Credit Card Fraud and Unauthorized Online Purchases: Legal Steps and Evidence Preservation

Credit card fraud and unauthorized online purchases create two problems at once: loss of money and loss of control over personal data. In the Philippine setting, the victim is often pushed between the bank, the merchant, the card network, law enforcement, and digital platforms. The most effective response is not only to block the card, but to preserve evidence early, document every step, and understand which legal remedies belong to civil, regulatory, and criminal processes.

This article explains the Philippine legal context, the practical steps a victim should take, the evidence that matters, the role of banks and law enforcement, and the risks that can weaken a claim.

1. What counts as credit card fraud or an unauthorized online purchase

At the simplest level, an unauthorized online purchase is a transaction charged to a credit card without the valid consent of the cardholder. That can include:

  • card details stolen and used online
  • compromised one-time passwords or app approvals
  • account takeover in mobile banking or an e-wallet linked to a credit card
  • phishing, smishing, vishing, or fake customer support scams
  • card-not-present fraud in e-commerce
  • recurring charges set up without authority
  • subscription traps where consent was unclear or manipulated
  • fraud by family members, employees, or persons with physical access to the card
  • misuse after loss, theft, data breach, or merchant compromise

Not every disputed charge is legally “fraud” in the strict criminal sense. Some disputes involve merchant error, duplicate billing, failure to cancel, non-delivery, deceptive checkout design, or misunderstanding over recurring billing. That matters because the legal route and evidence needed may differ.

2. Why the first 24 hours matter

The first day is usually decisive. In fraud cases, institutions look at timestamps, notice, user behavior, device logs, and whether the cardholder acted promptly after discovering the transaction. Delay can complicate reimbursement, weaken factual credibility, and allow more evidence to disappear.

In practice, the victim should think in three tracks at the same time:

  1. Containment: stop further losses
  2. Documentation: preserve evidence before it changes or disappears
  3. Escalation: notify the bank, platform, merchant, and authorities in a way that creates a paper trail

3. Immediate steps a cardholder in the Philippines should take

A. Freeze or block the card immediately

Use the bank app, hotline, website, or branch. Ask for:

  • temporary card lock if available
  • permanent block if fraud is confirmed or highly likely
  • replacement card with a new number
  • blocking of supplementary cards if necessary
  • deactivation of tokenized cards linked to mobile wallets where appropriate

Write down the exact time of the block request, the channel used, and the reference number.

B. Report the disputed transaction to the issuing bank

This is the most important first formal step. Tell the bank clearly that:

  • the transaction was unauthorized
  • you did not consent
  • you want the transaction disputed and investigated
  • you request charge reversal, provisional credit if applicable, and replacement of the card
  • you want all related alerts, login attempts, device associations, and transaction metadata preserved

Use more than one channel if possible: hotline plus email or secure in-app message. Oral reports are useful, but written reports are stronger.

C. Change credentials linked to the card or account

Change:

  • online banking password
  • email password
  • e-wallet password
  • device PINs and biometrics settings if compromise is suspected
  • recovery email and phone settings
  • SIM PIN if mobile takeover is suspected

If the fraud involved phishing or a fake login page, assume broader compromise.

D. Preserve the transaction evidence before screens change

Take screenshots immediately of:

  • SMS alerts
  • app notifications
  • email receipts
  • bank transaction entries
  • merchant pages
  • subscription dashboards
  • chat messages with merchant or platform support
  • delivery records, if any
  • login alerts and device notices

Do not crop too tightly. The full screen with date, time, URL, sender, and account identifiers is more useful than a partial screenshot.

E. Check for additional suspicious activity

Review:

  • pending charges
  • tokenized cards in Apple Pay, Google Wallet, or similar services
  • e-wallet linkages
  • stored cards in shopping platforms
  • recurring subscriptions
  • email inbox rules or forwarding rules
  • recent password resets
  • telecom service anomalies, especially loss of signal suggesting SIM swap

F. File a police or cybercrime report when appropriate

This is especially important where:

  • the amount is substantial
  • there was phishing, hacking, identity theft, or account takeover
  • the merchant is fictitious or overseas
  • the bank requires a blotter or affidavit
  • the fraud appears systematic
  • there is risk of further impersonation

In the Philippines, the cybercrime component may justify reporting to law enforcement units handling cyber-related offenses.

4. The main Philippine legal framework

A Philippine fraud case can touch multiple legal sources at once. The most relevant usually include contract law, banking regulation, consumer protection, data privacy, and criminal law.

A. The cardholder agreement and bank terms

The first governing document is usually the cardholder agreement. It defines:

  • how to report unauthorized use
  • time limits for disputes
  • temporary or permanent liability allocations
  • duties to protect PINs, passwords, OTPs, and the physical card
  • treatment of supplementary cards
  • treatment of card-not-present transactions
  • arbitration, venue, and billing error procedures

These terms matter, but they do not operate in a vacuum. Bank practices remain subject to Philippine law and regulation.

B. Bangko Sentral ng Pilipinas regulation

Banks and electronic money issuers in the Philippines operate under BSP supervision. In fraud disputes, BSP rules and consumer protection principles can be relevant to:

  • complaint handling
  • disclosure duties
  • security controls
  • fraud monitoring
  • investigation of disputed electronic transactions
  • fair treatment of financial consumers

The practical effect is that a victim may pursue the complaint internally with the bank first, then escalate through the bank’s complaint channels and, if unresolved, through appropriate BSP consumer assistance mechanisms.

C. Data Privacy Act

Where card details, account credentials, or personal data were compromised, the Data Privacy Act may enter the picture. This matters especially if:

  • a merchant stored card details insecurely
  • a platform suffered a breach
  • personal information was wrongfully disclosed
  • identity documents were misused to open or alter accounts
  • a company failed to protect customer information with reasonable security measures

The data privacy angle is not always the main path for getting money back, but it can be important for accountability and for proving how the compromise occurred.

D. Cybercrime and penal law

Depending on the method used, criminal laws may be implicated by acts such as:

  • illegal access
  • computer-related fraud
  • identity theft-related conduct
  • phishing schemes
  • online deception
  • falsification-related conduct
  • use of stolen access credentials
  • unlawful acquisition or misuse of card information

In some cases, the Revised Penal Code provisions on estafa may also become relevant, especially where deceit and unlawful taking of value are involved.

E. E-commerce and consumer protection principles

If the charge was tied to misleading online sales conduct, fake merchants, non-delivery, deceptive subscriptions, or manipulated consent, consumer protection concepts also matter. The dispute may be part fraud, part unfair commercial conduct.

5. The legal theories that usually arise

A victim’s case can rest on one or more of these theories:

A. Unauthorized transaction

The cardholder never consented to the purchase. The core question becomes whether the bank or merchant can show a valid authorization process.

B. Negligent security or weak controls

If the institution failed to maintain reasonable safeguards, the case may involve a claim that the loss was facilitated by inadequate authentication, monitoring, or incident response.

C. Billing error or processing error

Some cases are not true fraud but are still legally disputable because the charge was duplicated, incorrectly posted, continued after cancellation, or processed under mistaken merchant coding.

D. Deceptive or manipulated consent

A purchase may appear technically authorized but was induced through phishing, spoofing, fake customer care, malicious checkout design, or hidden recurring terms.

E. Data misuse or privacy breach

Where exposed personal data enabled the fraud, liability and reporting obligations can extend beyond the mere transaction.

6. What banks usually investigate

When a cardholder disputes an online charge, the bank typically examines:

  • transaction date and time
  • merchant category and country
  • whether the transaction was card-present or card-not-present
  • whether 3D Secure or similar authentication was used
  • whether OTP or app approval was sent and entered
  • device fingerprinting or login history
  • IP-related or geolocation-related indicators
  • prior fraud alerts
  • cardholder notification timing
  • history of similar purchases with the same merchant
  • whether the physical card was in the cardholder’s possession
  • whether credentials may have been voluntarily disclosed

The bank will often look for “gross negligence” or security lapses by the customer. The victim’s documentation should therefore focus not only on the fraudulent charge, but on proving prompt notice, lack of consent, and reasonable care.

7. The most important evidence to preserve

Evidence preservation is not just a technical step. It is often the difference between a reimbursed dispute and a denied claim.

A. Core transaction records

Preserve:

  • statement entries
  • pending transaction screenshots
  • transaction reference numbers
  • merchant name as displayed
  • date, time, amount, currency
  • foreign exchange conversion details if any
  • installment or recurring charge indicators
  • replacement card issuance records

B. Bank communications

Keep:

  • hotline recordings if available
  • email confirmations
  • case numbers
  • complaint reference numbers
  • chat transcripts
  • in-app secure messages
  • letters sent to the bank
  • notices of provisional credit or denial

After a phone call, send an email summarizing the conversation. That converts an oral event into a timestamped written record.

C. Device and account evidence

Preserve:

  • screenshots of login alerts
  • device management pages showing linked devices
  • email security activity
  • password reset notices
  • telecom notices about SIM replacement or signal loss
  • antivirus or security alerts
  • browser history related to phishing pages, if relevant

D. Merchant and platform evidence

If the fraud involved an e-commerce site or app, preserve:

  • product listing
  • checkout pages
  • order number
  • delivery address used
  • invoices
  • merchant messages
  • store profile and contact information
  • proof that the merchant is fake, unreachable, or refuses cancellation

If the transaction involves a known platform, preserve the user account details and whether the card was stored there.

E. Proof of non-participation

This is often overlooked. A victim should preserve evidence showing they did not make the purchase, such as:

  • proof they were elsewhere at the time
  • proof that the card was in their possession
  • absence of matching device or browser history
  • travel or work records inconsistent with the transaction
  • testimony from persons who were with them
  • proof the shipping address was unfamiliar

F. Evidence of phishing or social engineering

Keep:

  • scam texts
  • emails with headers if possible
  • phone numbers used by scammers
  • recorded calls if lawfully obtained
  • URLs of fake sites
  • screenshots of spoofed bank pages
  • social media profiles used in the scam
  • delivery information and rider contacts if goods were shipped

G. Affidavits

A sworn statement can be helpful, especially where institutions ask for a formal declaration that:

  • the transaction was unauthorized
  • the card was not voluntarily shared
  • OTP or approval was not knowingly given for the charge
  • the cardholder discovered and reported the issue promptly
  • any phishing or hacking circumstances are described in detail

8. Best practices for preserving digital evidence

The goal is authenticity, completeness, and traceability.

A. Preserve the original form whenever possible

Do not rely only on pasted text. Keep original files, screenshots, and exported records.

B. Keep metadata where you can

Dates, times, sender information, full URLs, and filenames matter. A clean screenshot with status bar, full message thread, and visible timestamps is stronger than a cropped image.

C. Create an incident timeline

Make a single document listing:

  • when you first noticed the charge
  • when alerts arrived
  • when you called the bank
  • what the bank told you
  • when you blocked the card
  • when you contacted the merchant
  • when you changed passwords
  • when you filed a report

A clear chronology makes complex facts easier to evaluate.

D. Save evidence in multiple secure places

Use an encrypted folder or at least a secure cloud backup and a local copy.

E. Do not alter content unnecessarily

Do not edit screenshots, except possibly to redact a copy before sharing it outside the dispute. Keep the originals untouched.
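One way to make points A, D and E checkable later is a hash manifest of the evidence folder. This is an added example, not part of the original article; the use of SHA-256, the folder layout, and the sample file names and contents are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large call recordings do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(folder):
    """Record relative name, size, modification time and SHA-256 of every file."""
    entries = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            info = os.stat(path)
            entries.append({
                "file": os.path.relpath(path, folder).replace(os.sep, "/"),
                "size": info.st_size,
                "modified_utc": datetime.fromtimestamp(
                    info.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    entries.sort(key=lambda entry: entry["file"])
    return {"created_utc": datetime.now(timezone.utc).isoformat(),
            "entries": entries}


def verify_copy(manifest, folder):
    """Compare a folder (original or backup) against a stored manifest."""
    recorded = {e["file"]: e["sha256"] for e in manifest["entries"]}
    current = {e["file"]: e["sha256"]
               for e in build_manifest(folder)["entries"]}
    return {
        "missing": sorted(set(recorded) - set(current)),
        "altered": sorted(name for name in recorded
                          if name in current and recorded[name] != current[name]),
        "extra": sorted(set(current) - set(recorded)),
    }


def demo():
    """Constructed walk-through: manifest, clean backup, then a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        originals = os.path.join(tmp, "originals")
        backup = os.path.join(tmp, "backup")
        os.makedirs(originals)
        # Constructed stand-ins for real screenshots and exported messages.
        samples = {
            "sms_alert.png": b"full-screen screenshot bytes",
            "bank_email.eml": b"From: bank\r\n\r\nreference number",
            "timeline.txt": b"9:14 p.m. discovered charge\n",
        }
        for name, data in samples.items():
            with open(os.path.join(originals, name), "wb") as handle:
                handle.write(data)

        manifest = build_manifest(originals)  # store this outside the folder
        shutil.copytree(originals, backup)
        clean = verify_copy(manifest, backup)

        # Simulate a cropped screenshot and a deleted message in the backup.
        with open(os.path.join(backup, "sms_alert.png"), "wb") as handle:
            handle.write(b"cropped screenshot bytes")
        os.remove(os.path.join(backup, "bank_email.eml"))
        damaged = verify_copy(manifest, backup)
        return manifest, clean, damaged


if __name__ == "__main__":
    manifest, clean, damaged = demo()
    print(json.dumps(manifest, indent=2))
    print("clean backup:", clean)
    print("damaged backup:", damaged)
```

Keep the manifest separately from the evidence folder, for example attached to the same-day email to the bank, so its own timestamp is independently recorded.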

F. Preserve headers and technical details if available

Email headers, message source data, or app logs can matter in tracing spoofing or account takeover.
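To show what a saved message source can reveal, the following added example (not part of the original article) reads the headers of an exported email and lists the points worth recording in the incident timeline. The message, domains and addresses are constructed samples using reserved example ranges, and the checks chosen are an assumption about what is useful to note, not proof of fraud on their own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of an exported scam email (headers only matter here).
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.victim-mail.example (mx.victim-mail.example [203.0.113.10])
    by inbox.victim-mail.example; Wed, 22 Apr 2026 20:58:11 +0800
Received: from unknown (host.example.net [198.51.100.23])
    by mx.victim-mail.example; Wed, 22 Apr 2026 20:58:09 +0800
Authentication-Results: mx.victim-mail.example;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none; dmarc=fail header.from=bank.example.com
From: "Your Bank Security" <alerts@bank.example.com>
Reply-To: support@bank-helpdesk.example.org
Subject: Urgent: verify your card
Date: Wed, 22 Apr 2026 20:58:05 +0800
Message-ID: <constructed-001@host.example.net>

Body omitted.
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _name, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def auth_results(msg):
    """Collect the receiving server's SPF, DKIM and DMARC verdicts."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:  # first part is the server name
            match = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
            if match:
                verdicts.setdefault(match.group(1), match.group(2).lower())
    return verdicts


def received_hops(msg):
    """Return the relay path oldest-first (Received headers are newest-first)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # undo header line folding
        route, _sep, stamp = flat.rpartition(";")
        sender = re.search(r"\bfrom\s+(\S+)", route)
        receiver = re.search(r"\bby\s+(\S+)", route)
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", route)
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "ip": ip.group(1) if ip else "?",
            "time": stamp.strip(),
        })
    return hops


def summarize(eml_text):
    """Summarise header facts to copy into the dispute file."""
    msg = message_from_string(eml_text)
    from_domain = domain_of(msg["From"])
    notes = []
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        notes.append(f"Reply-To domain {reply_domain} differs from From domain")
    return_domain = domain_of(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        # Common for legitimate bulk mail too; record it, do not over-read it.
        notes.append(f"Return-Path domain {return_domain} differs from From domain")
    verdicts = auth_results(msg)
    for check in ("spf", "dkim", "dmarc"):
        if verdicts.get(check) != "pass":
            notes.append(f"{check} result: {verdicts.get(check, 'absent')}")
    return {
        "from_domain": from_domain,
        "message_id": msg["Message-ID"],
        "auth": verdicts,
        "hops": received_hops(msg),
        "notes": notes,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_EML)
    for hop in report["hops"]:
        print(hop)
    for note in report["notes"]:
        print("note:", note)
```

Run it on the exported original (for example a `.eml` file), not on a forwarded copy, because forwarding replaces the headers with those of the forwarding account.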

G. Avoid deleting suspected scam messages

Even if disturbing, they may contain identifiers useful to investigators.

9. What to say in the written dispute to the bank

A strong written dispute should include:

  • your full name and account/card details in safe partial form
  • disputed transaction details
  • clear statement that the transaction was unauthorized
  • date and time you discovered it
  • date and time you reported it
  • statement that the card was in your possession, if true
  • statement that you did not receive or did not knowingly authorize any OTP/app approval, if true
  • description of phishing, hacking, or suspicious events, if applicable
  • request for investigation and reversal
  • request to preserve all logs and records related to the transaction
  • attached evidence list

A weak complaint says: “This is not mine.” A strong complaint says: “I discovered on 22 April 2026 at 9:14 p.m. a card-not-present transaction for ₱18,450 posted by [merchant]. I did not authorize it, my card remained in my possession, and I reported it through your hotline at 9:19 p.m. under reference no. ____. Please investigate, reverse the charge, replace the card, and preserve all related authentication, login, device, and transaction records.”

10. Chargebacks and card network disputes

Although consumers often speak in terms of “refunds,” many card fraud cases are processed through a dispute or chargeback framework. The card issuer may seek reversal through the card network and merchant acquirer based on reasons such as:

  • fraud
  • no authorization
  • card-not-present misuse
  • cancelled recurring transaction
  • merchant processing error
  • non-receipt of goods or services, depending on the facts

From the cardholder’s perspective, the main practical points are:

  • report early
  • provide complete evidence
  • respond quickly to requests for forms or affidavits
  • watch deadlines closely
  • distinguish between pending and posted transactions

The merchant may submit evidence of authentication, prior customer relationship, matching device signals, or prior recurring consent. That is why precision matters from the start.

11. Time limits and delay risks

Many disputes fail because of delay, not because the victim is wrong. Practical deadlines can arise from:

  • cardholder agreement notice periods
  • statement review periods
  • bank internal complaint windows
  • platform complaint deadlines
  • network chargeback timing rules
  • prescription periods for legal actions

Even without citing exact numbers, the safest rule is immediate notice. A victim should not wait for the next monthly statement if an alert already shows the unauthorized charge.

12. When police, NBI, or cybercrime reporting becomes important

Formal reporting is especially useful when:

  • there is identity theft
  • there are multiple victims
  • credentials were stolen through hacking or phishing
  • there is a fake online store
  • goods were shipped to identifiable recipients
  • telecom fraud or SIM swap may be involved
  • the bank disputes the victim’s version and asks for independent reporting

The value of a report is not only criminal prosecution. It also helps document seriousness, preserve evidence, and support the narrative that the victim acted diligently.

13. The role of affidavits and sworn statements

In Philippine practice, institutions often ask for a notarized affidavit or sworn dispute form. This may include:

  • denial of authorization
  • description of how the fraud was discovered
  • confirmation that the physical card was or was not lost
  • confirmation regarding OTP/PIN disclosure
  • statement on prior relationship with the merchant
  • statement on any phishing event

A carefully written affidavit should be accurate and restrained. Overstatement can hurt credibility. If you do not know how the fraud happened, say so plainly. Do not guess.

14. What if the bank says the transaction was authenticated

This is common. Banks may point to OTP use, 3D Secure, app approval, known device matching, or successful credential entry. But authentication does not automatically end the issue.

A victim may still argue:

  • the authentication was induced by phishing or spoofing
  • the OTP was intercepted or the device was compromised
  • the app approval was triggered by account takeover
  • the transaction description in the approval prompt was misleading or incomplete
  • the merchant or bank authentication trail is insufficient
  • there were red flags the bank should have detected
  • the customer acted under deception rather than true informed consent

The central legal question is not only whether a code was entered, but whether there was genuine, informed, and valid authorization attributable to the cardholder.

15. Gross negligence: the recurring danger in fraud claims

Banks often invoke customer negligence. The severity matters.

Ordinary carelessness is one thing. Gross negligence is another. In real disputes, the outcome can turn on whether the customer:

  • willingly gave OTPs to an impostor
  • shared passwords, CVV, PINs, or full card details recklessly
  • ignored repeated fraud warnings
  • delayed reporting after clear notice
  • stored credentials insecurely in obvious ways

But even where a customer made a mistake, that does not automatically eliminate every remedy. The facts must still be weighed carefully, especially where the fraud involved sophisticated deception or weak institutional safeguards.

16. Merchant-side disputes versus bank-side disputes

The cardholder may have to proceed on two tracks:

A. Against the bank or issuer

This focuses on unauthorized billing, fraud handling, reimbursement, and account security.

B. Against the merchant or platform

This focuses on:

  • cancellation
  • fraudulent storefront activity
  • non-delivery
  • deceptive subscriptions
  • false representations
  • use of stored card details without proper consent

The merchant may be easier to reach in obvious service failures, while the bank is the primary party for true unauthorized card use.

17. Special issues in recurring charges and subscriptions

Some of the hardest disputes involve subscriptions because the charge looks “authorized” in the merchant system.

Common patterns include:

  • free trial turning into paid plan without clear disclosure
  • hard-to-cancel subscription paths
  • recurring charge after cancellation
  • subscription created by account takeover
  • in-app purchase linked to stored card credentials
  • family or household member using a device account without permission

Evidence here should focus on:

  • cancellation attempts
  • screenshots of subscription settings
  • email confirmations
  • dates of termination requests
  • absence of use after cancellation
  • mismatch between disclosed and charged terms

18. Fraud involving delivery of physical goods

Where goods were delivered, useful evidence includes:

  • delivery address
  • recipient name
  • courier logs
  • CCTV from the delivery site if available
  • proof the address is unknown to the cardholder
  • platform chat history
  • seller profile and product listing
  • pickup records

This can turn a purely digital dispute into an identifiable fraud trail.

19. Fraud involving foreign merchants or cross-border platforms

Cross-border transactions add complications:

  • foreign currency conversion
  • harder merchant contact
  • different platform complaint systems
  • delayed posting
  • higher difficulty in criminal tracing

Still, the cardholder’s main rights and duties remain centered on prompt reporting and documentation with the issuing bank in the Philippines.

20. Relationship between criminal complaint and reimbursement

Victims sometimes assume that getting reimbursed requires a criminal case, or that filing a criminal case guarantees reimbursement. Neither is automatically true.

  • Reimbursement/dispute resolution can proceed through the bank and card dispute system.
  • Criminal liability concerns punishment of the offender.
  • Regulatory complaint concerns compliance and consumer treatment.
  • Civil action concerns recovery of damages or contractual relief.

These tracks may overlap, but they are distinct.

21. Possible remedies available to the victim

Depending on the facts, a victim may seek:

  • reversal of unauthorized charges
  • waiver of finance charges or penalties related to the disputed amount
  • cancellation of recurring billing
  • replacement card and account hardening
  • correction of account records
  • written fraud investigation results
  • damages in appropriate civil proceedings
  • regulatory assistance or complaint handling relief
  • criminal investigation and prosecution of offenders

In some cases, the victim may also seek relief relating to misuse of personal data.

22. When finance charges, late fees, and collection calls become part of the problem

A common secondary injury is that the disputed amount continues to accrue interest or triggers delinquency measures. The victim should expressly request:

  • suspension or reversal of finance charges related to the disputed transaction
  • hold on collection activity for the disputed amount while investigation is ongoing
  • correction of adverse internal records if the charge is reversed
  • clarification on minimum payment expectations excluding the disputed amount, where applicable

This should be requested in writing.

23. Escalation path when the bank response is unsatisfactory

A disciplined escalation path usually looks like this:

  1. initial fraud report through hotline/app
  2. formal written dispute with attachments
  3. follow-up with fraud/disputes department
  4. complaint to higher bank escalation or consumer assistance channel
  5. resort to regulatory or adjudicative avenues where justified
  6. separate criminal complaint if fraud facts warrant it

Every escalation should attach the full chronology and all reference numbers. Repetition without organization weakens the case; structured escalation strengthens it.

24. Data privacy issues after the fraud

A victim should think beyond the charge itself. If personal information was exposed, additional harm may follow:

  • identity theft
  • unauthorized loan applications
  • account recovery takeovers
  • fake Know-Your-Customer updates
  • misuse of IDs or selfies
  • future phishing targeted with personal details

Practical next steps may include:

  • monitoring credit and account activity
  • changing linked credentials
  • replacing compromised IDs only where necessary
  • notifying affected institutions
  • documenting suspected source of the data leak

25. Employer-issued cards, corporate cards, and supplementary cards

Liability can become more complex where the card is:

  • company-issued
  • used by multiple authorized persons
  • attached to a family account
  • used by a supplementary holder
  • stored on a shared device

The investigation may center on scope of authority, access controls, and internal policies. The same evidence principles apply, but the victim should also preserve authorization rules, user assignments, and internal communications.

26. Common mistakes that weaken a fraud case

The most common damaging mistakes are:

  • waiting too long to report
  • deleting scam messages or emails
  • failing to document the first notice to the bank
  • giving inconsistent versions of events
  • admitting authorization by careless wording when the real issue is deception
  • focusing only on screenshots of the charge and not on the surrounding context
  • not preserving device/account security alerts
  • not reading the merchant terms in recurring billing disputes
  • not keeping proof of cancellation attempts
  • using social media posts as a substitute for formal complaint channels

27. How to write the facts clearly

In fraud disputes, precision beats emotion. The best style is chronological and factual:

  • what happened
  • when you discovered it
  • what you did immediately
  • what the bank and merchant said
  • what evidence you have
  • what relief you request

Avoid speculation such as “the bank must have leaked my data” unless you have a basis. State facts first, inference second.

28. Practical document set a victim should prepare

A complete case file should ideally contain:

  1. summary incident timeline
  2. written dispute letter to bank
  3. screenshots of transactions and alerts
  4. bank acknowledgment and reference numbers
  5. merchant/platform correspondence
  6. screenshots of suspicious messages or spoofed pages
  7. password change and account security records
  8. affidavit or sworn statement
  9. police or cybercrime report, if filed
  10. copies of statements showing disputed charge and any finance charges
  11. proof of cancellation, if subscription-related
  12. proof of card possession or non-participation, if available

29. Standard of proof and realistic expectations

In criminal proceedings, the burden is high. In banking disputes and administrative complaints, the inquiry is more practical and document-driven. The victim does not always need to identify the thief personally to obtain relief. Often, the key issues are:

  • was the transaction unauthorized
  • did the cardholder act promptly
  • is there evidence of compromise or deception
  • was the institution’s response reasonable
  • who should bear the loss under the circumstances

That is why good documentation can matter more than dramatic proof.

30. A note on consent, deception, and phishing

Some victims hesitate to report because they clicked a link or gave a code during a scam call. Legally and factually, that does not always end the matter. Fraudsters exploit trust, urgency, and imitation of legitimate institutions. The correct analysis is not simplistic blame, but whether the apparent authorization was truly informed, voluntary, and attributable in a legally meaningful way.

Still, the closer the facts move toward voluntary disclosure of sensitive credentials, the more important it becomes to present the full deception context accurately and immediately.

31. Preventive measures that also help future legal claims

Prevention is not only about safety. It also helps later proof. Good practices include:

  • enabling real-time alerts
  • using card lock controls when not in use
  • maintaining separate cards for subscriptions and major spending
  • avoiding storage of card details on too many platforms
  • reviewing statements frequently
  • using unique passwords and two-factor security on email and banking
  • keeping telco account security strong to reduce SIM-swap risk
  • documenting cancellations in writing

A person who can show disciplined security practices often presents a stronger credibility profile in a dispute.

32. When legal counsel becomes more important

Lawyer involvement becomes especially useful when:

  • the amount is large
  • the bank refuses reversal despite substantial evidence
  • there are repeated unauthorized charges
  • identity theft is spreading across accounts
  • there is a complex phishing or account-takeover scheme
  • a civil claim for damages is being considered
  • a formal criminal complaint is to be prepared
  • multiple institutions are involved

33. Bottom line in the Philippine context

In the Philippines, credit card fraud and unauthorized online purchase cases are rarely solved by one single action. The strongest response combines immediate notice to the issuing bank, careful preservation of digital evidence, formal written complaint, strategic escalation, and where needed, cybercrime or police reporting.

The victim’s practical legal position improves dramatically when they can prove five things:

  1. the charge was not validly authorized
  2. they discovered it and acted quickly
  3. they preserved evidence before it disappeared
  4. they communicated clearly and consistently
  5. they pursued the proper bank, platform, regulatory, and criminal channels in an organized way

Fraud cases are often won or lost in the first records created after discovery. In that sense, evidence preservation is not a side issue. It is the legal foundation of the case.

34. Sample incident checklist

For a Philippine cardholder who discovers an unauthorized online purchase, the safest sequence is:

  • block the card immediately
  • record the exact time of discovery
  • call the bank and obtain a reference number
  • send a written dispute the same day
  • take full screenshots of all alerts and charges
  • change credentials tied to the account, email, and device
  • check for additional pending or recurring transactions
  • contact the merchant or platform if identifiable
  • prepare an incident timeline
  • execute an affidavit if requested
  • file a cybercrime or police report when warranted
  • monitor statements for reversals, finance charges, and new fraud attempts

That disciplined sequence is often more important than any single legal label attached to the event.

35. Final legal principle

The core legal principle is simple: unauthorized charges must be challenged quickly, and facts must be preserved before systems overwrite them. In modern online fraud, the law and the evidence are inseparable. A cardholder who responds fast, keeps complete records, and frames the case properly stands in the best position to obtain reversal, accountability, and protection from further harm.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.