An email impersonation scam targeting suppliers can move very fast. A fraudster may copy a real company officer’s name, use a look-alike email address, send fake purchase orders, or instruct a supplier to deliver goods or change bank details. By the time the business discovers the scam, the goods may already be released, the funds transferred, and the fake account deleted. In the Philippines, this can involve cybercrime, estafa, falsification, data privacy issues, banking fraud, and civil claims. The most important thing is to act quickly, preserve evidence properly, notify the right people, and avoid making statements that accidentally weaken your case.

What Is an Email Impersonation Scam Targeting Suppliers?

An email impersonation scam happens when a fraudster pretends to be someone else through email to deceive a supplier, customer, employee, bank, or business partner.

In supplier-related scams, the impostor often pretends to be:

The company president, owner, purchasing head, accounting officer, or warehouse manager
A legitimate customer placing an urgent order
A supplier asking for payment to a “new bank account”
A logistics provider arranging delivery
A foreign buyer or Philippine distributor
A government or corporate procurement officer

These scams are sometimes called business email compromise, BEC scams, email spoofing, CEO fraud, invoice redirection fraud, or supplier impersonation scams.

A common example:

A scammer creates the email address purchasing.companyph@gmail.com or juan.delacruz@cornpany.com.ph, where the letter “m” is replaced by “rn.” The scammer sends a purchase order to a supplier, uses the real company’s logo and address, asks for urgent release of goods, and promises payment after delivery. The supplier delivers the goods to a third-party warehouse. The real company later says it never ordered anything.

Another common version works the other way:

A scammer gains access to or imitates a supplier’s email account and tells the buyer: “Please settle Invoice No. 1023 to our new bank account.” The buyer pays, only to discover later that the real supplier never changed its bank details.

In both situations, the legal question is not only “Who lost money?” but also:

Was there fraud or deceit?
Was a computer system or email account hacked?
Was personal or company data misused?
Did anyone inside the company fail to follow approval procedures?
Can the money or goods still be traced?
Which party is legally responsible for the loss?

Is Email Impersonation a Crime in the Philippines?

Yes. Depending on the facts, an email impersonation scam may involve several Philippine crimes and special laws.

The same act can fall under more than one law. For example, a scammer who uses a fake email, forged documents, and a mule bank account may potentially face cybercrime, estafa, falsification, and financial account scamming charges.

Key Philippine Laws That May Apply

Cybercrime Prevention Act — Republic Act No. 10175

The main Philippine law for online fraud is the Cybercrime Prevention Act of 2012, Republic Act No. 10175.

For email impersonation scams, the most relevant cybercrime offenses are usually:

Possible offense	What it means in a supplier scam
Computer-related forgery	Fake or altered electronic documents, emails, purchase orders, invoices, or payment instructions are created or used to deceive another person.
Computer-related fraud	A computer, email, or electronic system is used to cause financial damage through deception.
Computer-related identity theft	Someone knowingly uses another person’s identifying information without authority.
Illegal access	The scammer hacks into or accesses an email account, cloud drive, messaging account, or system without permission.

RA 10175 also allows authorities to deal with electronic evidence and cybercrime investigations, including preservation and disclosure of computer data through proper legal process.

Revised Penal Code — Estafa, Falsification, and Related Offenses

Even if the scam happened online, traditional crimes under the Revised Penal Code may still apply.

The most common is estafa, or swindling, under Article 315. Estafa generally involves fraud or deceit that causes damage to another person. In supplier scams, this may occur when the impostor uses false pretenses to obtain goods, services, money, or credit.

The Supreme Court has repeatedly described the essence of estafa as fraud or deceit causing damage. For ordinary business owners, the practical point is simple: if the scammer tricked the supplier or buyer into parting with goods or money, estafa may be considered.

Falsification under Articles 171 and 172 may also apply if the scam involves forged purchase orders, delivery receipts, invoices, company IDs, authorization letters, board resolutions, or bank documents.

