Seeing a strange credit card charge after clicking a fake bank link, delivery text, online shopping page, or “urgent verification” message is frightening. In the Philippines, unauthorized credit card transactions can be reversed, but reversal is not automatic. The bank or credit card issuer must investigate, and the outcome often depends on how quickly you reported the incident, what evidence you preserved, whether the transaction was truly unauthorized or fraudulent, and whether the bank’s security and consumer-protection controls were properly followed.
This article explains what Philippine law says, how banks should handle credit card phishing complaints, what steps you should take immediately, and how to escalate if the issuer refuses to reverse the charges.
Can Unauthorized Credit Card Charges Be Reversed in the Philippines?
Yes. A credit card charge may be reversed if, after investigation, it is found to be unauthorized, fraudulent, erroneous, or otherwise properly disputable under the bank’s rules, card-network rules, and Philippine financial consumer protection regulations.
In practice, there are three different ideas people often mix together:
| Term | What it usually means |
|---|---|
| Reversal | The bank removes or corrects the disputed charge from your account. |
| Chargeback | The issuer disputes the transaction through the card network and merchant/acquirer process. This is common for online merchant transactions. |
| Provisional credit | A temporary credit while the bank investigates. It can become permanent if your dispute is successful, or be reversed if the bank denies the claim. |
For ordinary cardholders, the important point is this: report the transaction immediately and file a formal dispute in writing. A phone call is useful for blocking the card quickly, but a written complaint creates a clearer record.
Under BSP Circular No. 1003, series of 2018, which implements the Philippine Credit Card Industry Regulation Law, RA 10870, cardholders are given up to 30 calendar days from the statement date to report billing errors or discrepancies. The issuer must act within required periods, investigate, and correct or reverse unauthorized or fraudulent transactions, including related finance charges and fees, if the dispute is found valid.
What Counts as Credit Card Phishing or an Unauthorized Transaction?
Phishing is a scam where someone tricks you into giving sensitive information, such as your credit card number, CVV, online banking password, one-time PIN or OTP, app login, or account recovery details.
Common credit card phishing situations in the Philippines include:
- A fake bank SMS saying your card will be blocked unless you “verify” your account.
- A fake delivery message asking you to pay a small redelivery fee.
- A fake airline, hotel, or online shopping checkout page.
- A scammer pretending to be from the bank’s fraud department.
- A fake Facebook, Viber, WhatsApp, or Telegram message offering a refund, prize, promo, or job payment.
- A malicious link that captures your card details and OTP.
- A scammer convincing you to install an app that allows remote access to your phone.
- Unauthorized card-not-present transactions, where the physical card was never swiped or tapped.
- Repeated small “test” charges followed by a larger charge.
- Foreign currency charges from merchants you do not recognize.
An unauthorized transaction generally means a transaction made without your actual authority or consent. A fraudulent transaction involves deception, false pretenses, or use of your card or account information to obtain money, goods, services, or credit.
The difficult cases are those where the bank says the transaction was “authenticated” because an OTP was used. Under Philippine rules, OTP use is important evidence, but it does not automatically end the discussion. The bank may still need to examine the full circumstances: whether the OTP message was clear, whether the transaction was unusual, whether fraud alerts were triggered, whether device or location patterns were suspicious, whether the bank’s controls worked, and whether the customer promptly reported the scam.
Legal Basis: Your Rights Under Philippine Law
RA 10870 and BSP rules on credit card disputes
The main law for credit cards is the Philippine Credit Card Industry Regulation Law, RA 10870. It gives the Bangko Sentral ng Pilipinas regulatory authority over credit card issuers and acquirers and supports fair treatment of credit cardholders.
Under BSP Circular No. 1003, credit card issuers must have a consumer assistance unit for cardholder complaints. For disputed billing matters:
- The cardholder has 30 calendar days from the statement date to report a billing error or discrepancy.
- The report may be written, verbal, or made through another documented means.
- The issuer must take action within 10 business days from receipt of the notice and relevant documents.
- Within 90 days after receiving the notice, the issuer must investigate, correct records when appropriate, and send a written explanation or clarification before collecting the contested amount, subject to the result of the investigation.
- For lost or stolen cards, transactions before reporting are generally for the cardholder’s account, but the cardholder still has the right to dispute them. If the transaction is found unauthorized or fraudulent, the issuer must correct or reverse it, including finance charges and related fees.
This is why timing matters. Do not wait for the next statement if you already received a fraud alert or app notification. Report immediately, then follow up in writing.
Financial Consumer Protection Act: fair treatment and complaint redress
The Financial Products and Services Consumer Protection Act, RA 11765, strengthened consumer protection for financial products and services, including digital financial services. It recognizes important consumer rights such as:
- Fair and equitable treatment.
