Credit Card Fraud in the Philippines: What Case to File and What Evidence Is Needed

When an unauthorized credit card transaction appears on your statement, the first question is usually practical: “What case do I file, and what proof do I need?” In the Philippines, the usual criminal case is access device fraud under Republic Act No. 8484, as amended by Republic Act No. 11449, especially when someone used your credit card number, physical card, online credit card account, OTP, or card details without authority. If the fraud was done online, through phishing, hacked accounts, fake links, malware, or stolen digital credentials, the complaint may also include cybercrime offenses under Republic Act No. 10175 and, in some cases, financial account scamming under Republic Act No. 12010. The practical goal is to move fast: block the card, dispute the charge with the bank, preserve digital evidence, and file a complaint with the proper law enforcement or prosecutor’s office.

What counts as credit card fraud in the Philippines?

Credit card fraud is not limited to a stranger physically swiping your lost card. Philippine law treats a credit card, card number, account number, code, PIN, or similar account-access identifier as an access device if it can be used to obtain money, goods, services, credit, or initiate a transfer of funds. RA 8484 defines “access device” broadly, and RA 11449 expanded the law to address modern schemes involving online accounts, skimming, hacking, payment cards, applications, and online banking. (Lawphil)

In real life, credit card fraud cases commonly involve:

  • Online purchases charged to your card without your consent
  • Fraudulent cash advances
  • Use of a lost or stolen card
  • Use of your card details after phishing or a fake bank call
  • Unauthorized transactions after a SIM swap or compromised OTP
  • Skimming or cloning of a card
  • Unauthorized access to your online credit card account
  • Fraudulent credit card applications using another person’s identity
  • Merchant-related fraud, such as false or duplicated transaction slips

The law focuses on the fraudulent use of the access device and the intent to defraud. That means the case is not simply “I lost money.” The evidence should show that a card, account, credential, or related payment instrument was used or accessed without authority and that the transaction was not yours.

What case should be filed for credit card fraud?

The correct case depends on how the fraud happened. More than one offense may apply in the same incident.

Situation Possible case to file Why it applies
Someone used your credit card or card details without permission Access device fraud under RA 8484, as amended by RA 11449 The law penalizes unauthorized or fraudulent use of credit cards and access devices.
Someone accessed your online credit card account fraudulently Access device fraud under RA 8484/RA 11449 RA 11449 specifically covers fraudulent access to a credit card account, with or without monetary loss. (Supreme Court E-Library)
Fraud happened through phishing, hacked email, malware, fake payment link, or stolen login credentials Computer-related fraud and/or computer-related identity theft under RA 10175 RA 10175 penalizes computer-related fraud and identity theft involving unauthorized use of identifying information. (Supreme Court E-Library)
Scammer obtained your card or account details through deception, fake calls, SMS, email, or chat Financial account scamming under RA 12010 RA 12010 covers social engineering schemes involving sensitive identifying information and unauthorized access to financial accounts, including credit card accounts. (Lawphil)
Bank, employee, merchant, or third party mishandled cardholder data Possible data privacy complaint and related criminal/civil liability Cardholder data is confidential, and disclosure may trigger obligations under banking, credit card, and data privacy rules. (Supreme Court E-Library)
You mainly want reversal of the charge, not criminal prosecution Bank dispute/chargeback and BSP consumer complaint This is separate from the criminal case and is usually the fastest route to stop collection of the disputed charge. (Bangko Sentral ng Pilipinas)

For most victims, the practical answer is: file a dispute with the credit card issuer immediately, then file a criminal complaint for access device fraud if the amount is significant, the bank requires a police/NBI report, the transaction pattern shows a scammer, or the bank refuses to treat it as unauthorized.

Legal basis: RA 8484 and RA 11449

RA 8484, the Access Devices Regulation Act of 1998, is the main Philippine law for credit card fraud. It prohibits acts such as using an unauthorized access device, using an access device fraudulently applied for, possessing counterfeit access devices, disclosing card information without authority, altering sales slips, and using access devices issued to another person to receive payment or value. (Lawphil)

RA 11449 strengthened RA 8484 by adding modern fraud methods. It expressly covers skimming, copying, or counterfeiting credit cards, payment cards, or debit cards, possession of software or hardware used for those acts, fraudulent access to online banking or credit card accounts, and hacking-related conduct. (Supreme Court E-Library)

