Dealing With Harassing Spam Messages and Scam Threats: Evidence Preservation and Cybercrime Reporting

Evidence Preservation, Legal Remedies, and Cybercrime Reporting

Scope and purpose

Harassing spam messages and scam threats now commonly arrive through SMS (“smishing”), messaging apps (Messenger, Viber, WhatsApp, Telegram), email (“phishing”), social media DMs, and even calls (“vishing”). These incidents sit at the intersection of (1) criminal law (threats, fraud, extortion), (2) cybercrime-specific rules (electronic evidence, cybercrime warrants, preservation and disclosure of data), and (3) privacy and telecommunications regulation.

This article explains:

  • how to preserve evidence so it remains usable in court;
  • what Philippine laws may apply depending on the content;
  • where and how to report (PNP, NBI, DOJ Office of Cybercrime, platforms, telcos, NPC); and
  • practical considerations like chain of custody, electronic evidence requirements, and cybercrime warrants.

1) What counts as “harassing spam” and “scam threats”

Not all annoying messages are criminal. Classification matters because it determines what to report and what investigators can lawfully request from telcos/platforms.

A. Harassing spam (annoying, repeated, unwanted)

Examples:

  • repeated sexual messages, insults, intimidation, doxxing warnings;
  • repeated “loan collection” messages sent to the wrong person;
  • repeated “marketing” texts after opt-out, or mass blasts spoofing a sender ID.

Possible legal angles: harassment may rise to unjust vexation-type conduct (under the Revised Penal Code jurisprudence), threats, coercion, grave oral defamation, libel/cyberlibel, or data privacy violations (if personal data is misused).

B. Scam threats (criminally coercive or fraudulent)

Examples:

  • “Pay or we leak your photos,” “Pay or we harm you,” “Pay or we file a case,”
  • “Your parcel/GCash/bank account will be closed—click this link,”
  • impersonation of a bank, government office, delivery company, or a person you know,
  • job/investment scams, fake debt claims, fake arrest warrants.

Common legal angles: estafa (fraud), grave threats, robbery/extortion-related offenses depending on facts, identity theft and other cybercrime offenses, plus potential photo/video voyeurism laws if intimate images are involved.

2) Immediate priorities: safety, containment, and preserving proof

When people panic, they often delete messages, reset phones, or confront the scammer in a way that destroys evidence. The better approach is:

A. Safety first

  • If there is an immediate threat to life or physical safety, prioritize emergency response and personal safety planning.
  • If the scammer has your address or is threatening in-person harm, treat it as a physical security matter too.

B. Containment without destroying evidence

  • Do not click links, open attachments, or install apps sent by the scammer.
  • Do not send additional personal information (IDs, selfies, OTPs, passwords).
  • You may block the sender after preserving evidence, but remember: blocking can hide message threads in some apps. Preserve first.
  • Avoid “negotiating” or making admissions. Keep any replies minimal and factual if needed (“Stop messaging me.”) to reduce escalation, but preservation is still the priority.

C. Preserve evidence immediately (golden rule: capture content + context + metadata)

Evidence that helps investigators isn’t just the threatening line—it’s who, when, where, and how.

Minimum evidence package:

  1. Screenshots of the entire conversation thread (include earlier messages showing the lead-up).
  2. Screen recording scrolling from the start of the thread to the threat, showing timestamps/usernames/numbers.
  3. Sender identifiers: phone number, email address, profile URL/username, account ID, display name, and any “about” info.
  4. Timestamps visible in the app plus your device clock/date settings if relevant.
  5. Links copied as text (do not click). Copy-paste into a note.
  6. Headers for emails (full email headers show routing and originating servers).
  7. Call logs/voicemail if threats were by voice.
  8. Transaction traces if money was demanded/sent: receipts, reference numbers, wallet IDs, bank details.
  9. Device context: model, OS version, SIM, carrier, app versions (a simple note is fine).

3) Evidence preservation in a Philippine legal setting (electronic evidence basics)

Philippine courts accept electronic evidence, but parties must address authenticity, integrity, and reliability.