- Disclosure and transparency.
- Protection of consumer assets against fraud and misuse.
- Data privacy and protection.
- Timely handling and redress of complaints.
BSP-supervised financial institutions must maintain a Financial Consumer Protection Assistance Mechanism, often called an FCPAM. Under BSP Circular No. 1160, series of 2022, this is the bank’s first-level complaint channel. It should be accessible, free of charge, and available through oral, written, and digital channels.
For fraud-related concerns, banks are expected to provide dedicated channels, including a 24/7 customer-care telephone line. Consumers should receive immediate acknowledgment, and the bank should provide clear information on actions taken or to be taken.
If a transaction is found unauthorized or fraudulent, BSP rules require the financial institution to correct or reverse the transaction and related interest, charges, or fees, or make a provisional credit permanent when applicable.
Anti-Financial Account Scamming Act: phishing, social engineering, and account fraud
The Anti-Financial Account Scamming Act, RA 12010, is especially relevant to phishing and social engineering. It covers financial accounts, including credit card accounts, deposit accounts, transaction accounts, and e-wallets.
The law recognizes social engineering schemes, where scammers obtain sensitive identifying information through deception or fraud, resulting in unauthorized access to or control over a financial account. Sensitive identifying information includes usernames, passwords, bank account details, credit card information, e-wallet information, electronic credentials, and personal information that may be used to access an account.
RA 12010 also requires financial institutions to maintain risk management systems and controls, such as multi-factor authentication, fraud management systems, and verification procedures appropriate to their size, complexity, and risk profile.
A practical note: ordinary merchant credit card purchase disputes are still usually handled through the credit card issuer’s dispute and chargeback process. However, RA 12010 and BSP Circular No. 1215, series of 2025 may become very important when the phishing incident involves account takeover, electronic transfers, e-wallet movement, cash advances, or traceable “disputed funds.”
Criminal laws may also apply
Credit card phishing may also involve criminal offenses.
Under the Access Devices Regulation Act, RA 8484, as amended by RA 11449, illegal acts involving access devices may include unauthorized use of credit card information, fraudulent access to a credit card account, skimming, counterfeiting, and obtaining card information with intent to defraud.
Under the Cybercrime Prevention Act, RA 10175, phishing may also involve computer-related fraud or computer-related identity theft.
If the problem involves misuse, leakage, or compromise of personal information, the Data Privacy Act of 2012, RA 10173, may also be relevant, especially where a personal information controller failed to protect data or notify affected individuals when required.
How the Supreme Court views credit card transactions
The Supreme Court has explained that a credit card transaction usually involves several legal relationships: the sale between the cardholder and merchant, the credit relationship between issuer and cardholder, and the issuer’s undertaking to pay the merchant. This was discussed in cases such as Bankard, Inc. v. Alarte and Rico v. Union Bank of the Philippines.
This matters because your dispute with the bank is not always just a “merchant refund” issue. The issuer must also handle your complaint according to the credit card agreement, BSP rules, and financial consumer protection standards.
What To Do Immediately After a Suspected Credit Card Phishing Transaction
Act fast. In fraud cases, hours matter.
Lock or block the card immediately. Use the bank app if available, then call the bank’s fraud hotline. Ask for card blocking, replacement, and blocking of online, international, cash advance, or recurring transactions if needed.
Report the incident through the official bank channel. Use only the number, app, website, or email found on the back of your card, the bank’s official website, or the bank’s verified app. Do not use numbers or links sent by the suspected scammer.
Get a reference number. Record the date, time, name or ID of the agent if provided, and exact instructions given to you.
File a written dispute the same day. A phone report helps stop further loss. A written complaint helps prove that you formally disputed the charge.
Preserve all evidence. Do not delete the phishing SMS, email, link, screenshots, call logs, OTP messages, bank alerts, or app notifications. Screenshot the sender, timestamp, full message, URL, and transaction details.
Change passwords and secure your devices. Change your bank app, email, and e-wallet passwords. Remove trusted devices you do not recognize. Turn on biometric login and stronger authentication. Check if your email has suspicious forwarding rules.
Call your telco if SIM takeover is possible. If your phone lost signal, your SIM was replaced without your permission, or OTPs stopped arriving, report possible SIM compromise immediately.
Prepare a transaction list. For each disputed charge, note the date, time, amount, currency, merchant name, transaction ID if available, and whether you received or entered an OTP.
Ask for suspension of fees and finance charges on the disputed amount. Pay the undisputed portion of your bill before the due date. This reduces the risk of late payment issues while the contested charge is under investigation.
