Fake BIR Tax Refund Emails in the Philippines: How to Report a Scam

A fake BIR tax refund email usually tries to make you rush: “You are eligible for a refund,” “confirm your bank account,” “click to claim,” or “pay a small processing fee.” In the Philippines, treat this as a possible phishing scam immediately. The Bureau of Internal Revenue has warned the public about malicious emails that appear to come from the BIR and solicit sensitive information such as bank account details and mobile wallet credentials; its advice is simple: do not click links or attachments in suspicious emails.

What a Fake BIR Tax Refund Email Usually Looks Like

A fake BIR tax refund email often uses one or more of these tactics:

  • It says you have an “approved” or “pending” tax refund even if you never filed a refund claim.
  • It asks for your TIN, birthday, address, bank account, card number, CVV, online banking username, password, OTP, or e-wallet PIN.
  • It contains a button like “Claim Refund,” “Verify Now,” “Download Notice,” or “Update Taxpayer Account.”
  • It uses a look-alike domain, such as a misspelled BIR website or a free email account.
  • It threatens that your refund will expire within 24 hours.
  • It asks for a “processing fee,” “documentary stamp,” “release fee,” or “anti-money laundering verification fee.”
  • It includes an attachment pretending to be a tax clearance, tax refund certificate, or BIR notice.

The safest rule is this: do not use the link inside the email to check if it is real. Open a new browser tab and manually type the official BIR website, or contact the BIR through its official contact page.

Is a BIR Tax Refund Email Ever Legitimate?

A real Philippine tax refund normally follows a formal tax process. It is not something you unlock by entering your bank or e-wallet credentials into a link sent by email.

Common legitimate refund situations include:

| Situation | How it usually happens | Why scammers copy it |
| --- | --- | --- |
| Employee over-withholding | Often handled through employer annualization and payroll adjustment | Many employees know the phrase “tax refund” but do not know the process |
| Excess creditable withholding tax | Usually requires a formal claim and supporting documents | Businesses and professionals may expect refunds from BIR |
| VAT refund | Subject to strict filing periods, documentary requirements, and BIR processing rules | Scammers use “VAT refund” to sound official |
| Erroneous or excess tax payment | Requires administrative claim and proof of payment | Scammers pretend the BIR already found an overpayment |

For example, BIR Revenue Memorandum Order No. 25-2024 covers processing of claims for tax credit or refund of excess or unutilized creditable withholding taxes under Sections 76(C), 204(C), and 229 of the National Internal Revenue Code, while VAT refunds have separate rules under Section 112.

That is very different from an unsolicited email asking you to “confirm your refund method” by typing your online banking password.

Immediate Steps If You Received a Fake BIR Tax Refund Email

If you did not click anything

  1. Do not reply.

  2. Do not click links or open attachments.

  3. Take screenshots showing:

    • sender email address;
    • subject line;
    • date and time received;
    • suspicious link preview, if visible without clicking;
    • full message body.

  4. Mark the email as phishing or spam in your email provider.

  5. Report it to the BIR and, if appropriate, to cybercrime authorities.

If you clicked the link but did not enter information

  1. Close the page immediately.
  2. Clear your browser history and cache.
  3. Run a security scan on the device.
  4. Change passwords only by going directly to the official websites or apps, not through the email link.
  5. Watch for suspicious login alerts, OTP requests, or unusual bank/e-wallet activity.

If you entered personal or financial details

Act fast. The first few hours matter.

  1. Call your bank or e-wallet provider immediately using the number inside the official app, card, or website.

  2. Ask them to:

    • block or lock the account;
    • freeze the card or online banking access;
    • reverse or hold suspicious transactions if still possible;
    • give you a reference or ticket number.

  3. Change passwords and enable multi-factor authentication.

  4. Report the scam to the CICC hotline 1326, NBI Cybercrime Division, or PNP Anti-Cybercrime Group.

  5. Prepare a complaint-affidavit if money was lost or identity documents were misused.

Under Republic Act No. 12010, or the Anti-Financial Account Scamming Act, social engineering includes using deception or electronic communications to obtain sensitive identifying information that results in unauthorized access or control over a financial account. The law also recognizes disputed transactions and allows financial institutions to temporarily hold funds in proper cases under BSP rules. (Lawphil)

How to Report a Fake BIR Tax Refund Email in the Philippines

1. Report it to the BIR

Use the BIR’s official channels to verify and report the impersonation.

The BIR contact page lists the BIR Contact Center at (02) 8538-3200 and contact_us@bir.gov.ph. (Bureau of Internal Revenue) The BIR also has an eComplaint page with categories such as NO-OR, DISIPLINA, R.A.T.E., and Others. (Bureau of Internal Revenue)

When reporting to BIR, include:

  • screenshot of the email;
  • sender address;
  • subject line;
  • date and time received;
  • link shown in the email, copied without opening it;
  • whether you clicked, entered information, or paid money;
  • your contact details for follow-up.

Avoid sending passwords, OTPs, full card numbers, or screenshots that expose your entire bank account. Redact sensitive details unless an investigator specifically tells you how to submit them securely.

2. Report online scam activity to CICC Hotline 1326

For phishing, email scams, caller ID spoofing, and other online scams, the government’s Inter-Agency Response Center can be reached through 1326. The Philippine News Agency has described 1326 as a 24/7 hotline for reporting scams, including phishing scams and email scams. (Philippine News Agency)

ScamWatch Pilipinas also lists 1326 and alternative I-ARC numbers for Smart, Globe, and DITO users, and describes I-ARC as a joint project involving DICT, CICC, NPC, and NTC to centralize online scam reporting. (ScamWatch Pilipinas)

Use this especially if:

  • you already sent money;
  • your bank or e-wallet account was accessed;
  • the same scam is being sent to many people;
  • the scammer is using Philippine mobile numbers, e-wallets, or bank accounts.

3. File a cybercrime complaint with NBI or PNP-ACG

For investigation, evidence preservation, tracing, and possible prosecution, report to the NBI Cybercrime Division or the PNP Anti-Cybercrime Group.

The NBI Citizen’s Charter for “Investigative Assistance for Victims of Computer Crimes” states that the general public may proceed to the Cybercrime Division to file a complaint or request investigation; the process includes a preliminary interview, sworn statements, and submission of supporting documents. (National Bureau of Investigation) An NBI FOI response also directs complainants to the NBI Complaints and Assessment Division for NCR residents, the nearest NBI Regional or District Office for provincial complainants, or the NBI online reporting channel. (www.foi.gov.ph)

A PNP FOI response has directed cybercrime complainants to the PNP-ACG eComplaint portal or the PNP-ACG complaint email. (www.foi.gov.ph)

4. Report unauthorized bank or e-wallet transactions to your financial institution first

If the scam caused an unauthorized transfer, report first to your bank, e-money issuer, or payment provider. Ask for the fraud ticket number and a written acknowledgment.

The BSP’s consumer assistance guidance says financial consumers should first report concerns to the BSP-supervised institution’s Financial Consumer Protection Assistance Mechanism or customer service channel. If the response is unsatisfactory, the complaint may be escalated to the BSP through BSP Online Buddy or by email to consumeraffairs@bsp.gov.ph with supporting documents. (Bangko Sentral ng Pilipinas)

Under RA 12010, institutions under BSP supervision must protect access to client financial accounts using adequate risk management systems and controls, such as multi-factor authentication and fraud management systems. The law also provides that conviction is not a prerequisite to restitution where the institution failed to employ adequate controls or the highest degree of diligence required by law. (Lawphil)

5. Report misuse of personal data to the National Privacy Commission

If you gave a copy of your ID, TIN, passport, selfie, signature, address, or other personal information, consider reporting the data privacy aspect to the National Privacy Commission.

The Data Privacy Act of 2012, Republic Act No. 10173, requires personal information to be processed fairly, lawfully, and for legitimate purposes. It penalizes unauthorized processing, unauthorized access or intentional breach, malicious disclosure, and unauthorized disclosure. (National Privacy Commission)

The NPC states that a formal complaint may be filed using its complaint form, notarized, and submitted in person, by courier, or by scanned email to complaints@privacy.gov.ph. (National Privacy Commission)

Evidence You Should Preserve Before Reporting

Do not rely only on screenshots if money was lost. Screenshots help, but cybercrime investigators often need more.

| Evidence | Why it matters |
| --- | --- |
| Full email headers | Helps trace sending servers and technical details |
| Screenshot of sender, subject, and date | Shows the exact message received |
| Screenshot of the fake website | Shows impersonation of BIR or a bank/e-wallet |
| URL of the phishing page | Helps authorities and platforms block it |
| Bank/e-wallet transaction receipts | Proves amount, date, reference number, and receiving account |
| OTP or login alerts | Shows attempted or completed account takeover |
| Conversation with scammer | Shows deceit, instructions, and identity used |
| Ticket numbers from bank/e-wallet | Proves timely reporting |
| Valid ID of complainant | Usually needed for formal complaint filing |
| Complaint-affidavit | Needed for formal investigation or prosecution |

For Gmail, use “Show original” to view technical headers. For Outlook, use message source or message details. If you are not comfortable doing this, preserve the email and let the investigator or IT support assist you.
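For the IT support or investigator case mentioned above, one way to pull the sender, routing, and link details out of a preserved message without opening anything, and to apply the look-alike domain test from the list of tactics earlier on this page. This is an added example, not part of the original article or any BIR tool; the sample message, the example.* names, and the function names are constructed, and treating bir.gov.ph as the official domain is an assumption based on the contact address cited on this page.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

OFFICIAL_DOMAIN = "bir.gov.ph"  # assumption: domain of the contact address cited on this page

# Constructed sample, not a real message; every example.* name and IP is a placeholder.
SAMPLE_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbox.example.com; Mon, 03 Mar 2025 09:15:02 +0800
Received: from web01.example.net (unknown [198.51.100.23])
\tby mx.example.org; Mon, 03 Mar 2025 09:14:58 +0800
Authentication-Results: inbox.example.com; spf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none; dmarc=fail header.from=bir-gov-ph.example.net
From: "BIR Refund Unit" <refund@bir-gov-ph.example.net>
Reply-To: claims@freemail.example
To: taxpayer@example.com
Subject: Your tax refund is approved - claim within 24 hours
Date: Mon, 03 Mar 2025 09:14:55 +0800
Content-Type: text/plain; charset="utf-8"

Click to claim: http://bir-gov-ph.example.net/claim?id=123
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def is_official(domain):
    """True only for the official domain or a subdomain of it, never a look-alike."""
    return domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN)

def summarize(raw):
    """Build a report-ready summary from raw message bytes; no link is opened."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # fingerprint of the preserved original
        "subject": str(msg["Subject"]),
        "from_domain": from_dom,
        # A matching From domain alone proves nothing: the header can be forged,
        # which is why the receiving server's SPF/DKIM/DMARC verdicts are kept too.
        "from_is_official": is_official(from_dom),
        "reply_to_differs": bool(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_dom,
        "return_path_differs": bool(msg["Return-Path"]) and domain_of(msg["Return-Path"]) != from_dom,
        # Each server prepends its Received line, so the last entry is nearest the sender.
        "received_hops": [" ".join(str(h).split()) for h in msg.get_all("Received", [])],
        "auth_results": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        # URLs are copied as text for the report; nothing is fetched or resolved.
        "urls": re.findall(r"https?://[^\s\"'<>]+", body.get_content() if body else ""),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

A differing Return-Path is common for legitimate bulk mail, so the flags are data points to include in the report, not a verdict on their own.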

Legal Basis: Why Fake BIR Refund Emails Can Be a Crime

Cybercrime Prevention Act of 2012

Republic Act No. 10175, the Cybercrime Prevention Act of 2012, penalizes several acts that may apply to fake BIR tax refund emails:

  • Illegal access if a scammer enters your email, bank, e-wallet, or device without right.
  • Computer-related forgery if fake digital data is created or used as if authentic.
  • Computer-related fraud if unauthorized input, alteration, deletion, or system interference causes damage with fraudulent intent.
  • Computer-related identity theft if someone intentionally acquires, uses, misuses, transfers, possesses, alters, or deletes identifying information belonging to another without right. (Supreme Court E-Library)

The law also provides that crimes under the Revised Penal Code or special laws committed through information and communications technology are covered by RA 10175, with the penalty generally one degree higher. (Supreme Court E-Library)

Estafa under the Revised Penal Code

If the scammer deceived you into sending money, the facts may also support estafa, or swindling, under Article 315 of the Revised Penal Code.

In People v. Mateo, the Supreme Court summarized estafa by deceit under Article 315(2)(a): there must be a false pretense or fraudulent representation, made before or at the same time as the fraud, relied upon by the victim, causing the victim to part with money or property and suffer damage. (Supreme Court E-Library)

A fake BIR refund email fits this pattern when the scammer pretends to have authority from BIR, convinces the victim to pay a fee or reveal credentials, and the victim loses money.

Anti-Financial Account Scamming Act

RA 12010 is especially relevant when the scam involves bank accounts, e-wallets, card accounts, or money mule accounts. It covers money muling, social engineering schemes, and economic sabotage. It also penalizes opening accounts under fictitious names, using another person’s identity documents, buying or selling financial accounts, and aiding or attempting the prohibited acts. (Lawphil)

For social engineering schemes, penalties may reach imprisonment of 10 to 12 years and fines of ₱500,000 to ₱1,000,000, with higher penalties if the victim is a senior citizen. Economic sabotage can be punished by life imprisonment or a fine of ₱1,000,000 to ₱5,000,000, or both, depending on the court. (Lawphil)

Data Privacy Act of 2012

If the scammer collects, stores, sells, or uses your TIN, ID, address, selfie, passport, or other personal data, RA 10173 may apply. This is important because identity theft may continue even after the first scam. Your information may be used to open e-wallets, create fake accounts, apply for loans, or scam other people.

Practical Timelines and What to Expect

| Stage | Typical timing | What usually happens |
| --- | --- | --- |
| Bank/e-wallet fraud report | Immediately to same day | Account lock, dispute ticket, possible hold or investigation |
| CICC 1326 report | Same day | Intake, guidance, referral or coordination |
| NBI/PNP cybercrime complaint | Same day to several days | Interview, sworn statement, evidence review |
| NBI initial assistance process | About 1 hour 10 minutes in its Citizen’s Charter | Intake and preliminary steps, not full case resolution |
| BSP escalation | After bank/e-wallet response is unsatisfactory | Consumer assistance review and referral to financial institution |
| NPC complaint | After preparing notarized complaint | Docketing, evaluation, possible mediation or investigation |

The biggest bottlenecks are usually incomplete evidence, delayed reporting to the financial institution, unverified recipient account details, and victims deleting the original email before technical data is preserved.

Special Notes for OFWs, Foreigners, and Filipinos Abroad

If you are outside the Philippines and receive a supposed BIR tax refund email, be extra careful if you do not have current Philippine tax filings, a Philippine TIN, a Philippine employer, or a Philippine business.

Practical points:

  • A foreigner with no Philippine tax record should treat an unsolicited BIR refund email as highly suspicious.
  • OFWs and former Philippine employees should verify through their employer, withholding agent, or relevant BIR office instead of replying to the email.
  • If a formal Philippine complaint-affidavit is needed, documents signed abroad may need notarization and, depending on where they are executed and where they will be used, apostille or consular acknowledgment. The DFA’s apostille guidance notes that the Philippines became a party to the Apostille Convention on 14 May 2019. (Apostille Services)
  • If your passport or foreign ID was submitted to the scammer, report possible identity misuse in your country of residence as well.

Common Mistakes That Make Scam Reports Weaker

  • Clicking the link again “to check.”
  • Sending the scam email to friends without warning.
  • Deleting the original email before saving headers.
  • Reporting only to BIR when money was already transferred through a bank or e-wallet.
  • Reporting only to the bank and not to cybercrime authorities when identity documents were stolen.
  • Waiting several days before calling the bank or e-wallet provider.
  • Posting full account numbers, IDs, or screenshots with personal data on social media.
  • Paying a second “recovery fee” to someone claiming they can retrieve the money.

A barangay blotter may help document that you reported an incident locally, but it is not a substitute for reporting cybercrime to NBI, PNP-ACG, CICC, or the financial institution involved. Many phishing cases involve unknown offenders, out-of-area offenders, or offenses beyond barangay conciliation.

Frequently Asked Questions

How do I report a fake BIR tax refund email?

Report it to the BIR through its official contact channels or eComplaint page, then report the cybercrime aspect to CICC 1326, NBI Cybercrime Division, or PNP-ACG. If you lost money through a bank or e-wallet, report to the financial institution immediately before filing escalation complaints.

What should I do if I clicked a fake BIR refund link?

Close the page, do not enter more information, run a device security check, and change passwords directly through official apps or websites. If you entered banking, card, or e-wallet details, call your financial institution immediately and ask them to lock or monitor the account.

Can the BIR send tax refund emails?

The BIR may use email for some official taxpayer communications, but a legitimate refund is not claimed by entering passwords, OTPs, card details, or e-wallet credentials into a random link. Verify independently through the official BIR website, BIR Contact Center, your RDO, or your employer/withholding agent.

Is a fake BIR email a cybercrime?

It can be. Depending on the facts, it may involve computer-related fraud, identity theft, illegal access, estafa, social engineering under RA 12010, and data privacy violations under RA 10173.

Can I get my money back after a phishing scam?

It depends on how quickly you reported, where the money went, whether the receiving account can still be frozen, and whether the financial institution complied with its fraud controls. Report to your bank or e-wallet immediately and ask for a written ticket number. Escalate to BSP if the institution’s response is unsatisfactory.

Should I report even if I did not lose money?

Yes. Reporting helps BIR and cybercrime authorities identify active phishing campaigns, block fake sites, warn the public, and connect similar complaints. Preserve screenshots and the original email if possible.

What if the scammer used my TIN or ID?

Report possible identity theft to cybercrime authorities and consider a complaint with the National Privacy Commission if your personal data was misused. Also monitor e-wallets, bank accounts, credit-related notices, loan apps, and messages from people who may be contacted by impersonators using your name.

Do I need a lawyer to report a fake BIR tax refund email?

For basic reporting, no. You can report to BIR, CICC, your bank/e-wallet, NBI, PNP-ACG, BSP, or NPC yourself. For complex cases involving large losses, multiple victims, business accounts, foreign documents, or suspected insider participation, the documents and legal strategy may need more careful preparation.

Key Takeaways

  • Fake BIR tax refund emails are usually phishing attempts designed to steal money, passwords, OTPs, IDs, TINs, bank details, or e-wallet credentials.
  • Do not click links or attachments in suspicious BIR-branded emails.
  • Preserve evidence before deleting: screenshots, full email headers, URLs, transaction records, and bank/e-wallet ticket numbers.
  • Report to BIR for impersonation, CICC 1326 or NBI/PNP-ACG for cybercrime, your bank/e-wallet for urgent account protection, BSP for unresolved financial institution complaints, and NPC for personal data misuse.
  • Philippine law may treat the scam as cybercrime, estafa, financial account scamming, and/or a data privacy violation depending on what happened.
  • Speed matters most when money or account access is involved: report to the financial institution immediately and document every step.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.