Hacked Facebook Account Used for Scam

In the Philippines, Facebook has evolved from a simple social networking site into an essential infrastructure for personal communication, commercial enterprise, and digital identity. However, this high level of integration makes users exceptionally vulnerable to cybercrime. A rapidly growing modus operandi involves the unauthorized access (hacking) of a legitimate user's account, followed by the deployment of social engineering or financial scams targeting the victim’s contacts or the public.

When this happens, a complex legal knot emerges involving two distinct victims: the account owner whose digital identity was stolen, and the defrauded third party who parted with money.

The Constitutional and Legal Landscape

The Philippine legal framework provides a robust matrix of special penal laws and traditional criminal statutes to address cyber hijacking and subsequent fraud.

1. Republic Act No. 10175: The Cybercrime Prevention Act of 2012

This is the primary legislation governing the unauthorized takeover of digital accounts. A hacker who hijacks a Facebook account to perpetrate a scam commits multiple distinct offenses under Section 4:

  • Illegal Access (Sec. 4(a)(1)): The mere act of accessing a computer system or social media account without right or authority.
  • Computer-related Identity Theft (Sec. 4(b)(3)): The unauthorized acquisition, use, or misuse of another person’s identifying information (such as a Facebook profile name, photos, and credentials) with intent to commit fraud or cause harm.
  • Computer-related Fraud (Sec. 4(b)(2)): The unauthorized alteration, deletion, or manipulation of computer data, or any interference with the functioning of a computer system, with fraudulent intent to cause economic damage.

2. Republic Act No. 12010: The Anti-Financial Account Scamming Act (AFASA)

Enacted to aggressively combat evolving cyber-fraud ecosystems, AFASA directly targets social engineering schemes. If a hacker uses a compromised account to trick targets into revealing sensitive financial credentials, e-wallet details (e.g., GCash, Maya), or bank information, they face harsh penalties. Furthermore, AFASA criminalizes "money mules"—individuals who allow their financial accounts to be used to receive or funnel the proceeds of these Facebook scams.

3. Act No. 3815: The Revised Penal Code (RPC)

The traditional crime of Estafa or Swindling (Article 315) remains applicable when cybercriminals use deceit or false pretenses (impersonating the true account owner) to induce a victim to part with money or property. When committed via information and communications technology (ICT), the penalty is raised by one degree under Section 6 of RA 10175.

4. Republic Act No. 10173: The Data Privacy Act of 2012

A hacked account constitutes a malicious data breach. The unauthorized processing, access, and disclosure of the private messages, contact lists, and personal data contained within the Facebook account violate the Data Privacy Act, exposing perpetrators to independent criminal penalties and administrative fines from the National Privacy Commission (NPC).

Exoneration vs. Liability: The Account Owner’s Predicament

A primary point of anxiety for the legitimate account owner is whether they can be held criminally or civilly liable for the scams executed under their name.

General Rule of Non-Liability: Under Philippine criminal law, liability is personal. An individual cannot be held criminally liable for a crime they did not commit, authorize, or participate in. If the owner can prove their account was hijacked, they are considered a victim of identity theft, not a co-conspirator.

However, the burden of evidence practically shifts to the account owner to clear their name, especially if the swindled victims file complaints with the Barangay or law enforcement. The owner must establish that:

  1. They lost control of the account prior to the fraudulent acts.
  2. The destination accounts (GCash, bank accounts) where the stolen money was sent do not belong to them.
  3. They took prompt, reasonable steps to mitigate the damage and warn their network upon discovery.

Evidentiary Requirements under the Rules on Electronic Evidence

To file a successful criminal complaint or to legally shield oneself from liability, parties must comply with the Rules on Electronic Evidence (A.M. No. 01-7-01-SC). Digital evidence must be preserved immediately before it is altered or deleted by the hacker.

  • Screenshots: Capture the exact messages where money was solicited, including the profile URL and unique account ID of the compromised profile.
  • System Logs/Alerts: Save emails from Meta indicating unauthorized logins from unrecognized devices, unusual locations, or unexpected password modifications.
  • Transaction Receipts: Defrauded third parties must secure official transaction logs, reference numbers, and account names from financial institutions (e.g., e-wallet receipts, bank transfer confirmations).

Summary of Penalties and Liabilities

Offense / Law Nature of Violation General Penalties (Philippine Context)
Illegal Access


(RA 10175) | Hacking and entering the account without authority. | Imprisonment of 1 to 6 years and/or a fine of at least ₱200,000. | | Computer-related Identity Theft


(RA 10175) | Impersonating the true owner to victimize contacts. | Imprisonment of 6 to 12 years and/or a fine of at least ₱200,000. | | Estafa via ICT


(Revised Penal Code + RA 10175) | Defrauding third parties of money via online deceit. | Penalty under RPC increased by one degree (can reach Reclusion Temporal depending on the amount). | | Social Engineering / Money Muling


(RA 12010 - AFASA) | Orchestrating financial scams; utilizing mule accounts. | Heavy fines and long-term imprisonment; non-bailable if constituting economic sabotage. | | Data Privacy Violations


(RA 10173) | Unauthorized processing and breach of personal chats/data. | Imprisonment of 1 to 6 years and fines ranging from ₱500,000 to ₱5,000,000. |

Procedural Remedies: Action Plan for Victims

For the Account Owner (Identity Theft Victim)

  1. Immediate Public Notice: Use alternative social media platforms, SMS, or public posts via trusted friends to declare that the original account has been compromised. Explicitly state: "Do not send money or click any links coming from my profile."
  2. Account Securitization & Reporting: Execute Meta’s compromised account protocols (facebook.com/hacked). Download login history if partial access remains.
  3. Blotter and Cybercrime Reporting: File an official police blotter at the nearest station and lodge a formal complaint with the Philippine National Police Anti-Cybercrime Group (PNP-ACG) or the National Bureau of Investigation Cybercrime Division (NBI-CCD). Secure an official copy of the report to defend against potential civil claims or criminal complaints.

For the Defrauded Third Party (Financial Scam Victim)

  1. Freeze Funds: Immediately report the transaction to the receiving financial institution (the bank or e-wallet provider) referencing the AFASA provisions to hold or track the fraudulent transfer.
  2. File Criminal Complaint: Bring transaction receipts, chat logs, and affidavits to the PNP-ACG or NBI-CCD. Because the real hacker is often anonymous initially, the complaint is typically filed against "John Doe/Jane Doe" or the registered owner of the destination financial account (the suspected money mule).
  3. Civil Action for Damages: Under Article 33 of the Civil Code, an independent civil action for fraud and damages can be pursued to recover lost funds and seek moral damages for the psychological distress caused by the scam.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login