Escalate if the bank is not acting. If the bank fails to acknowledge, delays without explanation, continues collection pressure, or denies the dispute without a clear basis, you may raise the matter through the BSP consumer assistance channels.
How to File a Strong Credit Card Dispute With the Bank
Your written dispute should be clear, factual, and complete. Avoid emotional accusations. The goal is to give the issuer enough information to investigate and make it difficult for the complaint to be dismissed as vague.
Include these details:
- Your full name.
- Last four digits of the credit card.
- Statement date and billing cycle, if already available.
- Date and time you discovered the transaction.
- Date and time you reported it to the bank.
- Reference number from the hotline or app.
- Full list of disputed transactions.
- Short explanation of what happened.
- Whether the card was in your possession.
- Whether you clicked a link, received a call, entered card details, or entered an OTP.
- Whether the transaction was domestic or foreign.
- Whether you have any relationship with the merchant.
- Your request for reversal, suspension of related fees, replacement card, and written investigation result.
A practical wording may look like this:
I am formally disputing the following credit card transactions as unauthorized and fraudulent. I did not authorize these transactions, did not receive the goods or services, and reported the incident immediately upon discovery. I request reversal of the disputed charges, including related finance charges, late fees, foreign exchange charges, and other fees, subject to your investigation. Please also preserve the transaction logs, authentication records, merchant/acquirer information, and fraud review notes relevant to this complaint.
If the bank provides a dispute form, fill it out fully. If an affidavit is required, make sure it is consistent with your written complaint. If you are abroad, the bank may accept scanned documents first, but for formal affidavits it may ask for consular acknowledgment, notarization, or apostille depending on the document and the bank’s requirements.
Timelines You Should Know
| Stage | Timeline | What it means in practice |
|---|---|---|
| Immediate fraud report | Same day, preferably within hours | Block the card, stop further charges, and create a record. |
| Billing dispute period | 30 calendar days from statement date | Under BSP credit card rules, report billing errors or discrepancies within this period. |
| Bank action after notice and documents | 10 business days | The issuer must take action after receiving your notice and relevant documents. |
| Bank investigation and written explanation | Within 90 days from notice | The issuer should investigate, correct records when proper, and explain the result before collecting the contested amount, subject to investigation. |
| Bank notice after investigation conclusion | Within 3 banking days under financial consumer protection rules | For covered unauthorized transaction complaints, the bank should formally inform you of the result. |
| BSP Consumer Assistance Mechanism | Often around 55 to 65 days from receipt to termination | Available after you first report to the bank’s FCPAM. |
| BSP mediation | Often around 50 to 60 days from referral to termination | Used when appropriate under BSP’s consumer assistance and dispute resolution process. |
| AFASA temporary holding of disputed funds, if applicable | Initial hold up to 5 calendar days, extendible up to a total of 30 calendar days | Most relevant when the scam involves traceable disputed funds, transfers, or financial account movement. |
Do not wait for the 30th day. File immediately. Card network deadlines and merchant response periods may be shorter or more complex than what appears on your statement.
Documents and Evidence That Help Your Case
| Document or evidence | Why it matters |
|---|---|
| Government-issued ID | Confirms your identity as cardholder. |
| Credit card statement or app screenshot | Shows the disputed transaction details. |
| Bank SMS, email, or app alerts | Proves when you learned of the charge. |
| Phishing SMS, email, URL, or screenshot | Helps show deception and social engineering. |
| OTP messages | Shows whether OTPs were requested, what the message said, and whether the amount or merchant was clear. |
| Call logs | Useful if a scammer pretended to be from the bank. |
| Written bank complaint and reference number | Proves that you reported and disputed the transaction. |
| Dispute form | Often required by the issuer for chargeback processing. |
| Affidavit or sworn statement | Useful for formal investigation, especially for larger amounts. |
| Police, NBI, or PNP report | Helpful for criminal investigation and bank escalation, especially in phishing, identity theft, or account takeover cases. |
| Proof of location or travel | Useful if the transaction happened in a place where you could not have been. |
| Merchant communication | Helps if the issue involves a fake merchant, non-delivery, duplicate billing, or subscription charge. |
| Device security screenshots | May help show account takeover, unknown devices, or unauthorized logins. |
A police or NBI report is useful, but you should not wait for it before informing the bank. Report to the bank first to stop the loss and preserve your dispute rights. You may file a cybercrime complaint through the NBI Cybercrime Division or the appropriate PNP anti-cybercrime office when the facts justify it.
Common Scenarios and Practical Issues
“I entered my OTP. Can the bank still reverse the charge?”
