Cybercrime complaint procedure: PNP versus NBI versus Prosecutor

Comprehensive guide to reporting and prosecuting offenses under the Cybercrime Prevention Act (R.A. 10175) and related laws. For case-specific advice, consult counsel or the appropriate agency.


I. What counts as a “cybercrime”

Typical offenses (often charged with related special laws):

  • Cyber libel, computer-related fraud/forgery, illegal access/interception, data interference, device misuse, aiding/abetting (R.A. 10175).
  • Online gender-based violence/harassment (e.g., R.A. 9995 Anti-Photo and Video Voyeurism, R.A. 9262 VAWC when committed online, Safe Spaces Act).
  • Online sexual exploitation of children (OSEC) (R.A. 9775, R.A. 9208 as amended).
  • Identity theft, phishing, swindling, e-commerce scams, SIM/IMEI-related schemes (plus other special penal laws).
  • Unlawful processing/disclosure of personal data (Data Privacy Act—NPC handles administrative complaints; criminal cases go through prosecutors).

Barangay conciliation is not required for most cybercrimes (penalties generally exceed 1 year and they often involve the State as offended party). Cyber libel is a private offense (initiated by the offended party).


II. Who does what—at a glance

| Actor | Core role | When to go here |
|---|---|---|
| PNP – Anti-Cybercrime Group (ACG) & regional cybercrime units | First response, investigation, digital forensics, preserving/logging evidence, applying for cyber warrants, filing complaints | Urgent threats (ongoing hacks, extortion), scams, social-media crimes, OSEC, online harassment |
| NBI – Cybercrime Division & regional units | Complex/large-scale or multi-jurisdiction cases, forensics, covert ops, MLAT coordination via DOJ | High-impact frauds, syndicated activity, cross-border elements, insider threats |
| Prosecutor’s Office (City/Provincial/DOJ OOC) | Inquest for arrests; Preliminary Investigation; filing of Informations in court; mutual legal assistance channel (through DOJ Office of Cybercrime) | You already have respondents/evidence; you’re ready to lodge a criminal complaint-affidavit |

Concurrency: PNP and NBI have concurrent authority. You may choose either. Cases may be endorsed to the other or to the prosecutor as needed.


III. Evidence first: preserve, don’t “clean up”

  1. Do not edit or delete posts, messages, or files—even if offensive. Take forensic-quality captures:

    • Full-screen screenshots with URL bars, timestamps, and visible system clock.
    • Message exports (e.g., chat downloads), original email files with headers (.eml/.msg).
    • Transaction proofs (bank slips, e-wallet logs), parcel receipts, SIM numbers, device identifiers.
    • For sites/stories, capture source URLs, handles, and archive hashes if available.
  2. Keep original devices/media powered on (or safely off) and unmodified. Avoid “factory reset.”

  3. Prepare a simple chain-of-custody log: who handled what, when, and where; store media in sealed envelopes/USBs labeled with date/time.

  4. Draft a timeline: first contact, money flow, threats, IP/email used, accounts, and any witnesses.

  5. If there’s imminent harm (e.g., OSEC, doxxing with threats, account takeover of a business), report immediately to PNP/NBI for urgent preservation and takedown coordination.


IV. Legal tools investigators use (what to expect)

  • Data preservation orders to service providers (quick freeze of logs/content).

  • Court warrants tailored to cyber data:

    • Disclosure (subscriber info, connection logs, IP mapping, basic metadata).
    • Search, seizure, and examination of computer data (on-prem devices, cloud accounts).
    • Real-time collection/interception of traffic data (content typically needs stricter judicial authorization).
  • Forensic imaging and examination of devices/accounts under chain of custody.

  • Subpoenas for account ownership, KYC files, CCTV, telco activity, bank/e-wallet records (often with AMLA coordination for fund tracing).

Investigators cannot lawfully “just read” your (or a suspect’s) content data without the proper judicial authority. Expect that you may be asked to consent (in writing) to access to your own accounts/devices.


V. Three pathways to start a case

A. File with the PNP – ACG (or regional cyber unit)

What to bring: government ID, Complaint-Affidavit (or execute one on-site), evidence (digital and printed), devices/USB with copies, chain-of-custody notes, list of accounts/handles, and any payment trails.

What happens next:

  1. Intake & assessment → determine legal theory (e.g., illegal access + estafa, cyber libel, voyeurism, OSEC).
  2. Evidence securing → imaging devices, requesting provider preservation, preparing warrant applications.
  3. Operations → controlled deliveries, decoy buys, or knock-and-talks (as appropriate).
  4. Filing with Prosecutor → Inquest (if arrest without warrant) or Preliminary Investigation (regular filing) with your Complaint-Affidavit and annexes.

Pros: Faster boots-on-ground response, regional presence, close coordination with local courts and barangays. Cons: Heavy caseloads; complex cross-border tasks may still need NBI/DOJ support.


B. File with the NBI – Cybercrime Division

What to bring: Same as PNP, plus any indicators of scale, syndication, cross-border links (foreign IP, offshore exchanges), or insider threats (enterprise breaches).

What happens next: Similar to PNP flow, with emphasis on complex forensics, undercover operations, and international cooperation (via DOJ). The NBI will endorse to a Prosecutor for charging.

Pros: Strong digital forensics capacity; suited for enterprise breaches and multi-province schemes. Cons: Intake may be centralized; expect scheduling/queuing for device examinations.


C. File directly with the Prosecutor’s Office

Use this route if the respondent is identifiable and your evidence is ready (e.g., the harassing poster used their real identity; you possess full transaction records).

You will submit:

  • Complaint-Affidavit (narrative, elements of the crime), witness affidavits, and Annexes (screenshots, headers, logs, transaction proofs).
  • If electronic evidence authenticity needs support, attach affidavits of IT personnel or request referral to PNP/NBI for forensics.

What happens next:

  • Docketing → Subpoena to the respondent; counter-affidavit and rejoinders follow under Rule 112.
  • Resolution → Prosecutor dismisses or finds probable cause and files an Information in the appropriate court.
  • For in flagrante arrests, the Prosecutor conducts inquest within hours; absent inquest, the case proceeds by regular preliminary investigation.

Pros: Procedural control, faster movement to court if the case is straightforward. Cons: If you need cyber warrants/forensics, the Prosecutor will often refer to PNP/NBI anyway.


VI. Venue, jurisdiction, and forum picking

  • Venue generally lies where any essential element occurred (where the post was accessed/caused damage, where the complainant resides in some offenses, where the money changed hands, or where devices were seized).
  • Concurrent national jurisdiction: Cyber offenses may be filed where the offended party resides or where content was accessed, depending on the offense.
  • Foreign elements: If data or suspects are abroad, investigators coordinate through the DOJ Office of Cybercrime for MLAT requests or provider cooperation.

Private offenses (e.g., cyber libel) require the offended party’s complaint. For child-related or OSEC cases, law enforcement can initiate even without the parent’s complaint, given the State’s compelling interest.


VII. Building a prosecutable case (practical blueprint)

  1. Map the elements of the target offense (e.g., for illegal access: (a) access without right; (b) into a computer system; (c) with/without intent to gain; (d) resulting damage/prejudice).

  2. Align evidence to each element: logs, screenshots, headers, KYC, IP-to-subscriber mapping, device exams, money trail.

  3. Authenticate electronic evidence:

    • Identify who captured the data, how, and when; include device/app versions.
    • Keep original files (not just images of the screen).
    • Use hash values (MD5/SHA) for forensic images when possible.
  4. Show attribution: tie the act to the account holder and then to the human actor (device possession, contact numbers, delivery addresses, voice/video, admissions).

  5. Quantify damage: peso value, business disruption, emotional distress (for appropriate offenses), medical/therapy receipts, and lost profits if claimed.

  6. Anticipate defenses: mistaken identity, spoofed IP/VPN, hacked account, consent, truth/fair comment (libel), absence of publication, or no intent to gain (fraud cases).
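
Added example (not part of the original guide, and not an official PNP/NBI format): one way to produce the hash values mentioned in step 3 above and the chain-of-custody log described in Part III. It assumes SHA-256 from the SHA family the guide names; the field names and the hash-linked log layout are illustrative choices.

```python
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):  # streamed, so large images need not fit in memory
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir):
    """Record name, size and SHA-256 of every file at capture time."""
    root = Path(evidence_dir)
    return [{"file": p.relative_to(root).as_posix(), "bytes": p.stat().st_size,
             "sha256": sha256_file(p)} for p in sorted(root.rglob("*")) if p.is_file()]

def verify_manifest(evidence_dir, manifest):
    """Return the files that are missing or no longer match their recorded hash."""
    root = Path(evidence_dir)
    return [e["file"] for e in manifest if not (root / e["file"]).is_file()
            or sha256_file(root / e["file"]) != e["sha256"]]

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, handler, action, location, when=None):
    """Append who/what/when/where; each entry embeds the previous entry's hash."""
    entry = {"when": when or datetime.now(timezone.utc).isoformat(),
             "handler": handler, "action": action, "location": location,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)

def custody_chain_intact(log):  # False if any earlier entry was edited afterwards
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev"] != prev or e["entry_hash"] != _digest(body):
            return False
        prev = e["entry_hash"]
    return True

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample evidence folder
        (Path(d) / "chat_export.txt").write_text("constructed sample message\n")
        log = []
        add_custody_entry(log, "Complainant", "captured and hashed files", "home")
        print(json.dumps({"manifest": build_manifest(d), "custody_log": log}, indent=2))
```

Run it against a copy of the evidence folder, keep the printed manifest with the sealed media, and re-run `verify_manifest` whenever the files change hands.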


VIII. Inquest vs. Preliminary Investigation

  • Inquest (warrantless arrest): Prosecutor decides within hours whether to file in court; the respondent may opt for PI and be released upon posting bail if allowable.
  • Preliminary Investigation: Paper-based exchange (complaint → counter-affidavit → reply); resolution typically within weeks to months depending on docket.

IX. Parallel/ancillary remedies

  • Data Privacy Act complaint (NPC) for unlawful processing/leaks (administrative sanctions; separate from criminal case).
  • Civil action for damages (may be deemed instituted with the criminal case unless waived/reserved).
  • Protection orders (e.g., under VAWC/Safe Spaces) for stalking, threats, or intimate image abuse.
  • Platform takedowns: Continue to report to platforms; retain all tickets/IDs for your annexes.
  • Asset freezing/AMLA coordination for fraud rings and mule accounts.

X. Special offense notes

  • Cyber libel: needs identifiable imputation, publication, malice, and venue rules observed; defense of truth and privileged communication may apply.
  • E-commerce scams: blend of estafa and computer-related fraud; emphasize inducing deceit at inception and money trail to the accused or money mules.
  • OSEC/child sexual abuse materials: report immediately; do not share or forward the contraband—secure metadata and let law enforcement handle images under strict protocols.
  • Account takeovers/illegal access: log IP addresses, login alerts, password reset emails, and device IDs; quickly change credentials and enable MFA while keeping evidence.

XI. Timelines & expectations

  • Preservation orders can be obtained quickly; warrants depend on court dockets but are prioritized when harm is ongoing.
  • Platform responses vary; some providers respond only to law-enforcement legal requests.
  • Forensic exams of devices can take time; ask for receipts and status updates.

XII. Checklists

A. Complainant’s packet

  • ✅ Government ID, contact details
  • ✅ Complaint-Affidavit (narrative + elements matched)
  • ✅ Annexes: screenshots w/ URLs & timestamps, email files w/ headers, chat exports, bank/e-wallet receipts, courier docs, SIM numbers
  • ✅ Chain-of-custody log and storage media (USB/DVD)
  • ✅ Device(s) (if needed) and passwords in a sealed note for imaging (hand over only against receipt)
  • ✅ List of respondent handles, phone numbers, and known addresses
  • ✅ List of witnesses; brief of expected testimony

B. Agency triage questions to prepare for

  • What exactly happened, when, where accessed?
  • What accounts/devices are involved? Who controls them?
  • Money trail? To which account? Proof?
  • Any ongoing risk to minors/sensitive data?
  • Any prior reports to platforms/banks/telcos? Ticket/Case IDs?

XIII. Model Complaint-Affidavit (skeleton)

I, [Name], Filipino, [status], of [address], state:

1. On [date/timezone], using my [device/app], I received [message/post URL]. Screenshots with URLs and timestamps are attached as Annexes A–C. Original files are in USB-1.

2. The account [@handle/number], later confirmed via [provider response/bank KYC/delivery receipt], belongs to [Respondent] who demanded [amount] and sent [instructions].

3. Relying on these misrepresentations, I transferred ₱[amount] to [account], Annex D (bank proof). The goods/services were never delivered.

4. I suffered loss of ₱[amount] and [other harm]. I request investigation and prosecution for [specific offenses and related laws].

5. I attest the annexed files are true and correct. I executed this to support charges and to request preservation and warrants as necessary.

[Signature over printed name]

Bottom line

  • Pick a door and start: PNP-ACG or NBI if you need preservation, warrants, or forensics; Prosecutor if your case is documented and respondent-identified.
  • Preserve evidence meticulously; chain of custody and authenticity win cyber cases.
  • Expect judicially-authorized data actions (preservation, disclosure, search/exam, interception) and a Rule 112 prosecution flow.
  • Use parallel remedies (privacy, civil, protective orders) to contain harm while the criminal case proceeds.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.