Computer-Related Fraud Under RA 10175: Elements, Penalties, and Examples

Computer-related fraud under Republic Act No. 10175 is more specific than an ordinary online scam. It generally involves the unauthorized manipulation of computer data, software, or a computer system to cause loss or other damage with fraudulent intent. This distinction matters because a fake online seller, phishing message, hacked bank account, altered payroll database, and fraudulent e-wallet transaction may fall under different—or overlapping—Philippine criminal laws.

What Is Computer-Related Fraud Under RA 10175?

Section 4(b)(2) of the Cybercrime Prevention Act of 2012 defines computer-related fraud as:

The unauthorized input, alteration, or deletion of computer data or program, or interference in the functioning of a computer system, causing damage thereby with fraudulent intent.

The same provision states that when no damage has yet been caused, the penalty is one degree lower. (Supreme Court E-Library)

A “computer” under the law is not limited to a desktop or laptop. It includes smartphones, mobile phones, computer networks, storage devices, and other devices capable of processing data. “Computer data” includes electronic documents, electronic messages, database entries, software instructions, and information stored locally or online. (Supreme Court E-Library)

The offense therefore focuses on fraud carried out through the manipulation or disruption of data or a computer system—not merely fraud communicated through Facebook, email, text message, or another online platform.

Elements of Computer-Related Fraud

For criminal liability, the prosecution must establish every element beyond reasonable doubt.

1. There Was an Input, Alteration, or Deletion of Data, or Interference With a Computer System

The prohibited act may involve any of the following:

  • Entering unauthorized information into a database;
  • Changing an account number, balance, beneficiary, price, transaction status, or payment instruction;
  • Deleting transaction records or audit logs;
  • Modifying software so that it generates unauthorized credits or payments;
  • Interfering with a system so that it processes a transaction improperly;
  • Manipulating an automated process to obtain money, property, services, or another benefit.

The act does not always require sophisticated “hacking.” An employee with legitimate access may still commit the offense by exceeding the limits of that access—for example, by changing payroll details for personal gain.

2. The Act Was Unauthorized or “Without Right”

The Implementing Rules and Regulations of RA 10175 explain that conduct is “without right” when it is undertaken without authority, beyond the authority given, or without a valid legal justification, defense, excuse, or court order. (Supreme Court E-Library)

This means that lawful access to a computer does not automatically authorize every action performed inside the system.

For example:

  • A payroll officer may be authorized to update employee records but not to substitute their own bank account.
  • A developer may have administrator access for maintenance but not to create fake customer credits.
  • A customer may access their own e-wallet but not exploit a software defect to duplicate funds.
  • A bank employee may view certain records for work but not alter them to conceal unauthorized withdrawals.

3. The Act Caused Damage

There must be a connection between the manipulation or system interference and the resulting damage.

Damage may include:

  • Money taken or diverted;
  • Unauthorized charges or withdrawals;
  • Loss of usable account credits;
  • Corrupted or deleted business records;
  • Costs of restoring systems and data;
  • Business interruption;
  • Loss of access to funds, systems, or services;
  • Payments made because a system displayed false information.

The prosecution should be able to document the loss through account statements, transaction histories, invoices, reconciliation records, system logs, forensic reports, or witness testimony.

Where the prohibited manipulation has already occurred but no loss has yet materialized, Section 4(b)(2) expressly provides for a penalty one degree lower. (Supreme Court E-Library)

4. The Accused Acted With Fraudulent Intent

Fraudulent intent means that the act was performed as part of a dishonest plan—usually to obtain an unlawful benefit, deceive another person, divert property, or cause another party to suffer loss.

Intent is rarely proven through a direct admission. It may be inferred from circumstances such as:

  • Funds being transferred to an account controlled by the accused;
  • Use of fictitious names or accounts;
  • Concealment or deletion of logs;
  • Repeated unauthorized transactions;
  • Changes made immediately before a payout;
  • False explanations about the transaction;
  • Attempts to disable security alerts;
  • Coordination among several accounts or participants.