Examples of possible falsified documents include:

A fake purchase order using the company logo
A fabricated secretary’s certificate
A fake authorization letter for pickup of goods
A modified invoice showing a different bank account
A fake delivery instruction allegedly signed by an officer
A forged acknowledgment receipt

Electronic Commerce Act — Republic Act No. 8792

The Electronic Commerce Act of 2000, Republic Act No. 8792, recognizes electronic documents and electronic signatures in commercial and non-commercial transactions.

This matters because many businesses still ask, “Can emails be used as evidence?”

Generally, yes. Emails, electronic purchase orders, PDFs, screenshots, metadata, chat logs, and system records may be relevant evidence if properly identified, preserved, and authenticated under the Rules on Electronic Evidence and court procedure.

RA 8792 also penalizes certain hacking or unauthorized access acts, although RA 10175 is usually the more specific modern cybercrime law.

Access Devices Regulation Act — RA 8484, as Amended by RA 11449

The Access Devices Regulation Act of 1998, Republic Act No. 8484, as strengthened by Republic Act No. 11449, may apply when the scam involves bank accounts, account numbers, cards, codes, credentials, or other means of account access used to obtain money or initiate fund transfers.

This becomes relevant when scammers use:

Mule bank accounts
Compromised online banking credentials
Unauthorized use of account details
Fraudulent fund transfer instructions
Stolen card or account information

Anti-Financial Account Scamming Act — Republic Act No. 12010

The Anti-Financial Account Scamming Act, Republic Act No. 12010, signed in 2024, directly addresses modern financial scams, including money mule activity and social engineering schemes.

This law is important for supplier impersonation scams because many fraudsters cannot receive stolen funds under their real names. They often use money mules — people or accounts used to receive, transfer, or withdraw scam proceeds.

Under RA 12010, prohibited acts include money muling and social engineering schemes involving financial accounts. A scam can be considered economic sabotage when committed by three or more persons, against three or more victims, using mass mailers, or through human trafficking.

Data Privacy Act — Republic Act No. 10173

If the scam involved unauthorized access, disclosure, or misuse of personal data, the Data Privacy Act of 2012, Republic Act No. 10173, may also apply.

This is especially relevant when the impostor used:

Names, signatures, mobile numbers, email addresses, or IDs of company officers
Supplier contact databases
Employee directories
Customer records
Tax identification numbers
Bank details
Copies of government IDs
Internal documents containing personal data

If a business reasonably believes that sensitive personal information or data that can enable identity fraud was acquired by an unauthorized person and there is real risk of serious harm, breach notification duties may arise. The National Privacy Commission’s guidance on breach reporting explains the 72-hour notification period in covered cases.

Civil Code — Damages and Negligence

Apart from criminal liability, the injured party may also consider civil claims.

Relevant Civil Code provisions include:

Article 19 — every person must act with justice, give everyone his due, and observe honesty and good faith.
Article 20 — a person who violates the law and causes damage must indemnify the injured party.
Article 21 — a person who willfully causes loss or injury contrary to morals, good customs, or public policy must compensate the injured party.
Article 1170 — those guilty of fraud, negligence, delay, or breach of obligation may be liable for damages.

This matters in disputes between the real company and the supplier. Even if both were victims of the scammer, one side may argue that the other failed to observe reasonable verification procedures.

First 24 Hours: What a Business Should Do Immediately

Time is critical. Banks, email providers, logistics companies, and law enforcement have better chances of helping when the report is made quickly.

1. Stop the transaction immediately

If goods have not yet been released, instruct the warehouse, courier, broker, or logistics provider in writing to hold delivery.

If money has been sent, contact the bank, e-wallet provider, or payment platform immediately and request:

Account freeze or hold, if legally available
Recall or reversal attempt
Fraud investigation ticket
Written acknowledgment of the report
Trace of destination account, subject to bank procedure and law

Do not rely only on a phone call. Send an email or written report so there is a timestamp.

2. Preserve the evidence before deleting anything

Do not delete the fake email, even if it looks dangerous. Do not forward it repeatedly without preserving the original. Do not edit filenames or clean up inbox folders before evidence is copied.