Possibly, but it will be harder.
Banks often deny disputes by saying the transaction was authenticated by OTP, 3-D Secure, device binding, or app approval. However, OTP use does not automatically prove that you knowingly authorized a fraudulent transaction. The key question is whether you were deceived and whether the bank’s security controls and warnings were adequate under the circumstances.
Useful facts include:
- Did the OTP message clearly state the merchant, amount, and purpose?
- Was the merchant name recognizable or masked?
- Was the transaction unusually large or foreign?
- Were there multiple failed attempts before approval?
- Did the bank send a real-time alert?
- Did you report immediately?
- Was your phone, SIM, email, or banking app compromised?
- Did the scammer pretend to be the bank or use a fake bank page?
- Did the bank’s fraud system flag or ignore unusual behavior?
Be honest in your affidavit. If you entered an OTP because a scammer deceived you, say so clearly. Inconsistent statements are often worse than admitting the facts.
“The bank says the transaction was valid because the card was used online.”
Ask for a written explanation. You may request the basis of the denial, including what authentication was used, what merchant was involved, and why the bank concluded that the transaction was authorized.
The bank may not give you every internal fraud-system detail, but it should provide a clear enough explanation for you to understand the decision and respond meaningfully.
“The fraudulent merchant is abroad.”
Foreign merchant disputes can take longer because the issuer may need to coordinate with the card network, merchant bank, or foreign acquirer. This is common for card-not-present transactions involving online ads, fake shopping pages, travel bookings, gaming platforms, app purchases, or subscription merchants.
Report quickly. International chargeback rules have deadlines, and delay may weaken the dispute.
“The bank is charging interest while the dispute is pending.”
Ask the bank in writing to suspend interest, penalties, and late fees on the disputed amount while the investigation is ongoing. Pay the undisputed portion of the bill on time.
Under BSP financial consumer protection rules, banks should provide reasonable accommodations in unauthorized transaction disputes when applicable, including suspension of interest or fees and provisional credit or holds, depending on the case.
“Collections are calling me even though I disputed the charge.”
Tell the collector that the amount is formally disputed and provide the bank reference number. Keep a log of collection calls, messages, and emails.
RA 10870 and BSP credit card rules also regulate unfair collection practices. Collection activity should not involve harassment, threats, misrepresentation, or disclosure of your debt to unauthorized third parties.
“The charge was made before I reported my card lost.”
For lost or stolen cards, pre-report transactions are commonly treated as the cardholder’s responsibility. However, BSP credit card rules still allow the cardholder to dispute the transaction. If the investigation shows that the transaction was unauthorized or fraudulent, it should be corrected or reversed, including related finance charges and fees.
This is why immediate reporting is crucial. Once you know the card is lost, stolen, compromised, or used without permission, report it right away.
“The card is supplementary. Who should file the dispute?”
Usually, the principal cardholder should file the formal dispute because the account is under the principal cardholder’s name. However, the supplementary cardholder may need to provide a statement or affidavit explaining what happened.
If the transaction was made by a family member or household member who had permission to use the card, the bank may treat the issue differently from external fraud. Unauthorized use within families can become a factual dispute and may not always qualify for reversal through the card issuer.
“I am an OFW or foreigner outside the Philippines.”
You can usually report and dispute remotely through the bank’s hotline, app, secure message center, or official email. Keep evidence showing your location and time zone if relevant.
If the bank requires notarized documents, ask whether it will accept scanned copies first. For documents executed abroad, the bank may require notarization, consular acknowledgment, or apostille depending on the country and the document. Requirements vary, so confirm with the issuer, but do not delay the initial fraud report.
When to Escalate Beyond the Bank
Escalate to BSP
Before going to the BSP, you should first report the issue to the bank’s Financial Consumer Protection Assistance Mechanism. If the bank does not act, gives no clear explanation, delays unreasonably, or continues billing disputed amounts despite your formal complaint, you may use the BSP Online Buddy and other BSP consumer assistance channels.
BSP may require details such as:
- Your name and contact details.
- Bank name.
- Complaint reference number.
- Timeline of events.
- Copies of your complaint, bank responses, statements, and evidence.
- The specific relief you want, such as reversal, fee waiver, correction of credit record, or written explanation.
Under RA 11765, financial regulators may handle consumer redress, mediation, and adjudication for certain financial consumer claims. BSP’s adjudicatory authority may cover purely civil financial transaction claims where the amount of payment or reimbursement does not exceed ₱10,000,000.
Report to NBI or PNP for cybercrime investigation
Consider a cybercrime report if there is phishing, identity theft, fake websites, scammer phone numbers, mule accounts, SIM compromise, or organized fraud. A law enforcement report may help preserve evidence and support your bank dispute, especially for large losses.