A. Rules on Electronic Evidence (conceptual requirements)

In practice, the issue isn’t “Can screenshots be used?” but “Can you show they are authentic and not altered?”

You strengthen authenticity by:

  • capturing the message on the original device;
  • recording screen capture/video showing navigation into the thread;
  • saving original files (images, voice notes, attachments) rather than only screenshots;
  • maintaining a clean timeline log of what you did and when.

B. Chain of custody (for civilians: keep it simple but consistent)

You do not need forensic perfection, but you should be able to explain:

  • where the evidence came from;
  • who handled it;
  • whether it was altered.

Practical steps:

  • Do not edit screenshots (no cropping that removes sender/time; no markup on the master copy).

  • Export originals to a folder labeled with date/time.

  • Make two copies:

    • a “Master” folder (read-only, never edit), and
    • a “Working” folder (for printing, redacting personal info for non-law enforcement sharing).

  • Compute hashes (optional but helpful): SHA-256 of key files using a hashing tool. Record the hash values in a log.

  • Store copies in two locations (e.g., encrypted USB + cloud drive).

C. Affidavits and “who will testify”

In real complaints, investigators and prosecutors often look for:

  • the complainant’s affidavit narrating events;
  • attachments: screenshots, recordings, email headers, receipts;
  • a simple evidence index (Exhibit “A,” “B,” etc.);
  • if needed later, a person who can testify how the screenshots were created and that they reflect what appeared on the device.

D. Anti-Wiretapping concerns (recording calls)

Philippine law generally penalizes recording private communications without authorization. As a practical matter, be careful with call recording and covert audio capture. If you already have threatening voice notes/voicemails sent to you (i.e., the other party transmitted them to you), preserve them; that is different from secretly recording a private call. When in doubt, preserve what you received and rely on lawful investigative processes for further collection.

4) Applicable Philippine laws (common scenarios)

Different messages trigger different offenses. Below are the most relevant legal frameworks often used in these cases.

A. Republic Act No. 10175 — Cybercrime Prevention Act of 2012

RA 10175 covers offenses committed through ICT and includes:

  • computer-related fraud, identity theft, and related acts;
  • cyber-enabled versions of certain crimes (notably cyberlibel, when defamatory content is published through a computer system);
  • procedural tools: preservation, disclosure, search and seizure of computer data via special warrants.

If the harassing or threatening conduct uses a “computer system” (phones and online accounts generally qualify), RA 10175 is commonly invoked alongside the Revised Penal Code.

B. Revised Penal Code (RPC) — threats, coercion, fraud, defamation

Depending on message content:

  • Grave threats / light threats: threats of a wrong (harm, injury, arson, etc.) may fall here.
  • Coercion: forcing someone to do something against their will.
  • Estafa (fraud): deception causing damage, common in payment or investment scams.
  • Libel/defamation: imputations that damage reputation; online publication may become cyberlibel issues.
  • Other harassment-type conduct can be framed depending on facts (patterned annoyance and disturbance).

C. Republic Act No. 10173 — Data Privacy Act of 2012

If the harasser/scammer:

  • misuses your personal data (address, contacts, workplace, IDs),
  • doxxes you (publishes personal info),
  • obtained your data through improper disclosure,
  • or a company/agent processes your data without lawful basis,

then there may be Data Privacy Act violations and/or remedies through the National Privacy Commission (NPC) (particularly against companies, lending apps, collection agencies, or entities misusing contact lists).

D. Republic Act No. 9995 — Anti-Photo and Video Voyeurism Act

If threats involve:

  • intimate images/videos taken or shared without consent,
  • “sextortion” threats (“pay or we leak your nudes”), this law may apply alongside cybercrime provisions.

E. Republic Act No. 8792 — E-Commerce Act

Often used to support recognition of electronic documents and signatures and complements electronic evidence handling.

F. Special contexts

  • Child-related sexual content: very serious, with separate laws and mandatory reporting implications.
  • Impersonation of government agencies: may add other criminal angles (forgery, falsification, etc.) depending on acts.