Preserve:

Full email thread
Email headers, not just screenshots
Purchase orders and invoices
Delivery receipts
Payment confirmations
Bank deposit slips or transfer receipts
Chat messages
Call logs
CCTV footage of pickup or delivery
Courier waybills
IP logs, sign-in logs, and admin logs
Domain registration details, if available
Internal approval records

For emails, ask your IT staff or provider to export the message with full headers. Screenshots are helpful for quick review, but headers and server logs are often more useful for tracing.

3. Warn the real supplier, customer, or company being impersonated

Send a short factual notice:

State that a suspected impersonation email is circulating.
Identify the fake email address or domain.
Tell recipients not to release goods or send payment based on that email.
Provide verified contact channels.
Avoid blaming anyone until the facts are confirmed.

This protects your company and may prevent additional victims.

4. Disable compromised accounts and change credentials

If there is any possibility that an email account was hacked:

Reset passwords immediately.
Revoke active sessions.
Turn on multi-factor authentication.
Check forwarding rules.
Check mailbox delegates.
Review recently created app passwords.
Review admin accounts.
Check whether files were downloaded from cloud storage.

A common business email compromise technique is to create a hidden forwarding rule so the scammer continues receiving messages even after the password is changed.

5. Make an internal incident report

The report should include:

Date and time the scam was discovered
Person who discovered it
Fake email address or account used
Amount involved
Goods involved
People who communicated with the scammer
Bank accounts or delivery addresses used
Immediate actions taken
Evidence preserved

This report helps management, lawyers, insurers, auditors, banks, and investigators understand the timeline.

Where to Report an Email Impersonation Scam in the Philippines

A business may need to report to more than one office, depending on the facts.

Office or institution	When to approach them	Practical notes
Your bank or e-wallet provider	Money was transferred or account details were misused	Report immediately. Ask for a fraud ticket number and written acknowledgment.
PNP Anti-Cybercrime Group	Cybercrime complaint, email impersonation, hacking, online fraud	Bring printed and digital evidence. Regional cybercrime units may assist depending on location.
NBI Cybercrime Division	Cybercrime investigation, digital forensics, scam tracing	The NBI lists cybercrime services through its official site, including its Cybercrime Division.
DOJ Office of Cybercrime	Cybercrime coordination, preservation concerns, cross-border cybercrime matters	The DOJ has an official page for reporting cybercrime incidents.
National Privacy Commission	Personal data breach involving risk of serious harm	Use NPC breach reporting procedures where mandatory notification applies.
Insurance provider	Cyber insurance, fidelity bond, crime policy, goods-in-transit policy	Notify early because late notice may affect coverage.
Corporate counsel or external counsel	Demand letters, criminal complaint-affidavit, civil recovery, evidence review	Legal review helps avoid inconsistent statements.

How to File a Criminal Complaint

The exact process may vary, but a typical Philippine cybercrime or estafa complaint involves these steps.

1. Prepare a clear complaint-affidavit

A complaint-affidavit is a sworn written statement explaining what happened, who was involved, what evidence supports the complaint, and what crimes may have been committed.

It usually includes:

Name, address, and contact details of the complainant
Authority of the company representative to file
Narrative of events in chronological order
Identification of suspects, if known
Description of the fake emails, accounts, documents, bank accounts, or delivery addresses used
Amount of loss or value of goods
List of attachments
Statement that the facts are based on personal knowledge or authentic records

The affidavit must generally be notarized.

For companies, attach proof that the person signing is authorized, such as a secretary’s certificate, board resolution, special power of attorney, or corporate secretary certification.

2. Attach documentary and electronic evidence

Useful attachments include:

SEC registration, DTI registration, mayor’s permit, or business registration documents
Company ID or government ID of the complainant representative
Screenshots of emails and chat messages
Full email headers
Original email files, where available
Purchase orders, invoices, delivery receipts, waybills
Proof of delivery or pickup
Bank transfer confirmations
Fraud reports submitted to banks
Internal incident report
IT logs or certification from the IT administrator
Photos, CCTV screenshots, or access logs
Written statements of employees involved

When possible, submit both printed copies and digital copies in a USB drive or other accepted format. Keep your own duplicate set.