Report to the National Privacy Commission when personal data is involved
If the incident suggests a personal data breach by a bank, merchant, employer, platform, or other personal information controller, the National Privacy Commission may be relevant. This is different from an ordinary scam where only the scammer stole your data directly. The key issue is whether an organization responsible for protecting your personal data may have failed in its obligations under the Data Privacy Act.
Court action may be needed in serious cases
Some cases may require civil, criminal, or regulatory action beyond the bank dispute process, especially where the amount is large, the bank’s denial is unsupported, collection pressure continues, or there are serious facts showing negligence, bad faith, identity theft, or organized fraud.
For criminal liability under laws such as RA 8484, RA 10175, or RA 12010, investigation and prosecution generally involve law enforcement and prosecutors. For civil recovery, the available route depends on the amount, parties, evidence, and whether the matter is better handled through BSP adjudication, regular courts, or another forum.
Frequently Asked Questions
Can a credit card phishing charge be reversed in the Philippines?
Yes, if the transaction is found to be unauthorized or fraudulent after investigation. The bank or credit card issuer should correct or reverse the charge, including related finance charges and fees, when the dispute is valid under BSP rules and applicable card procedures.
How long do I have to dispute an unauthorized credit card transaction?
Under BSP credit card rules, cardholders have up to 30 calendar days from the statement date to report billing errors or discrepancies. Report earlier if you discover the transaction before the statement arrives.
Should I pay the disputed amount while the bank investigates?
Ask the bank to suspend interest and fees on the disputed amount. As a practical step, pay the undisputed portion of your bill before the due date to avoid late fees, delinquency tagging, or credit record issues on amounts you are not contesting.
What if I clicked a phishing link and entered my OTP?
Your case may be more difficult, but it is not automatically hopeless. The bank should still consider the full facts, including deception, transaction pattern, OTP message content, fraud alerts, bank controls, your reporting speed, and whether the transaction was truly authorized.
What if my card was lost or stolen?
Report immediately. Transactions before reporting are often treated as the cardholder’s responsibility, but you still have the right to dispute them. If they are found unauthorized or fraudulent, BSP rules require correction or reversal, including related charges and fees.
Do I need a police or NBI report before filing a bank dispute?
No. You should report to the bank immediately first. A police, PNP, or NBI report may be useful or requested later, especially for phishing, identity theft, account takeover, or large losses, but waiting for that report can waste valuable time.
Can the bank keep charging late fees and interest during the dispute?
You should ask the bank in writing to suspend fees, penalties, and finance charges on the disputed amount while the investigation is pending. BSP consumer protection rules support reasonable handling of unauthorized transaction complaints, including correction or reversal of related charges when fraud is confirmed.
What can I do if the bank denies my dispute?
Ask for a written explanation and the factual basis of the denial. Respond with any missing evidence. If the bank’s answer is unclear, delayed, or unsupported, escalate through the BSP consumer assistance process after first using the bank’s complaint mechanism.
Are OFWs and foreigners protected by Philippine credit card rules?
Yes, if the credit card account or issuer is covered by Philippine regulation. OFWs and foreigners can usually dispute remotely through official bank channels. If documents are signed abroad, the bank may require additional formalities such as notarization, consular acknowledgment, or apostille.
Can I recover damages from the scammer or the bank?
Possibly, depending on the facts and evidence. Scammers may face criminal liability under laws such as RA 8484, RA 10175, or RA 12010. A bank may face regulatory or civil consequences if it failed to follow applicable consumer protection, fraud management, or complaint-handling duties.
Key Takeaways
- Unauthorized credit card charges can be reversed in the Philippines, but the bank must investigate first.
- Report suspected phishing or unauthorized transactions immediately through the bank’s official fraud channel.
- File a written dispute and preserve screenshots, OTP messages, phishing links, bank alerts, and call logs.
- Under BSP credit card rules, billing errors or discrepancies should be reported within 30 calendar days from the statement date.
- The issuer must act on the complaint, investigate, and provide a written explanation within required timelines.
- If the transaction is found unauthorized or fraudulent, the bank should reverse the charge and related finance charges or fees.
- OTP use makes a case harder, but it does not automatically prove genuine authorization in a phishing or social engineering situation.
- Pay the undisputed portion of your bill while asking the bank to suspend fees and interest on the disputed amount.
- Escalate to BSP if the bank delays, denies without adequate explanation, or fails to handle the complaint properly.
- For phishing, identity theft, fake websites, mule accounts, or account takeover, a report to NBI or PNP cybercrime authorities may also be important.