How Foreigners Report Cybercrime in the Philippines: NBI, PNP-ACG, and Evidence Checklist

How Foreigners Report Cybercrime in the Philippines: NBI, PNP-ACG, and an Evidence Checklist

This article explains—step by step—how non-Filipino complainants can report cybercrime in the Philippines, what to expect from the National Bureau of Investigation (NBI) and the Philippine National Police – Anti-Cybercrime Group (PNP-ACG), and how to prepare evidence that actually moves cases forward. It is written for practical use and reflects the prevailing Philippine legal framework, including the Cybercrime Prevention Act (Republic Act No. 10175), the Data Privacy Act (RA 10173), the E-Commerce Act (RA 8792), and the Supreme Court’s Rules on Electronic Evidence and Rule on Cybercrime Warrants.

1. Who handles cybercrime cases?

NBI (Cybercrime Division/Units)

  • What they do: Criminal investigation and digital forensics; build cases for filing with prosecutors; coordinate with INTERPOL and foreign agencies; handle complex, syndicated, or cross-border cases.
  • When to go: High-impact hacks, large-value online fraud, sextortion rings, ransomware, corporate compromise, cases requiring deep forensics, or matters involving international cooperation.

PNP – Anti-Cybercrime Group (ACG)

  • What they do: Receive complaints nationwide; conduct entrapment, field operations, search warrants, on-scene digital seizure; maintain regional cybercrime offices for faster response.
  • When to go: Time-sensitive threats (ongoing extortion, live scams), arrest operations, and cases where police presence or immediate action is needed.

In practice, you may report to either NBI or PNP-ACG. They also cross-endorse complaints. For urgent, in-progress threats, go to PNP-ACG; for complex or highly technical matters, NBI is often the better first stop.

2. Can foreigners file complaints? (Yes.)

Standing and access. Foreign nationals may file criminal complaints in the Philippines if the offense is triable here. You do not need residency. If you are abroad, you can authorize a representative via a Special Power of Attorney (SPA) (consularized or apostilled, as applicable).

Basic identity documents to bring or submit:

  • Passport (bio page) and latest entry stamp or immigration status document (e.g., ACR I-Card if resident).
  • Local contact details; if overseas, provide a serviceable email and address for notices.
  • For corporate victims: board/secretary’s certificate authorizing the signatory.

3. When does the Philippines have jurisdiction?

Under RA 10175 (Cybercrime Prevention Act) and the Revised Penal Code, Philippine authorities generally have jurisdiction if any of the following apply:

  • The harmful act or its essential elements occurred in the Philippines (e.g., the offender or victim is here, the money was received here, or the device/server used is here).
  • The computer system or data affected is wholly or partly situated in the Philippines.
  • The offense produced substantial harmful effects in the Philippines (e.g., Filipino victims, local financial institutions impacted).
  • Some offenses also have extraterritorial reach, especially where a Filipino offender is involved or local systems are targeted.

Practically, prosecutors look for concrete Philippine hooks: local IP usage, SIM/subscriber data, bank accounts, cash-out points, delivery addresses, or devices recovered here.

4. What offenses are commonly involved?

  • Illegal access, data and system interference, misuse of devices – RA 10175.
  • Computer-related fraud/forgery/identity theft – RA 10175 (e.g., phishing, account takeovers).
  • Cyberlibel – RA 10175 in relation to libel provisions of the Revised Penal Code.
  • Voyeurism and non-consensual intimate images – RA 9995.
  • Child sexual abuse/exploitation material (OSAEC) – RA 11930 (Anti-OSAEC and Anti-CSAEM Act) and RA 9775.
  • Estafa (swindling) and Qualified Theft – Revised Penal Code, when committed through online means.
  • Access device fraud – RA 8484 (Access Devices Regulation Act).
  • Data privacy violations – RA 10173 (handled administratively and quasi-criminally through the National Privacy Commission, but also often factually entwined with cybercrime).

5. Where and how to report

A. Immediate safety or ongoing extortion?

  • Call or go to the nearest PNP station or PNP-ACG office. Request police assistance and a blotter entry.
  • Preserve live communications; do not delete chats/emails.

B. Formal complaint with NBI or PNP-ACG

  1. Prepare an Affidavit-Complaint

    • Written, sworn and notarized (or executed before the receiving agent).
    • Clearly narrate the offense in chronological order: who, what, where, when, how, and the acts showing each legal element.

  2. Attach evidence (see checklist below). Number and label exhibits (e.g., “Annex A-1 Screenshot of Instagram DM, with URL and timestamp”).

  3. Appear for interview (in person or, where allowed, via video). Bring original devices if requested for imaging.

  4. For foreigners abroad: Submit through an authorized representative with SPA, or coordinate by email/phone first and arrange later on-site execution, depending on the office’s practice.