3. File with the proper law enforcement office or prosecutor

For many cybercrime complaints, businesses first approach the PNP Anti-Cybercrime Group or NBI Cybercrime Division for investigation. In some cases, a complaint may also be filed with the Office of the City Prosecutor or Provincial Prosecutor for preliminary investigation.

A preliminary investigation is the process where the prosecutor determines whether there is probable cause to charge a person in court.

If the suspect is unknown, law enforcement investigation is often needed first to identify account holders, IP logs, SIM registration data, delivery recipients, CCTV leads, and bank account links.

4. Expect follow-up requests

Investigators or prosecutors may ask for:

Better copies of emails
Original devices for forensic examination
Clarification of company approval process
Proof of authority of the signatory
Additional witness affidavits
Bank certifications
Courier certifications
CCTV certification
Chain-of-custody details for electronic evidence

A common bottleneck is incomplete evidence. Another is the delay in obtaining information from banks, telcos, platforms, or foreign service providers because privacy laws and court processes may be involved.

Can the Business Recover the Money or Goods?

Sometimes, but speed matters.

If money was transferred

The best chance of recovery is within the first hours after transfer. The business should immediately:

Call the bank’s fraud hotline.
Email the bank’s fraud or customer protection unit.
Request a freeze, hold, or recall where available.
File a formal complaint with supporting documents.
Request written acknowledgment.
Report to law enforcement.

Banks cannot simply disclose account owner information to the victim because of bank secrecy, data privacy, and internal rules. However, they may coordinate with law enforcement and comply with lawful orders.

If goods were delivered

Act quickly to trace:

Delivery address
Receiving person
Plate number of pickup vehicle
Courier rider details
Warehouse CCTV
Gate pass records
Contact number used for delivery
GPS or tracking logs
Marketplace or logistics platform records

If the goods are still in transit or at a warehouse, a written hold request may prevent release. If goods were resold, recovery becomes harder, but delivery and resale trails can still help identify suspects.

Who Bears the Loss: The Supplier or the Buyer?

This is often the hardest business question.

There is no automatic answer. Liability depends on contracts, purchase procedures, communications, negligence, and who was in the best position to detect the fraud.

Scenario 1: Fake buyer orders goods from a supplier

If the supplier released goods based only on an unverified email from a fake buyer, the real company may deny liability because it never authorized the order.

The supplier will need to prove that the real company, through authorized representatives, actually placed or ratified the order. A logo, email signature, or similar-looking address may not be enough.

Scenario 2: Scammer impersonates supplier and changes bank details

If the buyer paid a fake account after receiving a fraudulent “change of bank details” email, the real supplier may still demand payment, arguing that it never received the money.

The buyer may argue that the supplier’s email system was compromised or that the supplier failed to secure its communications. The result depends on proof.

Scenario 3: Real employee was negligent

If an employee ignored required controls — for example, releasing goods without a signed PO, failing to call verified numbers, or approving a bank account change without confirmation — the company may consider internal disciplinary action. If the employee participated in the fraud, criminal liability may also arise.

Scenario 4: Both sides were careless

In practice, many disputes settle commercially because both sides missed red flags. A supplier may have released goods too quickly, while a buyer may have failed to warn partners after discovering a compromised email account.

Red Flags in Supplier Email Impersonation Scams

Watch for these warning signs:

Slightly misspelled domain names
Sudden change in bank account details
Urgent payment or delivery pressure
Refusal to use official procurement channels
New Gmail, Yahoo, Outlook, or Proton account claiming to represent a company
Poor grammar from a person who normally writes professionally
Request to bypass usual documents
Delivery address unrelated to the company
Pickup by an unknown third party
“Confidential” instruction not to call others
Email sent outside usual business hours
New contact number not matching company records
Invoice amount just below internal approval threshold
Inconsistent TIN, business address, or bank account name

The most dangerous scams are not always obvious. Many use real logos, real employee names, copied email signatures, and previous transaction details.

Practical Prevention Measures for Philippine Businesses

1. Require call-back verification for bank changes

Any request to change bank details should be verified through a previously known phone number, not the number provided in the suspicious email.