For an ordinary unauthorized credit card use, RA 11449 provides penalties that may include imprisonment and fines, without prejudice to civil liability. For fraudulent use of a credit card, the law provides imprisonment of not less than four years and not more than six years and a fine of twice the value fraudulently obtained. Other access-device offenses may carry heavier penalties, especially where there are multiple access devices, skimming, hacking, or economic sabotage. (Supreme Court E-Library)

A crucial detail: RA 11449 also requires companies engaged in issuing access devices, including banks and financial institutions, and partner merchants to conduct an initial investigation on reported access device fraud and furnish real-time reports to the National Bureau of Investigation (NBI) and the PNP Anti-Cybercrime Group (PNP-ACG). The report should narrate the fraud and identify the perpetrator if feasible, and it can serve as the complaint needed for further investigation and prosecution. (Supreme Court E-Library)

When RA 10175 cybercrime charges may apply

If the fraudulent transaction involved a computer system, online account, app, phishing link, unauthorized login, hacked email, malware, or stolen digital credentials, the complaint may include offenses under the Cybercrime Prevention Act of 2012, or RA 10175.

The most relevant provisions are usually:

  • Computer-related fraud — unauthorized input, alteration, or deletion of computer data or program, or interference in a computer system, causing damage with fraudulent intent.
  • Computer-related identity theft — intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person or entity, without right.
  • Illegal access — access to any part of a computer system without right. (Supreme Court E-Library)

RA 10175 also allows law enforcement, with proper legal process, to deal with digital evidence such as subscriber information, traffic data, logs, and computer data. For example, disclosure of computer data generally requires a court warrant, and evidence obtained without a valid warrant or beyond its authority may be inadmissible. (Supreme Court E-Library)

This is why victims should not rely only on screenshots. Screenshots are useful, but investigators may also need bank logs, IP addresses, merchant records, device fingerprints, OTP records, delivery addresses, CCTV, courier details, or telco records. Many of these are not available to the victim directly and must be obtained through law enforcement, the prosecutor, or court processes.

When RA 12010 may apply to credit card scams

Republic Act No. 12010, the Anti-Financial Account Scamming Act, is important for newer scams. It covers financial accounts, including credit card accounts, e-wallets, deposit accounts, and similar accounts used for financial products or services. It penalizes social engineering schemes where a person obtains sensitive identifying information through deception or fraud, resulting in unauthorized access and control over a financial account. (Lawphil)

This may matter when the fraud started with:

  • A fake bank representative calling you
  • A phishing email or SMS asking you to “verify” your card
  • A fake delivery, customs, or subscription payment link
  • A fake fraud alert asking for your OTP
  • A scammer posing as a bank employee through Viber, Messenger, WhatsApp, Telegram, or email

RA 12010 also requires institutions regulated by the Bangko Sentral ng Pilipinas to protect access to clients’ financial accounts through adequate risk management systems and controls such as multi-factor authentication and fraud management systems. (Lawphil)

Criminal complaint vs. bank dispute: know the difference

Victims often confuse two separate tracks:

Track Purpose Where filed Result you want
Bank dispute / chargeback Reverse or suspend the unauthorized transaction Credit card issuer, then BSP if unresolved Temporary credit, reversal, waiver of charges, correction of statement
Criminal complaint Investigate and prosecute the offender NBI Cybercrime Division, PNP-ACG, or prosecutor’s office Identification, indictment, arrest, prosecution, restitution or civil liability
BSP consumer complaint Escalate poor handling by a bank or BSP-supervised institution BSP Consumer Assistance Mechanism Bank response, mediation, adjudication, consumer redress
Civil claim Recover damages or contest liability Court, or as civil action implied in the criminal case Payment of actual damages, moral damages where proper, attorney’s fees where justified

The bank dispute is usually the first urgent step because it can stop the transaction from becoming a collectible balance while the investigation is ongoing. A criminal complaint is stronger when you have enough evidence to identify the transaction, show you did not authorize it, and trace how the fraud occurred.

What to do immediately after discovering the fraud

  1. Call the card issuer immediately and block the card. Ask for a reference number. Record the date, time, hotline used, and name or ID of the agent if given. Under RA 8484, a cardholder who reports a lost access device and fully complies with the issuer’s procedure is absolved from financial liability for fraudulent use from the time the loss or theft is reported. (Lawphil)

  2. Dispute the transaction in writing. Do not rely only on a hotline call. Send the bank’s dispute form or an email stating that the transaction is unauthorized. Attach the statement, transaction alert, screenshots, and proof that you still had the card, were in another place, or did not receive the goods or services.

