Hacked Facebook Account Used for Online Scams

Discovering that your Facebook account has been hacked and is now being used to send scam messages to your friends and family can feel like a personal violation. In the Philippines, where Facebook is still the main platform for staying in touch with relatives abroad, coordinating family support, and even informal transactions, these incidents happen frequently. Hackers typically take over an account, change the password or recovery details, then send urgent messages asking for GCash, bank transfers, or personal information under the guise of an “emergency,” a loan, or an investment opportunity.

This article explains how these incidents are treated under Philippine law, your rights as the account owner, the practical steps to regain control and limit further harm, how to report the incident effectively to authorities, and what victims who sent money can do. It draws on the Cybercrime Prevention Act and the actual procedures used by the Philippine National Police Anti-Cybercrime Group and the National Bureau of Investigation.

What Happens When a Facebook Account Is Hacked and Used for Scams

Hackers usually gain access through phishing links, weak or reused passwords, compromised email accounts, or malware on a linked device. Once inside, they often immediately change the email, phone number, or password so the real owner loses access. They then use the account’s established trust network to target contacts with personalized scam messages.

Common patterns in the Philippines include messages claiming the owner’s phone was lost or stolen and they need emergency funds “right now,” fake investment or lending offers, or requests for OTPs or personal documents. Because the messages come from a familiar profile with real photos and past conversations, recipients are more likely to respond quickly without verifying through another channel. The hacker may also post scam advertisements on Marketplace or in groups, or send mass messages.

The account owner becomes a victim of unauthorized access and identity misuse, while friends and family become victims of fraud. Both groups have legal remedies, but quick action by the account owner helps stop the spread and protects everyone involved.

Your Legal Rights and Protections Under Philippine Law

You are protected primarily by Republic Act No. 10175, the Cybercrime Prevention Act of 2012. The hacker’s actions typically violate several provisions:

  • Illegal Access (Section 4(a)(1)) — Accessing your computer system or account without right.
  • Computer-Related Identity Theft (Section 4(b)(3)) — Intentionally acquiring, using, or misusing your identifying information (profile, photos, contacts, message history).
  • Computer-Related Fraud (Section 4(b)(2)) — Unauthorized input, alteration, or interference with computer data with fraudulent intent.

If the hacker uses the account to obtain money through deceit, this can also constitute estafa under Article 315 of the Revised Penal Code, with the penalty increased by one degree under Section 6 of RA 10175 because it was committed through information and communications technology. Penalties for the main cybercrime offenses generally include prision mayor (6 years and 1 day to 12 years) or a fine of at least ₱200,000, or both.

The Data Privacy Act of 2012 (RA 10173) may also apply if the hacker accessed or misused your personal data (messages, photos, contact list) without authority.

As the account owner, you are generally not criminally liable for the scams if you did not participate, benefit, or act with gross negligence that directly enabled the hack. Philippine law treats you as a victim. However, you have a practical and legal interest in acting promptly: documenting the hack, warning your contacts, and reporting to authorities creates a clear record that protects you from potential civil claims by victims who might otherwise allege you were negligent in securing your account.

You also have the right to recover your account, remove fraudulent content, and seek civil damages for any harm to your reputation or relationships under the Civil Code (Articles 19, 20, 21, and 2219 on moral damages).

Immediate Steps If Your Facebook Account Was Hacked and Is Sending Scam Messages

Act in the first hours and day. The faster you move, the fewer people get scammed and the stronger your evidence becomes.

  1. Secure your linked accounts first. Change the password on the email address connected to your Facebook account and enable two-factor authentication (preferably an authenticator app, not just SMS). Check for suspicious forwarding rules, logged-in devices, or unknown apps with access. Contact your mobile provider immediately if you notice unusual OTPs or if your SIM might have been compromised.

  2. Recover your Facebook account. Go directly to the official page at facebook.com/hacked. Use any device or network you previously used to log in. Follow the prompts to identify your account, request a password reset, or verify your identity by uploading a clear photo of a valid government-issued ID (passport, driver’s license, or UMID). Facebook/Meta can force-logout all other sessions and help you regain control even if the hacker changed the recovery email or phone. Once back in, immediately reset your password to a strong, unique one, enable two-factor authentication with an authenticator app, review and remove all unknown devices, emails, phone numbers, and connected apps, and log out everywhere.