5) Where to report in the Philippines (and what each office is for)

A good reporting strategy matches your goal:

  • stopping ongoing harassment,
  • identifying the suspect,
  • freezing money trails,
  • building a prosecutable case.

A. Law enforcement cyber units

  1. PNP Anti-Cybercrime Group (ACG)

    • Common first stop for cyber complaints nationwide.
    • Can receive complaints, conduct investigation, coordinate preservation/disclosure requests and cybercrime warrants (through proper legal channels).

  2. NBI Cybercrime Division

    • Often handles more complex cases, identity fraud, organized groups, and may coordinate with platforms and financial institutions.

Either PNP ACG or NBI can be appropriate; choice may depend on location, urgency, complexity, and existing coordination.

B. Department of Justice — Office of Cybercrime (OOC)

The DOJ OOC has roles in cybercrime implementation and coordination, and can be relevant especially when matters proceed toward prosecution, inter-agency requests, and procedural compliance under the cybercrime framework.

C. Prosecutor’s Office (for filing complaints)

For criminal cases, the end-to-end path usually involves:

  • complaint + affidavits + attachments
  • evaluation for inquest (if arrest without warrant is involved) or regular preliminary investigation
  • filing of Information in court if probable cause is found.

D. National Privacy Commission (NPC)

Especially relevant if:

  • the actor is a company or organized lender/collection group,
  • your personal data was processed or disclosed unlawfully,
  • doxxing or contact-harassment arises from data misuse.

NPC processes complaints and can impose administrative sanctions and recommend prosecution for certain violations.

E. Telecommunications / SIM-related reporting

  • Your mobile carrier (telco): report spam/scam numbers, spoofing, and request blocking/escalation.
  • SIM Registration context: if properly pursued by law enforcement, subscriber information may be obtainable through lawful processes. Individuals usually cannot compel disclosure directly.

F. Platform reporting (parallel track)

Report the account/message to:

  • Facebook/Instagram, WhatsApp, Telegram, Viber, etc. This can result in account takedown and preservation of internal logs (though law enforcement typically must request non-public records).

6) How to prepare a report that investigators can act on

The fastest way to stall a case is a vague report (“Someone threatened me on Messenger”). Provide a structured packet.

A. Incident summary (1 page)

Include:

  • your full name and contact info,
  • platform used (SMS, Messenger, etc.),
  • dates/times (with timezone),
  • what was demanded or threatened,
  • why you believe it’s a scam/harassment,
  • whether money was sent and how,
  • whether you know the suspect.

B. Evidence index (simple exhibit list)

Example format:

  • Exhibit A: Screenshot set (thread from start to threat)
  • Exhibit B: Screen recording (MP4)
  • Exhibit C: Profile page capture (URL, username, user ID)
  • Exhibit D: Email headers (if email)
  • Exhibit E: Payment receipts / reference numbers
  • Exhibit F: Device info + SIM/telco details
  • Exhibit G: Timeline log

C. Timeline log (highly persuasive in practice)

Create a table in your notes (even plain text) with:

  • Date/time received
  • Sender/account
  • Message summary (verbatim for key threats)
  • Action taken (saved screenshot, reported to platform, blocked, etc.)

D. Preserve originals

Bring:

  • the phone itself (if safe)
  • charger and SIM info
  • copies of the evidence (USB) Law enforcement may need to view messages on-device to validate authenticity.

7) Cybercrime warrants and what they mean for your case

A frequent misunderstanding: victims expect investigators to immediately “trace” an account or get subscriber details. In reality, access to certain data typically requires legal processes.

Under the cybercrime legal framework, investigators may seek court authority for things like:

  • preservation of computer data,
  • disclosure of subscriber information or traffic data,
  • search, seizure, and examination of devices and stored content.

For victims, the takeaway is:

  • preserve what you can lawfully access (your received messages, your logs, your transactions);
  • report quickly so preservation requests can be made before logs expire;
  • avoid actions that compromise later legal steps (deleting threads, resetting devices).