  3. Ask the bank to preserve records. Request preservation of transaction logs, merchant records, authentication records, OTP logs, IP/device data, delivery information, and internal investigation results. Some records are held for limited periods, and delay can make tracing harder.

  4. Change passwords and secure related accounts. Change passwords for online banking, email, shopping apps, and phone account portals. If you suspect SIM swap or compromised mobile number, report it to your telco.

  5. Prepare an evidence folder. Save files in original form where possible. Do not edit screenshots. Keep emails with full headers if available. Export SMS or chat messages if possible. Keep the physical card, envelope, receipts, and any suspicious delivery labels.

  6. File with NBI Cybercrime Division or PNP-ACG if the fraud is serious or online-based. The NBI provides investigative assistance for victims of computer crimes through its Cybercrime Division, while the DOJ Office of Cybercrime is the central authority created under RA 10175. (National Bureau of Investigation)

  7. Escalate to BSP if the bank mishandles the dispute. BSP instructs consumers to raise the concern first with the financial institution’s Financial Consumer Protection Assistance Mechanism. If unresolved, the complaint may be escalated through BSP consumer assistance channels such as BSP Online Buddy. (Bangko Sentral ng Pilipinas)

Evidence needed for a credit card fraud complaint

A strong complaint is not just a story. It should be organized so an investigator or prosecutor can quickly see the timeline, the unauthorized transaction, the proof of non-consent, and the trail pointing to the perpetrator.

Evidence Why it matters Practical tip
Credit card statement or app screenshot showing the charge Identifies the date, amount, merchant, currency, and transaction reference Highlight the disputed transactions but keep the full statement copy
Bank SMS/email transaction alerts Shows when you first learned of the fraud Save the original SMS/email, not just a cropped screenshot
Dispute report and bank reference numbers Proves timely reporting Keep call logs, email acknowledgments, ticket numbers
Copy of the card and proof it remained with you Useful for card-not-present fraud Mask middle digits if sharing copies, but keep full proof for law enforcement if required
Proof of location or impossibility Helps show you could not have made the purchase Examples: passport stamps, boarding pass, time records, CCTV, GPS/location history, receipts
Phishing emails, fake links, SMS, or chat messages Shows method of deception Preserve sender number, email headers, URLs, and timestamps
OTP messages or telco records Important in account takeover or SIM swap cases Note if OTP was received, not received, or shared due to deception
Merchant details Helps trace goods, delivery address, account used, IP/device data Ask the bank if it can request merchant documents through the card network
Police blotter, NBI/PNP complaint receipt, or affidavit Often requested by banks for chargeback or fraud investigation A blotter is not the same as a criminal complaint, but it helps document the report
Affidavit of complaint Required for prosecutor-level filing State facts in chronological order and attach exhibits

For electronic evidence, Philippine courts follow the Rules on Electronic Evidence. The Supreme Court has stated that an electronic document must comply with admissibility rules and be authenticated in the required manner. (Lawphil)

How to write the complaint-affidavit

A complaint-affidavit is the sworn statement used to start a criminal complaint before law enforcement or the prosecutor. It should be factual, chronological, and supported by attachments.

Include:

  1. Your identity and contact details Name, address, email, mobile number, and government ID details.

  2. Credit card details needed to identify the account Bank name, last four digits of the card, type of card, and whether the physical card was lost, stolen, or remained with you. Avoid casually spreading the full card number.

  3. Timeline of events State when you discovered the transaction, when you called the bank, when the card was blocked, when you filed the dispute, and what the bank said.

  4. List of unauthorized transactions For each transaction, state date, time, amount, merchant, reference number, and currency.

  5. Statement of non-consent Clearly say you did not authorize, benefit from, receive, or participate in the transaction.

  6. Fraud method, if known Mention phishing, fake bank call, lost card, compromised email, SIM swap, hacked account, or unknown method.

  7. Evidence attached Label exhibits: “Annex A – Credit card statement,” “Annex B – SMS alert,” “Annex C – Bank dispute acknowledgment,” and so on.

  8. Relief requested Ask for investigation and prosecution for access device fraud under RA 8484 as amended by RA 11449, and other applicable offenses such as RA 10175 or RA 12010 depending on the facts.

The affidavit should be notarized. If executed abroad, a Philippine embassy/consulate acknowledgment or apostille may be needed depending on where it will be used and what the receiving office requires.