  3. Warn your network immediately and publicly. Use every other channel you have — Viber groups, family chats, Instagram, TikTok, SMS, email, workplace or school channels, or even a temporary new Facebook account. Post or send a clear notice such as: “PUBLIC NOTICE: My Facebook account [your name/profile link] was compromised on [exact date and approximate time]. I lost access. Any messages, posts, or requests for money, loans, or personal information sent from it after that time are fraudulent and NOT from me. Please do not click links, send money, or share information. Report suspicious messages to me here or to authorities and preserve screenshots.” Ask everyone to forward you any scam messages they received.

  4. Preserve every piece of evidence. Take full-screen screenshots (with timestamps visible) of Facebook security emails about password or email changes, all scam conversations (include the profile URL and any unique user ID if visible), transaction receipts if any money moved, and your recovery attempts. Create a simple chronological timeline on paper or a document noting when you discovered the hack, when you lost access, when scam messages started, and every step you took. Do not delete anything from the account until you have screenshots. Ask victims to send you their chat logs and receipts as well.

  5. Report the compromised account to Facebook/Meta. Use the in-app reporting tools or the hacked account flow to flag that the account was taken over and is being used for fraud. After recovery, review Messenger, posts, Marketplace listings, and any ads or pages you manage. Remove fraudulent content only after preserving evidence.

  6. Secure or dispute any linked financial accounts. If the hacker accessed or used any GCash, Maya, bank, or e-wallet linked to the same email or phone, contact those providers immediately, change passwords, enable additional security, and dispute any unauthorized transactions. Provide them with your police or cybercrime report reference once you have it.

  7. File a report with the proper authorities. Do not rely only on a regular barangay or police blotter for complex cyber incidents. Go to the Philippine National Police Anti-Cybercrime Group (PNP-ACG) or the National Bureau of Investigation Cybercrime Division (NBI-CCD). You can start with an online report or CyberTip through acg.pnp.gov.ph, their official Facebook page/messenger, or by calling their hotline at (02) 8723-0401 (or check the latest number on their verified channels). In-person filing at Camp Crame in Quezon City or regional units is often most effective for serious cases. The NBI-CCD can be reached through nbi.gov.ph or their Taft Avenue office. Bring printed high-resolution screenshots, your timeline, two valid government IDs, and transaction details if any money was involved. Investigators can request preservation of records from Meta, GCash, banks, and other platforms.

If You Were Scammed by Messages from a Hacked Facebook Account

If you or someone you know sent money after receiving a message from what turned out to be a compromised account, act quickly on the financial side while also supporting the criminal report.

Contact the payment provider (GCash, Maya, bank, or remittance service) right away with full transaction details, reference numbers, screenshots of the chat, and the recipient account information. Many have fraud reporting channels and short windows for disputes or reversals. Provide the account owner’s police or cybercrime report reference when available.

File or join a complaint with PNP-ACG or NBI-CCD. The authorities can issue preservation requests or, with court process, obtain subscriber information from the platforms and financial institutions to help identify the perpetrator. You can also pursue a civil case for recovery of the amount under the Civil Code, though actual collection depends on locating the responsible person and on that person having assets to collect from.

Common Challenges and Practical Realities

Tracing hackers is often difficult because they use VPNs, foreign numbers, mule accounts, or quickly move funds through multiple e-wallets. Investigations can take weeks or months, and not every case results in an identified and arrested suspect. This is why your prompt evidence preservation and public warning are so important — they limit damage even if the hacker is never caught.

Some victims may initially blame the account owner or file complaints at the barangay level. Bring your police or cybercrime report, screenshots showing the timeline of the hack, and your public warning messages. Most barangay officials will understand once they see clear proof that you were also a victim and took immediate steps.

Another challenge is emotional stress. Friends and family may feel betrayed or anxious. Clear, repeated communication through multiple channels helps rebuild trust.

Foreigners whose accounts are hacked while in the Philippines, or who are scammed while dealing with someone in the Philippines, can still report to PNP-ACG or NBI. If you are abroad, you may need to execute an affidavit before a Philippine embassy or consulate (with apostille if required for use in the Philippines) or coordinate through counsel.