An accidental encoding error, ordinary software malfunction, or authorized system change generally does not amount to computer-related fraud without proof of fraudulent intent.

Examples of Computer-Related Fraud

Scenario Likely treatment
A payroll employee changes workers’ bank details so salaries are sent to an account controlled by the employee Strong example of computer-related fraud
A hacker changes an online banking beneficiary and causes funds to be transferred May involve computer-related fraud, illegal access, identity theft, and financial account scamming
An employee deletes electronic sales records to conceal collections they kept May constitute computer-related fraud and other property or falsification offenses
A user exploits a payment-app defect to create duplicate credits and cashes them out Possible computer-related fraud if the manipulation was unauthorized and intentional
A website administrator changes customer refund data and routes refunds to personal accounts Computer-related fraud may apply
A person interferes with an automated billing system so charges are credited to another customer Possible computer-related fraud
A fake Facebook seller receives payment and simply disappears without altering any system or data More commonly estafa or another fraud offense, not automatically computer-related fraud
A scammer sends a false bank message and persuades the victim to transfer money voluntarily May fall under estafa, phishing-related offenses, identity theft, or RA 12010, depending on the facts
A person innocently receives money caused by a system error and immediately reports it Fraudulent intent is likely absent
An authorized employee makes an accidental database entry that causes loss Negligence may exist, but computer-related fraud requires fraudulent intent

Computer-Related Fraud Versus Ordinary Online Estafa

One of the most common mistakes is to assume that every internet scam is computer-related fraud under RA 10175.

Estafa under Article 315 of the Revised Penal Code generally involves deceit or abuse of confidence that causes another person to part with money or property. In a typical fake-selling case, the victim sends payment because of false representations, and the seller disappears. The computer or social media platform may only have been used to communicate the deception.

Computer-related fraud, by contrast, normally requires the unauthorized manipulation of data, software, or a computer system itself.

The distinction can be illustrated this way:

  • Deceiving a person through a computer: usually points toward estafa or another traditional offense committed through information and communications technology.
  • Deceiving or causing loss by manipulating a computer system: may constitute computer-related fraud under Section 4(b)(2).

Section 6 of RA 10175 also covers crimes under the Revised Penal Code or special laws when committed through information and communications technology, with the corresponding penalty generally increased by one degree. Whether Section 4(b)(2), Article 315, Section 6, or another law applies depends on the exact conduct alleged and the evidence available. (Supreme Court E-Library)

Penalties for Computer-Related Fraud

Completed Offense With Damage

A person convicted under Section 4(b)(2) may be punished with:

  • Prision mayor, or imprisonment from six years and one day to twelve years;
  • A fine of at least ₱200,000, up to an amount commensurate with the damage incurred;
  • Or both imprisonment and a fine.

The duration of prision mayor is set by Article 27 of the Revised Penal Code. (Supreme Court E-Library)

The court may also order the accused to pay civil liability, including restitution of the amount taken and compensation for proven damage.

Completed Manipulation but No Damage Yet

If the unauthorized manipulation or interference occurred but no damage has yet been caused, Section 4(b)(2) provides for a penalty one degree lower.

For imprisonment, the penalty one degree below prision mayor is generally prision correccional, which runs from six months and one day to six years. The precise sentence and treatment of any fine depend on the charge, evidence, applicable penalty rules, and judgment of the court. (Lawphil)

Attempt or Aiding and Abetting

A person who willfully attempts to commit computer-related fraud, or knowingly aids another person in committing it, may be prosecuted under Section 5 of RA 10175.

The penalty is:

  • Imprisonment one degree lower than the prescribed penalty for the principal offense;
  • A fine of ₱100,000 to ₱500,000;
  • Or both.

In Disini v. Secretary of Justice, the Supreme Court upheld the application of the provisions on attempt and aiding or abetting to computer-related fraud. (Supreme Court E-Library)

Corporate Liability

A corporation or other juridical entity may face substantial fines when the offense is knowingly committed for its benefit by a person in a leading position.