Where to file the complaint

Office Best for Notes
Credit card issuer / bank Blocking card, dispute, chargeback, transaction investigation File immediately; ask for written acknowledgment
NBI Cybercrime Division Online fraud, phishing, hacked accounts, digital evidence The NBI’s citizen charter provides investigative assistance for victims of computer crimes. (National Bureau of Investigation)
PNP Anti-Cybercrime Group Cyber-enabled fraud and urgent law enforcement assistance Especially useful where digital tracing, coordination, or police action is needed
City or provincial prosecutor’s office Formal criminal complaint when respondent is known or evidence is ready Prosecutor determines whether to file information in court
BSP Consumer Assistance Mechanism Unresolved complaint against a bank or BSP-supervised institution Use after first raising the matter with the bank’s own consumer assistance mechanism. (Bangko Sentral ng Pilipinas)
National Privacy Commission Mishandling or unauthorized disclosure of personal/cardholder data More relevant when the issue is data breach or negligent handling of personal data

If the suspect is unknown, many victims start with NBI Cybercrime Division or PNP-ACG because investigators may need to request or preserve technical records. If the suspect is known, such as a merchant employee, household member, co-worker, or identifiable recipient of the goods, a complaint may be filed with the prosecutor’s office with supporting affidavits.

Typical timeline and bottlenecks

Timelines vary widely, but in practice:

  • Card blocking should happen immediately after reporting.
  • Bank dispute review may take days to several weeks, depending on the issuer, merchant, card network, and whether documents are complete.
  • BSP escalation usually starts only after the bank has had the chance to resolve the complaint through its own consumer assistance mechanism.
  • NBI/PNP investigation can take weeks or months, especially if records must be obtained from banks, merchants, telcos, platforms, or foreign entities.
  • Preliminary investigation at the prosecutor level depends on docket congestion, completeness of evidence, respondent participation, and whether further investigation is required.

The biggest bottlenecks are usually incomplete bank records, delayed merchant responses, anonymous online accounts, foreign merchants, missing IP/device logs, victims deleting messages, and confusion between a bank chargeback request and a criminal complaint.

Common mistakes that weaken a credit card fraud case

Waiting too long to report

Delay can affect the bank dispute and may cause digital logs to disappear. Report as soon as you discover the transaction, even if you are still gathering documents.

Only calling the bank and not filing anything in writing

A hotline call is useful, but written proof is stronger. Send an email or submit the bank’s dispute form and keep the acknowledgment.

Deleting phishing messages or blocking the scammer too early

Do not delete messages, emails, call logs, URLs, or screenshots. Preserve them first. Blocking may be necessary for safety, but save the evidence before doing so.

Editing screenshots

Do not crop, annotate, or alter your only copy. Keep the original screenshot, then make a separate annotated copy if needed.

Filing the wrong theory of the case

Not every unauthorized transaction is “estafa” under the Revised Penal Code. In many credit card cases, the more specific and practical charge is access device fraud under RA 8484 as amended by RA 11449. If the fraud was online, RA 10175 and RA 12010 may also apply.

Assuming the bank’s reversal ends the criminal case

A bank reversal solves the billing problem, but it does not automatically identify or prosecute the offender. If the fraud is large, repeated, organized, or identity-related, a criminal complaint may still be appropriate.

Ignoring supplementary cards and authorized users

If the transaction was made by a supplementary cardholder or someone you previously allowed to use the card, the case becomes more fact-sensitive. The issue may shift from “unauthorized access device fraud” to whether the use exceeded authority, involved deceit, or created a civil debt.

Special situations for OFWs and foreigners

If you are abroad

You can still dispute the transaction with the Philippine card issuer by email, app, hotline, or secure message. For a sworn complaint-affidavit, Philippine authorities may require notarization at a Philippine embassy or consulate, or an apostilled document if executed in a country that is part of the Apostille Convention and the receiving office accepts it.

If the fraudulent merchant is outside the Philippines

The Philippine bank may still process a dispute or chargeback through the card network, but criminal investigation becomes harder because merchant records, delivery details, and platform data may be abroad. The local complaint should still identify the Philippine account, phone number, IP evidence, delivery address, or person who benefited, if any.

If a foreigner’s Philippine-issued card was used fraudulently

A foreigner can file a dispute with the Philippine issuer and may file a complaint with Philippine authorities if the transaction, account, bank, suspect, merchant, or evidence has a Philippine connection. Bring passport copies, immigration stamps if relevant, local address or hotel details, and proof that you were not in the transaction location.