C. After filing: What happens?

  • Case build-up. Investigators may request subscriber info (telco, platforms), bank records, or CCTV via lawful requests or cybercrime warrants (see §7).
  • Prosecutor filing. Once evidence is sufficient, NBI/PNP files a criminal complaint with the Office of the City/Provincial Prosecutor for inquest (if suspect arrested) or regular filing (if at-large).
  • Subpoena/Counter-affidavits. The prosecutor issues subpoena; you may need to affirm your affidavit and testify at trial. Remote testimony may be allowed on motion in appropriate cases.

6. Parallel/alternative avenues

  • National Privacy Commission (NPC): If the matter involves personal data breaches, doxxing, unlawful processing, or failure of a Philippine entity to secure personal data, you may lodge a complaint with NPC for administrative action and compliance orders.
  • Civil actions: Injunctions, damages, and replevin may be pursued in civil courts, often alongside criminal complaints (e.g., to freeze assets or restrain further disclosure of intimate images).
  • Platform reporting: Use the platform’s legal/reporting channel. Preserve ticket numbers and email confirmations—they aid later data preservation orders.

7. Investigative tools authorities may use (what to expect)

Under the Rule on Cybercrime Warrants, investigators (upon judicial authorization) can obtain:

  • WDCD – Warrant to Disclose Computer Data: Compels service providers to disclose specified data (subscriber info, traffic data, logs).
  • WSSECD – Warrant to Search, Seize, and Examine Computer Data: Authorizes on-site seizure/imaging and forensic examination of devices/storage.
  • WICD – Warrant to Intercept Computer Data: Allows real-time collection or interception of specified communications/traffic data within defined scope.

Additionally, Data Preservation Orders under RA 10175 can require providers to preserve data for at least 6 months (extendable). Cooperation with INTERPOL, MLA channels, and local regulators/banks is common in cross-border fraud, money mule, and account-takeover cases.

8. The Evidence That Actually Helps (Foreign Complainant Edition)

Golden rules

  1. Originals or best evidence form. Keep the device, original files, and raw exports.
  2. Completeness beats curation. Investigators need full threads, headers, URLs, ids, and timestamps, not cropped snippets.
  3. Prove integrity. Where feasible, compute hash values (e.g., SHA-256) of files and note the hash in your affidavit. Do not modify files after hashing.
  4. Chain of custody. Record who handled what, when, and how; pack devices in evidence bags; avoid powered-on handling unless instructed.

A. Universal checklist (nearly all cases)

  • Your identity: Passport scan; Philippine entry stamp/visa if applicable; local and overseas contact details.

  • Affidavit-Complaint: Clear timeline and identification of suspects/accounts (handles, URLs, email addresses, phone numbers, wallet addresses).

  • Screenshots with context:

    • Include full URL bar (where relevant), visible timestamps/timezone, and account names/IDs.
    • For chats: capture entire conversation, not just the incriminating line.

  • Platform exports:

    • Facebook/Instagram/Twitter/X/WhatsApp/Telegram: full data exports or chat exports (JSON/ZIP) with hash and export log.
    • Email: save original .eml/.msg files with full headers.

  • Financial trail: bank transfer receipts, remittance stubs, GCash/GrabPay/Maya records, credit card charge slips, SWIFT/IBAN data, crypto TXIDs and wallet addresses.

  • Device evidence: the phone/PC used, with a written note of model/serial/SIM and unlock codes placed in a sealed envelope for use only if a warrant/consent requires access.

  • Preservation letters: copies of requests you sent to platforms/banks asking for preservation of data and the ticket numbers they issued.

B. Offense-specific additions

1) Online fraud/phishing/“investment” scams

  • Landing pages’ full URLs, WHOIS if you captured it, and any redirect chains.
  • Ad identifiers or campaign screenshots if you were targeted by ads.
  • Bank mule details (account names/numbers, deposit slips, ATM photos, withdrawal timestamps).
  • Crypto: exchange names, account emails, KYC screenshots, TXIDs, memos, chain type.

2) Account takeover/hacking

  • Login alerts, new-device alerts, recovery emails/SMS with timestamps.
  • IP logs or security activity pages exported from the platform.
  • Proof of 2FA status before/after compromise.
  • If malware suspected: retain the infected device and suspicious files (zipped), do not run them.

3) Sextortion/non-consensual intimate images

  • Full chat/video call logs; payment demands; proof of payment (if any).
  • All usernames/handles used by the suspect; links to groups/channels where material was threatened to be posted.
  • If images were posted, capture URL + date/time and take rapid steps for takedown/preservation.

4) Cyberlibel/harassment/doxxing

  • Full posts/comments with permalink URLs; profile pages; republication evidence (shares/retweets).
  • Proof of falsity or actual malice (where relevant) and context (prior disputes, demands).
  • If anonymous: note any pattern, time of posting, or language quirks—useful when matched with IP/subscriber data.

5) Business email compromise (BEC)

  • Original .eml messages with headers; mailbox rules and forwarding settings; SPF/DKIM/DMARC results.
  • Invoice copies, wire instructions, counterparty confirmations; bank recall attempts and SWIFT GPI traces.