RA 10175 provides for:

  • A fine of at least twice the applicable fine, up to ₱10 million, when a responsible leader knowingly commits the offense for the entity; or
  • A fine of at least twice the applicable fine, up to ₱5 million, when lack of supervision or control made the offense possible.

Corporate liability does not erase the personal criminal liability of the individual who committed the act. (Supreme Court E-Library)

Other Laws That May Apply to the Same Incident

A single cyber-fraud incident may involve several offenses, depending on the conduct of each participant.

Possible additional charges include:

  • Illegal access under Section 4(a)(1) of RA 10175;
  • Data interference under Section 4(a)(3);
  • System interference under Section 4(a)(4);
  • Computer-related forgery under Section 4(b)(1);
  • Computer-related identity theft under Section 4(b)(3);
  • Estafa under Article 315 of the Revised Penal Code;
  • Violations of the Access Devices Regulation Act, RA 8484, as amended by RA 11449;
  • Offenses under the Data Privacy Act of 2012, RA 10173;
  • Money laundering when criminal proceeds are transferred or concealed;
  • Financial account scamming under RA 12010.

The Anti-Financial Account Scamming Act or RA 12010 specifically penalizes money-mule activities and social-engineering schemes involving bank accounts, e-wallets, credit cards, and other financial accounts. Its implementing framework is contained in BSP Circular Nos. 1213, 1214, and 1215, Series of 2025. (Lawphil)

Separate charges are possible when each offense contains legally distinct elements. However, prosecutors and courts must still observe constitutional protections against double jeopardy and duplicative punishment for what is legally the same offense.

What to Do After Discovering Computer-Related Fraud

1. Contact the Bank, E-Wallet, or Payment Provider Immediately

Report the disputed transaction through the institution’s official hotline, app, branch, or fraud-reporting channel.

Ask for:

  • Immediate suspension of compromised access;
  • A temporary hold or trace of the disputed funds;
  • A written complaint or ticket number;
  • Preservation of transaction and access records;
  • Identification of the receiving institution;
  • Written confirmation of the report.

Under RA 12010 and BSP Circular No. 1215, financial institutions have mechanisms for temporarily holding disputed funds and conducting coordinated verification. The statutory holding period may extend up to 30 calendar days, subject to BSP rules and possible court extension. Speed is critical because money may be transferred through several accounts within minutes. (Lawphil)

2. Secure the Compromised Accounts

Change passwords using a clean device, revoke active sessions, enable multi-factor authentication, and notify the institution if your SIM, email, phone, or identity documents may have been compromised.

Do not immediately factory-reset, reformat, or discard the affected phone or computer. Doing so may destroy useful logs, messages, authentication records, malware traces, or other evidence.

3. Preserve the Evidence in Its Original Form

Keep more than screenshots whenever possible.

Preserve:

  • Original emails and message files;
  • Full chat conversations;
  • Website addresses and profile links;
  • Transaction receipts and reference numbers;
  • Bank and e-wallet statements;
  • Text messages, including sender information;
  • Call logs and phone numbers;
  • Device details and IP-address notifications;
  • Password-change and login alerts;
  • Contracts, invoices, or purchase records;
  • Names and identification details supplied by the suspect;
  • Internal audit logs and system reports for business cases.

Screenshots are useful, but editable images may be challenged. Original files, platform records, system logs, metadata, and authenticated business records usually provide stronger proof.

The RA 10175 IRR recognizes forensic images and hash values as tools for demonstrating that digital evidence has not been altered. Investigators should maintain a documented chain of custody showing who collected, copied, examined, transferred, and stored the evidence. (Supreme Court E-Library)

4. Report the Incident to a Cybercrime Unit

RA 10175 identifies the following principal law-enforcement authorities:

  • The Philippine National Police Anti-Cybercrime Group;
  • The National Bureau of Investigation cybercrime units.

The DOJ Office of Cybercrime acts as the central authority for international cooperation, mutual legal assistance, and cybercrime-related extradition matters. The DOJ also maintains an official cybercrime-reporting information page. (Supreme Court E-Library)

Obtain the receiving officer’s name, complaint reference number, and a stamped or emailed acknowledgment.