If the card was issued abroad but fraud happened in the Philippines

Report to the foreign card issuer immediately and ask whether it requires a local police/NBI report. If the suspect, merchant, delivery address, ATM, or transaction point is in the Philippines, local law enforcement may still receive a complaint, but coordination with the foreign issuer is often needed.

Frequently Asked Questions

What case do I file for unauthorized credit card transactions in the Philippines?

The usual case is access device fraud under RA 8484, as amended by RA 11449. If the transaction involved phishing, hacking, stolen login credentials, or online deception, the complaint may also include RA 10175 cybercrime offenses and possibly RA 12010 financial account scamming.

Is a police blotter enough for credit card fraud?

A blotter is useful proof that you reported the incident, but it is not always enough. For investigation and prosecution, you usually need a complaint-affidavit, transaction records, bank dispute documents, screenshots or digital evidence, and supporting affidavits or records.

Should I file with the NBI or PNP Anti-Cybercrime Group?

For online credit card fraud, phishing, hacked accounts, or digital evidence, either the NBI Cybercrime Division or PNP Anti-Cybercrime Group may be appropriate. If the bank or merchant is already investigating, ask for copies or reference details that can help NBI or PNP trace the transaction.

Can I refuse to pay the disputed credit card charge?

You should formally dispute the charge and ask the bank in writing to suspend collection, interest, penalties, and negative credit reporting on the disputed amount while the investigation is pending. Do not simply ignore the statement, because the bank may treat it as delinquency unless the dispute is properly recorded.

What if the bank says the transaction was OTP-authenticated?

An OTP record is important, but it does not automatically prove that you knowingly authorized the transaction. Many scams involve phishing, fake bank calls, SIM swap, malware, or social engineering. Ask the bank for details: when the OTP was sent, to what number, what device or IP was used, what merchant received payment, and whether the transaction matched your normal pattern.

Can the bank be liable for unauthorized credit card transactions?

The bank’s liability depends on the facts, the card contract, BSP regulations, consumer protection rules, and whether the bank acted with proper security, fair treatment, timely handling, and effective recourse. RA 11765 and BSP regulations require financial service providers to maintain consumer assistance mechanisms and protect consumers against fraud and misuse. (Supreme Court E-Library)

What if a family member used my credit card without permission?

It can still be unauthorized if you did not consent, but these cases are fact-sensitive. Investigators will look at prior permission, access to the card, household arrangements, whether the person knew the PIN or OTP, whether you previously allowed similar use, and whether the transaction was genuinely fraudulent or a private debt dispute.

Can I file a case if the bank already reversed the charge?

Yes, if the facts show a crime and you want law enforcement to investigate the offender. The reversal may reduce your financial loss, but it does not erase the fraudulent act. Keep the reversal notice as part of your evidence.

What evidence is strongest in online credit card fraud?

The strongest evidence usually includes the bank statement, transaction reference numbers, bank dispute acknowledgment, SMS/email alerts, phishing messages or URLs, proof you did not authorize the transaction, merchant or delivery details, and law-enforcement-obtained records such as IP logs, device data, subscriber information, and CCTV where available.

How long do I have to dispute a credit card transaction?

Credit card contracts and bank rules commonly impose short dispute periods from statement date, so report immediately. RA 10870 and BSP credit card regulations focus on transparency, fair credit card practices, and regulation of credit card issuers, while BSP consumer channels exist for unresolved complaints against BSP-supervised institutions. (Lawphil)

Key Takeaways

  • The main criminal case for credit card fraud in the Philippines is usually access device fraud under RA 8484, as amended by RA 11449.
  • If the fraud was done online, also consider RA 10175 cybercrime offenses such as computer-related fraud or identity theft.
  • If the scam involved phishing, fake bank calls, fake messages, or social engineering to obtain card details, RA 12010 may also apply.
  • File a bank dispute immediately; this is separate from filing a criminal complaint.
  • Preserve all evidence: statements, alerts, emails, SMS, screenshots, URLs, call logs, dispute forms, and bank reference numbers.
  • For online or digital fraud, the NBI Cybercrime Division or PNP Anti-Cybercrime Group is often the practical starting point.
  • If the bank mishandles the complaint or refuses to act properly, escalate through the BSP Consumer Assistance Mechanism after first reporting to the bank.
  • A strong case depends on a clear timeline, proof of non-consent, transaction records, and preserved digital evidence.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.