Frequently Asked Questions

How do I recover my hacked Facebook account if the hacker changed the email and phone number?
Visit facebook.com/hacked on a trusted device. Choose the option to verify your identity with a government-issued photo ID. Facebook can review it and help you regain access, force-logout other sessions, and reset security settings. Act as soon as possible.

Am I legally responsible if my hacked Facebook account was used to scam my friends?
Generally no, if you did not participate or benefit from the scams. Philippine law under RA 10175 treats the hacker as the offender. Promptly reporting the hack, warning your contacts, and filing a cybercrime complaint creates a strong record that you were a victim and acted responsibly.

What evidence should I prepare before reporting to PNP-ACG or NBI?
Full-screen screenshots of scam messages (with timestamps and profile URL), Facebook security notifications about changes to your account, your timeline of events, printed copies of any transaction receipts, and two valid government-issued IDs. A sworn complaint-affidavit detailing the facts will be prepared with the investigator’s assistance.

Can I get my money back if I sent it after receiving a message from a hacked account?
It depends on how fast you act and the payment method. Contact GCash, Maya, or your bank immediately to dispute the transaction and request a reversal or freeze. The chances of success are higher if you report within hours or on the same day. File a cybercrime complaint at the same time so authorities can help trace the recipient accounts.

How long does a cybercrime investigation usually take?
Initial intake and evidence review by PNP-ACG or NBI can happen within days. Preservation requests to platforms move relatively quickly. Preliminary investigation at the prosecutor’s office follows standard periods under the rules (often 10 to 60 days depending on complexity). Full prosecution and trial, if charges are filed in a Special Cybercrime Court, can take longer.

Should I post a public warning even if it feels embarrassing?
Yes. A clear, factual public notice on other platforms helps prevent more people from being scammed and creates an official record of the date you lost control of the account. It also protects you from misunderstandings.

What if I cannot recover the account at all?
Ask close friends to report the account to Facebook as compromised and used for fraud. Still file a detailed report with PNP-ACG or NBI, including all evidence of the hack and scam activity. Use the complaint reference when dealing with payment providers or any follow-up with Meta.

Can a foreigner whose account was hacked or who was scammed report this in the Philippines?
Yes. PNP-ACG and NBI accept reports from foreigners. If you are outside the country, you can submit initial reports online or through email and follow up with a notarized or apostilled affidavit. Jurisdiction generally exists when the damage occurred in the Philippines or the computer system was accessed here.

What penalties can the person who hacked and used my account face?
Under RA 10175, illegal access, computer-related identity theft, and computer-related fraud are each punishable by prision mayor (6 years and 1 day to 12 years imprisonment) or a fine of at least ₱200,000, or both. If estafa was committed through the hacked account, the penalty is increased by one degree. Additional violations of the Data Privacy Act may apply.

Is it enough to just change my Facebook password and warn a few people?
No. Changing the password alone does not address the scam messages already sent or create an official record. You should complete the full recovery process, issue a clear public warning, preserve evidence, and file a formal report with cybercrime authorities, especially if any money changed hands.

Key Takeaways

  • Your hacked Facebook account makes you a victim of cybercrime under RA 10175 (illegal access, identity theft, and computer-related fraud). The hacker, not you, bears criminal liability in almost all cases.
  • Act within the first hours: secure your linked email and phone, recover the account at facebook.com/hacked (use ID verification if needed), warn your entire network publicly through other channels, and take comprehensive screenshots with timestamps.
  • File a formal report with PNP-ACG or NBI Cybercrime Division rather than relying only on a regular police blotter. Bring printed evidence, IDs, and a clear timeline.
  • Victims who sent money should immediately dispute the transactions with GCash, Maya, or their bank and join or file a cybercrime complaint to support tracing and potential recovery.
  • Prompt documentation and public warnings protect you from misunderstandings and limit further harm even when tracing the hacker proves difficult.
  • Keep records of every step. These create the paper trail needed for authorities, payment providers, and any future civil action.

By following these steps methodically, you regain control of your digital presence, help protect the people who trust you, and contribute to holding cybercriminals accountable under Philippine law.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.