argue that clicking the link or entering credentials was your fault, but that does not automatically end the matter. The bank’s own systems and response must still be examined. If the bank lacked adequate controls, ignored red flags, delayed action, or failed to exercise the highest degree of diligence, liability may still arise.
Is giving an OTP always considered negligence?
Giving an OTP to a scammer is a serious fact that can weaken a claim. But it is not always the whole story. The scam may have involved spoofed messages, account takeover, device compromise, or transactions so unusual that the bank’s fraud systems should have intervened. The result depends on the evidence.
What if I did not receive any OTP or alert?
That may support an argument that the transaction was unauthorized and that the bank’s authentication or notification system failed. Save screenshots, telco records if available, notification settings, and bank statements. Ask the bank in writing how the transaction was authenticated.
How fast should I report the phishing scam?
Report it immediately, ideally within minutes. The first few hours are critical because banks and e-wallets may still be able to hold funds. BSP rules allow temporary holding of disputed funds, but the chance of recovery decreases once money moves through multiple accounts.
Can BSP order the bank to reimburse me?
BSP has consumer redress, mediation, and adjudication powers under the Financial Products and Services Consumer Protection Act and BSP Circular No. 1169. For qualifying purely civil financial consumer complaints, BSP adjudication may cover claims for payment or reimbursement not exceeding ₱10 million.
Should I file with the bank, BSP, PNP, or NBI?
Usually, file with the bank first and immediately because the bank can freeze access, trace transactions, and initiate temporary holding. File with PNP or NBI for criminal investigation. Escalate to BSP if the bank does not resolve the complaint or gives an unsatisfactory response.
Can the receiving bank or e-wallet be responsible too?
Possibly. The receiving institution may have duties relating to suspicious accounts, money mule activity, and coordinated verification. Under BSP rules, institutions in the disputed transaction chain must participate in verification even if the funds are no longer with them.
Does bank secrecy stop the tracing of stolen funds?
No, not during coordinated verification under the Anti-Financial Account Scamming Act and BSP Circular No. 1215. Bank secrecy, foreign currency deposit secrecy, and data privacy rules do not prevent the required verification process, although information must still be handled securely.
How long do I have to file a complaint?
Under the Financial Products and Services Consumer Protection Act, actions under the law generally prescribe after five years from the transaction or discovery of the violation, and in any event not later than ten years from the violation.
What if the bank says its investigation is final?
Ask for the written findings, the factual basis, the authentication logs or explanation available to you, and the reason for denial. If the answer remains unsatisfactory, you may elevate the complaint to BSP after using the bank’s consumer assistance mechanism.
Key Takeaways
- A bank can be liable for phishing losses in the Philippines, but liability depends on the facts and evidence.
- The strongest claims usually involve weak bank security, suspicious transactions, account takeover, lack of alerts, or delayed action after notice.
- Philippine banks are required to exercise a very high degree of diligence because banking is affected with public interest.
- Republic Act No. 12010 directly addresses social engineering schemes, disputed transactions, temporary holding of funds, and restitution.
- Report the fraud immediately through the bank’s official 24/7 fraud channel and get a reference number.
- Submit a written complaint with screenshots, transaction details, affidavit or sworn complaint, and police or NBI/PNP report where available.
- BSP may handle unresolved financial consumer complaints after the bank’s complaint process is used.
- Clicking a phishing link or entering an OTP may weaken a claim, but it does not automatically remove the bank’s possible liability.
- Bank secrecy and data privacy rules do not prevent coordinated verification of disputed scam transactions under current law.
- The most important practical proof is a clear timeline showing what happened, when the bank was notified, and how the bank responded.