8) Common scenarios and the best Philippine-context response

Scenario 1: “Pay or we will harm you / your family”

Likely: threats/extortion-related conduct. Best response:

  • preserve all messages and any proof the sender knows your address,
  • report to local police and cyber unit,
  • avoid paying (payment often triggers repeat demands),
  • consider immediate safety steps and documentation.

Scenario 2: “Pay or we will leak your nude photos” (sextortion)

Potential: anti-voyeurism offenses + cybercrime angles + threats/coercion. Best response:

  • preserve the threats and any images sent (do not forward widely),
  • report to cyber units promptly,
  • also report to the platform for takedown and safety measures,
  • if the offender is known, preserve relationship context and any prior consent boundaries.

Scenario 3: Smishing link pretending to be a bank/e-wallet/delivery

Potential: computer-related fraud, identity theft attempts. Best response:

  • do not click; capture the link text and sender,
  • report to the institution being impersonated and to the telco,
  • monitor accounts; change passwords using a clean device if compromise is suspected,
  • file report if credentials were entered or funds moved.

Scenario 4: Harassment from unknown numbers (sexual, insulting, repeated)

Potential: threats/harassment-type conduct; sometimes doxxing/privacy issues. Best response:

  • preserve, block after capture,
  • report to telco and platform (if app-based),
  • if persistent, report to cyber unit with a compiled log showing frequency and impact.

Scenario 5: Loan app / collection harassment (wrong person or abusive tactics)

Potential: Data Privacy Act issues; coercion/threats depending on content. Best response:

  • document how they got your number (screenshots of messages naming the borrower),
  • preserve abusive language/threats, frequency, and any disclosure of your data,
  • consider NPC complaint (especially if an entity is processing data unlawfully),
  • also report to cyber units if threats are grave or coordinated.

9) Practical “do’s and don’ts” that protect your case

Do

  • Keep communications intact; capture full threads.
  • Maintain a single narrative: consistent dates, facts, and actions.
  • Keep receipts and references for any payments or attempted transfers.
  • Store evidence in unaltered original form and create working copies.

Don’t

  • Don’t delete or factory reset before preserving.
  • Don’t rely on cropped screenshots that remove the sender/time.
  • Don’t publicly post the offender’s alleged identity without legal advice; it can create defamation and evidentiary complications.
  • Don’t send intimate images to “prove” anything or comply with escalating demands.

10) What remedies are realistically available (and timelines in practice)

Outcomes vary by evidence quality and traceability, but typical remedies include:

  • platform account takedown and blocking,
  • telco-level blocking/escalation,
  • investigation to identify suspects through lawful data requests,
  • prosecution if probable cause is established,
  • in appropriate cases, data privacy enforcement actions and orders against entities misusing personal data.

The strongest cases usually share three traits:

  1. early reporting (before logs expire),
  2. preserved originals and a clean timeline, and
  3. a clear legal theory (threats, fraud, extortion, privacy misuse) supported by exhibits.

11) A simple affidavit-ready narrative outline (Philippine practice friendly)

When you eventually write a sworn statement, structure helps:

  1. Background: who you are, where you reside, contact number/email.
  2. How it started: first contact, platform, date/time.
  3. Progression: key messages in order (quote the most important threats verbatim).
  4. Demand/Threat: what the offender required and what harm was threatened.
  5. Your actions: preserved evidence, reported to platform/telco, blocked, monitored accounts.
  6. Damages/impact: fear, reputational harm, attempted/actual financial loss.
  7. Attachments: identify exhibits (screenshots, recordings, receipts, headers).
  8. Request: ask for investigation and prosecution of responsible persons.

12) Closing note on confidentiality and minimizing harm

When handling threats involving sensitive content, treat your evidence like confidential legal material:

  • limit sharing to law enforcement, counsel, and essential support persons,
  • redact identifiers when circulating to platforms or third parties unless required,
  • avoid forwarding intimate content; preserve it securely and minimally.

Harassing spam and scam threats are best handled as both an evidence problem and a process problem: preserve clean proof early, then route it through the right reporting channels so lawful preservation/disclosure can occur before data disappears.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login