Facebook Account Hacked and Used for Scams

With the Philippines consistently ranking among the top countries for social media usage, the compromise of a Facebook account is no longer just a personal inconvenience—it is a significant legal incident. When a hacked account is used to perpetrate scams (such as investment fraud, fake emergencies, or unauthorized solicitations), both civil and criminal liabilities are triggered under Philippine laws.

This article outlines the governing laws, criminal liabilities, legal defenses for victims, and the procedural steps for recourse in the Philippine jurisdiction.

1. Governing Laws and Criminal Offenses

The legal framework addressing hacked accounts and subsequent scams is primarily governed by the Cybercrime Prevention Act of 2012 (Republic Act No. 10175), alongside the Revised Penal Code (RPC) and the Data Privacy Act of 2012 (Republic Act No. 10173).

Cybercrime Prevention Act of 2012 (R.A. 10175)

The act of hacking and using an account for fraudulent purposes constitutes several distinct cybercrimes:

  • Illegal Access (Section 4(a)(1)): The unauthorized access to the Facebook account itself, bypassing security measures.
  • Computer-related Identity Theft (Section 4(b)(3)): The intentional, unauthorized acquisition, use, misuse, transfer, or deletion of personal identifying data of another person. Using a victim’s profile picture and name to deceive others falls squarely under this provision.
  • Computer-related Fraud (Section 4(b)(2)): The unauthorized input, alteration, or deletion of computer data with fraudulent intent to cause economic damage, such as messaging a victim’s contact list asking for money.

Revised Penal Code (RPC) & Swindling (Estafa)

When a hacker successfully deceives a third party into sending money, the crime committed against that third party is Estafa under Article 315 of the RPC, read in conjunction with Section 6 of R.A. 10175. Section 6 imposes a penalty one degree higher than that prescribed by the RPC because a computer system was used to commit the felony.

Data Privacy Act of 2012 (R.A. 10173)

Hacking involves the unauthorized processing and access of personal information. Under Section 29 of the Data Privacy Act, unauthorized access or intentional breach is a punishable offense, especially if it compromises sensitive personal information.

2. Criminal and Civil Liabilities: Who is Accountable?

A critical point of confusion in these situations is distinguishing the liability of the actual hacker from the potential liability of the legitimate account owner.

Liability of the Perpetrator (The Hacker)

The hacker faces severe criminal penalties. Under R.A. 10175, computer-related identity theft and fraud carry a penalty of prision mayor (6 years and 1 day to 12 years imprisonment) or a fine of at least ₱200,000.00, or both. If Estafa via cyber-means is proven, the prison sentence can be significantly higher depending on the amount defrauded.

Liability of the Legitimate Account Owner

A common fear among victims of hacking is that they will be held legally responsible for the scams perpetrated through their compromised profiles.

  • Criminal Liability: In Philippine criminal law, criminal intent (mens rea) or gross negligence is required. If an account owner genuinely had their account stolen without their knowledge or participation, they cannot be held criminally liable as a principal, accomplice, or accessory to the scams.
  • Civil Liability: Under Article 2176 of the Civil Code (Quasi-Delict/Negligence), a person can theoretically be held liable for damages if their sheer negligence caused injury to another. However, for a third party to successfully sue the account owner, they must prove that the owner's failure to secure their account amounted to actionable negligence that directly caused the scam. Generally, being a victim of a cyberattack does not equate to civil negligence.

3. Crucial Legal Defenses for the Hacking Victim

If a victim's account is used to scam others, they must immediately establish a paper trail to build a legal defense against potential complaints from defrauded individuals:

  • Defense of Absence of Control: Proving that the account was accessed from an unusual IP address or device not owned by the user. Facebook’s "Where You're Logged In" history is a vital piece of electronic evidence.
  • Prompt Notice / Mitigation of Damages: Showing that upon discovery, the owner took immediate steps to report the compromise to Facebook, post public warnings on other platforms, and alert contacts. This disproves any implied conspiracy or condonation of the scam.

4. Remedial and Legal Steps to Take

If your Facebook account is hacked and used for scams in the Philippines, you should execute the following steps to protect yourself legally:

Step 1: Preserve Electronic Evidence

Do not immediately delete everything if you regain access. Under the Rules on Electronic Evidence (A.M. No. 01-7-01-SC), screenshots and digital logs are admissible.

  • Take screenshots of the compromised account showing changed email addresses, unauthorized posts, and scam messages.
  • Save the URL of the hacked profile.
  • Download login history logs if still accessible.

Step 2: Immediate Public Clarification

Issue a public notice on alternative social media platforms, via SMS, or through friends, stating that the account has been compromised and that any solicitations for money or investments are fraudulent. This serves as a vital legal defense demonstrating good faith and active mitigation.

Step 3: Secure Technical Remediation

Report the compromise to Meta/Facebook through their dedicated portal ([facebook.com/hacked](https://facebook.com/hacked)) to initiate the account recovery or termination process.

Step 4: File Official Law Enforcement Reports

To secure formal immunity from the scams committed under your name, file an official report with Philippine cybercrime units. You will need to bring your preserved evidence and a valid ID:

  • PNP Anti-Cybercrime Group (PNP-ACG): Headquartered in Camp Crame, Quezon City, with regional units nationwide.
  • NBI Cybercrime Division (NBI-CCD): Located at the NBI Taft Avenue office, Manila, or regional offices.

The law enforcement agency will issue a Blotter Report or an Official Certification that you reported the hack. This document serves as your primary legal shield if a defrauded individual files a lawsuit against you.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login