5. Prepare a Complaint-Affidavit

A complaint-affidavit should present the events chronologically and identify:

  1. The complainant and respondent, if known;
  2. The accounts, devices, applications, or systems involved;
  3. What data was entered, altered, deleted, or manipulated;
  4. Why the act was unauthorized;
  5. When and where each event occurred;
  6. The resulting financial or operational damage;
  7. Facts showing fraudulent intent;
  8. The destination of the funds or benefit;
  9. The attached documentary and digital evidence;
  10. The witnesses who can authenticate the records.

The DOJ’s checklist for filing a complaint for preliminary investigation includes an investigation data form, a sworn complaint-affidavit, witness affidavits, and supporting documents, with the required number of copies depending on the number of respondents. (Department of Justice)

Because computer-related fraud carries penalties far exceeding one year of imprisonment and ₱5,000 in fines, prior barangay conciliation is generally not required under Section 408 of the Local Government Code. (Lawphil)

6. Participate in the Preliminary Investigation

The prosecutor determines whether there is sufficient basis to file an Information in court.

The respondent will ordinarily be given an opportunity to submit a counter-affidavit. The complainant may be permitted or directed to file a reply, after which the prosecutor evaluates the affidavits, digital records, financial documents, forensic findings, and applicable laws.

There is no reliable universal completion time. A straightforward case with identified local accounts may move within several months, while cases involving anonymous profiles, multiple financial institutions, forensic examinations, or foreign service providers may take considerably longer.

Documents Commonly Needed

Document or evidence Why it matters
Government-issued identification Establishes the complainant’s identity
Complaint-affidavit Provides the sworn factual basis of the case
Witness affidavits Supports authentication and important events
Bank or e-wallet statements Shows the amount, time, sender, recipient, and reference number
Institution complaint records Proves prompt reporting and follow-up
Original messages or emails Shows representations, instructions, links, or admissions
Screenshots and screen recordings Visually documents the incident
System, server, or audit logs May show access, alteration, deletion, or interference
Device or forensic report Connects conduct to a phone, computer, account, or user
Proof of ownership or authority Shows who had the right to control the data or system
Damage computation Supports the criminal allegation and civil claim
Corporate authorization Needed when a corporation files through an authorized representative

Filing, certification, notarization, copying, and forensic-examination costs vary. The DOJ publishes an official schedule of fees, but the receiving prosecutor’s office should confirm the current amount and required copies. (Department of Justice)

How Investigators Obtain Account and Platform Records

Victims usually cannot personally compel a bank, telecommunications company, social-media platform, or internet service provider to disclose confidential subscriber data.

Law-enforcement authorities may seek cybercrime warrants for:

  • Preservation of computer data;
  • Disclosure of subscriber information and traffic data;
  • Interception when legally authorized;
  • Search, seizure, and examination of computer data;
  • Forensic examination of devices or storage media.

Under RA 10175, a person or service provider ordered under a valid disclosure warrant may be required to submit relevant data within 72 hours of receiving the order. Service providers must also preserve specified categories of data for statutory periods, which is one reason victims should report promptly. (Supreme Court E-Library)

In EastWest Rural Bank v. PNP Anti-Cybercrime Group, the Supreme Court held that a bank offering digital services may qualify as a service provider under RA 10175. The Court distinguished protected bank-deposit details from basic information needed to identify an account holder, which may be disclosed under a properly issued cybercrime warrant. (Supreme Court E-Library)

Jurisdiction, Venue, and Cross-Border Cases

The Regional Trial Court has jurisdiction over violations of RA 10175.

Philippine jurisdiction may exist when:

  • Any element of the offense occurred in the Philippines;
  • A computer system used in the offense was wholly or partly situated in the Philippines;
  • The victim was in the Philippines when the damage occurred; or
  • The offense was committed by a Filipino national, even outside the Philippines.