Use this simple rule:

No bank account change is valid until confirmed through an independent, pre-existing contact channel.

2. Use maker-checker approval

For payments and release of goods, one person prepares and another person approves. This is especially important for:

New suppliers
First-time buyers
Large orders
Rush deliveries
Change of bank details
Unusual delivery locations

3. Maintain an approved supplier and customer master list

Keep verified records of:

Official company name
SEC or DTI registration
TIN
Authorized representatives
Official email domains
Bank account name and number
Usual delivery addresses
Verified phone numbers

Any deviation should trigger additional verification.

4. Register similar domains defensively

If your company uses company.com.ph, consider monitoring or registering confusingly similar domains where commercially reasonable. Scammers often use look-alike domains.

Examples:

cornpany.com.ph instead of company.com.ph
company-ph.com
companypurchasing.com
company.com.co
cornpany.net

5. Enable email security controls

Ask IT to review:

Multi-factor authentication
SPF, DKIM, and DMARC records
Login alerts
Admin account restrictions
Email forwarding rules
Conditional access policies
Anti-phishing filters
Password reset controls
Device management
Cloud file-sharing permissions

These are not only technical best practices. They can also become important evidence that the company exercised reasonable care.

6. Train accounting, sales, warehouse, and procurement teams

Supplier scams often succeed because frontline teams are pressured to move quickly.

Train staff to pause and verify when they see:

Rush release requests
New bank accounts
New delivery addresses
Unusual email domains
Requests to skip documents
Orders from unfamiliar contacts using familiar company names

Warehouse and delivery staff should be included. Many scams fail at the last step if the pickup person is asked for proper authorization.

Suggested Internal Policy for Supplier and Payment Verification

A simple written policy can prevent expensive disputes.

Transaction type	Minimum verification
New customer order	Verify company registration, official email domain, authorized representative, and delivery address.
First large order	Require management approval and independent call-back verification.
Change of bank details	Require signed request, call-back to known number, and approval by finance head.
Rush delivery	Require written approval and verification of pickup person.
Third-party pickup	Require authorization letter, valid ID, vehicle details, and CCTV documentation.
Unusual delivery address	Verify with authorized contact and document reason for change.
Suspicious email	Escalate to IT, finance, and management before acting.

Documents to Prepare Before Reporting

Document	Why it matters
Complaint-affidavit	Main sworn statement explaining the fraud.
Secretary’s certificate or board resolution	Shows the company representative has authority to file.
Government ID of affiant	Required for notarization and identification.
Business registration documents	Proves legal identity of the business.
Emails with full headers	Helps trace source, routing, and authenticity.
Screenshots	Useful visual summary, but should not replace original files.
Purchase orders and invoices	Shows the transaction relied upon.
Delivery receipts and waybills	Proves release or movement of goods.
Bank transfer records	Proves payment and destination account details.
Internal incident report	Establishes timeline and response.
Witness affidavits	Supports who received, approved, released, or paid.
IT certification or logs	Helps prove account compromise or attempted intrusion.

Timelines and Practical Bottlenecks

The first 24 to 72 hours are usually the most important for freezing funds, stopping deliveries, preserving logs, and notifying affected parties.

However, full investigation can take longer because:

Banks must follow legal and internal procedures.
Email providers may be abroad.
Some subscriber or account information may require lawful process.
Suspects may use fake IDs, money mules, or layered transfers.
CCTV footage may be overwritten within days.
Employees may accidentally delete or alter evidence.
Prosecutors may require clearer affidavits and supporting documents.

A realistic internal timeline looks like this:

Time from discovery	Recommended action
First hour	Stop payment or delivery, alert bank/logistics, preserve emails.
Same day	Notify real business partner, disable compromised accounts, collect evidence.
Within 24 hours	Prepare incident report, secure CCTV, request bank action in writing.
Within 24–72 hours	File reports with law enforcement and assess NPC breach notification if personal data is involved.
Following days	Prepare complaint-affidavits, witness statements, IT reports, and demand letters if needed.
Following weeks	Cooperate with investigation, respond to prosecutor or investigator requests, pursue recovery or settlement options.