6) Ransomware/intrusions

  • Ransom note, targeted extension, sample encrypted file and unencrypted original for comparison.
  • EDR/SIEM logs, firewall/VPN logs; backup status; list of affected hosts.
  • Do not power down servers without advice; preserve volatile data if possible.

9. Drafting the Affidavit-Complaint (structure you can copy)

  1. Parties and capacity (your nationality, passport no., authority if corporate).
  2. Venue/Jurisdiction (why the case is triable in the Philippines).
  3. Statement of facts (chronology with dated entries; attach exhibits).
  4. Elements of offense (briefly map facts to the law—e.g., for identity theft, show unauthorized acquisition and misuse of identifying information).
  5. Damages/Harm (financial loss, reputational damage, mental distress, business disruption).
  6. Reliefs requested (investigation, issuance of cyber warrants, preservation requests to specified providers, coordination with banks/exchanges, and prosecution of named/unknown persons).
  7. Verification and jurat (sworn before officer; if executed abroad, have it apostilled/consularized and attach translation if not in English/Filipino).

10. Practical tactics that speed up Philippine cases

  • Name the providers early. List telcos, banks, e-wallets, platforms, and ticket numbers so investigators know whom to serve with preservation/disclosure requests.
  • Time-box data retention. Many providers auto-delete logs within 90–180 days. Ask authorities to issue preservation immediately.
  • Keep your phone number active. OTP/2FA and callback verification may be needed.
  • Avoid “self-forensics.” Don’t alter drives/apps; it can taint evidence. If you already captured data, document how (tool used, date/time, steps).
  • Mind confidentiality. Don’t post case details online; it risks defamation and tips off suspects.
  • Consider civil preservation/freeze. For fraud, ask counsel about asset freeze, bank recalls, or Rule 57 preliminary attachment where warranted.

11. Common pitfalls (and how to avoid them)

  • Cropped screenshots without URLs/headers. Always include context and metadata.
  • Deleting chats or closing accounts. This destroys evidence; request takedown after preservation.
  • No Philippine nexus stated. Even if you’re a foreigner abroad, articulate the local hook (e.g., “Funds were cashed out to GCash account no. … registered to a Philippine number…,” “The SIM used (+63…) traced to Quezon City”).
  • Unsworn narratives. Prosecutors need sworn statements and, at trial, willingness to testify.
  • Missing SPA. If you won’t be physically present, empower a local representative properly.

12. Frequently asked “what ifs”

  • What if the suspect is anonymous? Start with what you have (handles, phone numbers, emails, wallet addresses). Authorities can escalate to WDCD for subscriber info and to banks/exchanges for KYC.
  • What if I’m overseas and can’t come soon? File via a representative with SPA and appear later if needed; ask investigators about remote affirmation options during the prosecutor’s stage.
  • What if the platform is foreign? Philippine law enforcement routinely coordinates with major platforms via legal channels, especially after issuance of warrants or preservation requests.
  • Can I sue for damages? Yes. You can file a civil action for damages, separately or together with the criminal case.
  • Is mediation possible? For some offenses (e.g., certain fraud amounts or cyberlibel), prosecutors may explore settlement; for OSAEC/child-related crimes, settlement is not an option.

13. Quick reporting pack (print-ready)

  • Passport bio page + entry stamp (or ACR I-Card).

  • Proof of authority (corporate cert/SPA).

  • Affidavit-Complaint (signed, notarized/consularized).

  • Master evidence folder:

    • Chats (full export + PDFs with visible timestamps).
    • Emails (.eml/.msg + PDF render).
    • Financial records (statements/receipts/TXIDs).
    • Device list (model/SN/IMEI/SIM).
    • Hash list (files + SHA-256).
    • Preservation letters and platform/bank ticket numbers.
    • Incident timeline (one-page table of key events with dates/times).

14. Final notes and disclaimer

  • Philippine cybercrime enforcement relies on speedy preservation, clear narratives, and properly packaged electronic evidence under the Rules on Electronic Evidence.
  • This article is general information, not legal advice. For case-specific strategy, consult a Philippine lawyer experienced in cybercrime, data privacy, and electronic evidence.

One-page template: Incident Timeline (you can copy)

Date/Time (PH Time) Event Source/Exhibit Notes
2025-09-14 21:13 Instagram DM received from @user123 demanding money Annex A-1 Screenshot shows URL, handle, timestamp
2025-09-15 09:02 USD 1,000 sent via Exchange X to wallet bc1… Annex B-3 TXID: …; memo: …
2025-09-16 14:45 Threat to publish; link to Telegram channel Annex C-2 Preservation ticket #TG-45821
2025-09-17 10:20 Report filed with PNP-ACG NCR Annex D-1 Blotter ref. no. …

With the right package of jurisdictional facts, tight affidavits, and forensic-grade evidence, both NBI and PNP-ACG can act quickly—issuing preservation requests, applying for cyber warrants, and bringing your complaint to the prosecutor for criminal charges.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login