A criminal case may generally be filed in the RTC of the city or province where an element occurred, where part of the computer system was located, or where the damage took place. The court where the case is first properly filed acquires jurisdiction to the exclusion of other courts. (Supreme Court E-Library)

Foreign victims may still report a case when Philippine accounts, systems, offenders, or victims are involved. Evidence held abroad may require cooperation through the DOJ Office of Cybercrime, mutual legal assistance procedures, foreign law-enforcement agencies, or direct preservation channels maintained by service providers.

A complaint-affidavit signed abroad may need to be notarized at a Philippine embassy or consulate, or notarized locally and apostilled when executed in a country covered by the Apostille Convention. Documents from non-Apostille countries may require consular authentication. The receiving prosecutor should confirm the form required for that particular filing. (Philippine Embassy New Delhi)

Frequently Asked Questions

Is every online scam computer-related fraud?

No. The offense normally requires unauthorized manipulation of computer data, a program, or a computer system. A scam carried out only through false messages may instead be estafa, financial account scamming, identity theft, or another offense.

Does the offender need to be a hacker?

No. An employee, contractor, customer, system administrator, or other authorized user can commit computer-related fraud by exceeding their authority and manipulating data for a fraudulent purpose.

Can computer-related fraud be filed together with estafa?

Possibly. Separate charges may be justified when each offense has different elements. The prosecutor must examine whether the conduct constitutes genuinely distinct crimes and whether multiple charges would violate protections against double jeopardy.

What if the attempted transaction failed?

The person may still face liability. RA 10175 provides a reduced penalty when no damage has yet been caused, and Section 5 separately penalizes a willful attempt to commit a cybercrime.

Are screenshots enough to file a complaint?

They may be enough to begin reporting, but stronger evidence is usually needed for prosecution. Preserve original messages, account records, transaction histories, profile links, devices, logs, and metadata whenever possible.

Can the police identify an anonymous account?

Investigators may apply for warrants or disclosure orders to obtain subscriber information, traffic data, account-registration details, IP information, and other relevant records. Identification may be harder when false credentials, foreign platforms, VPNs, compromised accounts, or money mules are used.

Can the bank freeze the recipient’s account?

Under RA 12010 and BSP rules, a financial institution may temporarily hold disputed funds and coordinate verification when the legal and regulatory conditions are met. Report the transaction immediately; delay significantly reduces the likelihood that the money remains traceable.

Where is the criminal case filed?

Computer-related fraud cases fall under RTC jurisdiction. Venue may be based on where an element occurred, where part of the computer system was located, or where the damage occurred.

How long do I have to file a complaint?

RA 10175 does not provide a special prescriptive period specifically for computer-related fraud. Prescription under special-law principles can involve technical questions about the applicable period, discovery of the offense, and interruption by the filing of proceedings. Evidence may disappear much earlier than the legal deadline, so prompt reporting is important.

Can a company be held liable for an employee’s cyber fraud?

Yes, in limited circumstances. A juridical entity may face corporate fines when the crime was knowingly committed for its benefit by a person in a leading position, or when inadequate supervision made the offense possible. The individual offender remains personally liable.

Key Takeaways

  • Computer-related fraud requires unauthorized manipulation of data, software, or a computer system, coupled with damage and fraudulent intent.
  • An ordinary online deception is not automatically computer-related fraud; it may instead be estafa or another cyber-enabled offense.
  • The principal penalty is prision mayor, a fine of at least ₱200,000 up to an amount commensurate with the damage, or both.
  • Attempt, aiding and abetting, identity theft, illegal access, estafa, and financial account scamming may create additional liability.
  • Report unauthorized financial transactions immediately so institutions can trace or temporarily hold disputed funds.
  • Preserve original digital evidence and avoid resetting or discarding affected devices.
  • Complaints may be investigated by the PNP Anti-Cybercrime Group or NBI cybercrime units and prosecuted before the Regional Trial Court.
  • Cross-border cases remain possible when Philippine victims, accounts, systems, offenders, or other jurisdictional connections are involved.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.