Special Issues for Foreign Companies and Expats

Foreign companies and expats dealing with Philippine suppliers should pay attention to documentation.

If a foreign company will file a complaint or authorize a Philippine representative, it may need:

Board resolution or corporate authorization
Special power of attorney
Passport or ID copies of authorized signatories
Company registration documents from the foreign jurisdiction
Apostille or consular authentication, depending on where the document was issued
Certified translations if documents are not in English

The Philippines is a party to the Apostille Convention. For many foreign public documents, an apostille may replace consular authentication, but requirements still depend on the receiving office and the type of document.

Foreign complainants should also expect practical issues such as local notarization requirements, availability of representatives for affidavits, and coordination with Philippine banks, couriers, and investigators.

Frequently Asked Questions

Is email impersonation punishable in the Philippines?

Yes. It may be punishable under the Cybercrime Prevention Act, Revised Penal Code provisions on estafa or falsification, the Access Devices Regulation Act, the Anti-Financial Account Scamming Act, and other laws depending on the facts.

What should I do first if my company paid a fake supplier bank account?

Contact your bank immediately and request fraud handling, recall, freeze, or hold procedures where available. Then preserve all emails and payment records, notify the real supplier, prepare an incident report, and report to cybercrime authorities.

Can screenshots of emails be used as evidence?

Screenshots can help, but they are usually not enough by themselves. Preserve the original email, full headers, attachments, server logs, and related files. Electronic evidence is stronger when it can be authenticated and its source can be explained.

Should we delete the phishing email?

No. Do not delete it until evidence has been preserved. Ask IT to isolate it safely, export the message with full headers, and check whether the account was compromised.

Can we force the bank to reveal the scammer’s account name?

Usually, the bank cannot simply disclose account information directly to a private complainant because of banking, privacy, and internal rules. Law enforcement, prosecutors, and courts may obtain relevant information through proper legal processes.

Is the real company liable if scammers used its name and logo?

Not automatically. The supplier must prove that the real company authorized, ratified, or became legally bound by the transaction. However, if the scam was enabled by the real company’s compromised systems or negligence, liability may become a factual and legal issue.

What if an employee released goods without verifying the email?

The company should investigate whether the employee violated internal controls. Depending on the facts, this may lead to disciplinary action, civil liability, or even criminal liability if there was participation in the fraud.

Do we need to notify the National Privacy Commission?

Only some incidents require mandatory notification. If personal data, especially sensitive personal information or information that can enable identity fraud, was acquired by an unauthorized person and there is real risk of serious harm, NPC notification may be required within the applicable period. Even non-notifiable incidents should be documented internally.

Can a barangay handle this kind of scam?

A barangay may help with local disputes between known individuals, but email impersonation scams involving cybercrime, banks, fake accounts, or unknown suspects usually require law enforcement, prosecutors, banks, and possibly cybercrime warrants or digital investigation.

How can suppliers protect themselves from fake purchase orders?

Suppliers should verify new buyers, confirm orders through official contact channels, check email domains carefully, require signed purchase documents, validate delivery addresses, document third-party pickups, and avoid releasing high-value goods based only on urgent email instructions.

Key Takeaways

Email impersonation scams targeting suppliers may involve cybercrime, estafa, falsification, data privacy violations, banking fraud, and civil liability.
The first 24 hours are crucial: stop payment or delivery, preserve evidence, notify banks and partners, and secure compromised accounts.
Screenshots help, but original emails, full headers, logs, bank records, and delivery documents are much stronger evidence.
Report serious incidents to the bank, PNP Anti-Cybercrime Group, NBI Cybercrime Division, DOJ Office of Cybercrime, and National Privacy Commission when appropriate.
Businesses should require independent verification for bank account changes, unusual delivery instructions, rush orders, and third-party pickups.
The real company, supplier, buyer, employee, bank account holder, or scammer may have different levels of responsibility depending on authorization, negligence, and proof.
Strong internal controls are not just good cybersecurity practice; they can also protect the business legally if a dispute reaches investigators, prosecutors, insurers, or court.