How to Check If a Website Is Legitimate in the Philippines: DTI, SEC, and Phishing Red Flags
This guide is written for consumers, in-house counsel, compliance teams, and MSMEs operating in or selling to the Philippines. It consolidates practical checks with the core legal framework (e-commerce, consumer protection, data protection, and securities regulation) and gives step-by-step verification methods against common red flags.
1) The One-Page Checklist (Start Here)
Before you pay or disclose personal data:
Identify the business
- Full name of the enterprise, business address (not just a P.O. box), email and phone.
- Links to DTI (for sole proprietors) or SEC (for corporations/partnerships) registration details.
- Official receipts or sales invoices that show a BIR-issued TIN and business name.
Verify registrations
- DTI BNRS search for sole proprietorships.
- SEC search for corporations/partnerships and check for SEC advisories if the site markets investments, lending, or “earnings programs.”
- (If provided) LGU business permit or mayor’s permit number and city/municipality.
Check commercial disclosures
- Clear prices in PHP (or currency stated), VAT treatment, delivery/handling fees, return/refund and warranty terms, and complaint channels.
Evaluate privacy and security
- Proper privacy notice (what data is collected, legal basis, retention, sharing, rights and contacts).
- Secure checkout (HTTPS/TLS, reputable payment gateway, 3-D Secure for cards).
- No requests for OTPs outside payment authorization.
Scan for red flags
- “Too-good-to-be-true” pricing, pressure to pay instantly (especially via “cash-in,” load, crypto, or over-the-counter remittances to personal names), inconsistent branding, newly created domains, and pages full of grammatical errors.
Prefer safer fulfillment & payment
- Use marketplace escrow, COD with inspection, or card/e-wallet with dispute mechanisms.
- Keep screenshots, order confirmations, tracking numbers, and receipts.
2) Legal Framework You Should Know
2.1 Consumer Protection & E-Commerce
- Consumer Act of the Philippines (Republic Act No. 7394): prohibits deceptive, unfair, and unconscionable sales acts or practices; sets product and service warranty standards; empowers DTI to enforce.
- E-Commerce Act (Republic Act No. 8792): recognizes electronic documents/signatures and criminalizes malicious acts against information systems. In practice, it underpins enforceability of online transactions and disclosures.
- Civil Code & Electronic Evidence Rules: contracts formed online are valid if essential elements exist; electronic data messages are admissible.
Practical effect: A legitimate site discloses identity, terms, and after-sales remedies. Misrepresentations and hidden fees risk administrative and civil liability—and potentially criminal liability if fraudulent intent is present.
2.2 Business Registration & Tax
- DTI Business Name Registration (BNRS): required for sole proprietors using a business name.
- SEC Registration: required for corporations and partnerships; certain businesses (e.g., lending, financing, investment solicitation) need additional licensing/notification.
- BIR Registration: taxpayers must register, issue official receipts/sales invoices, and display the BIR Certificate of Registration (Form 2303) at business premises (online sellers typically display it digitally or provide upon request).
Practical effect: A real business can substantiate DTI/SEC registration and BIR compliance (TIN on receipts, OR/SI numbers, VAT/non-VAT status).
2.3 Data Privacy & Cybersecurity
- Data Privacy Act (Republic Act No. 10173) and its IRR: requires a privacy notice, lawful processing, reasonable security measures, and a Data Protection Officer (DPO) where applicable.
- Cybercrime Prevention Act (Republic Act No. 10175): criminalizes computer-related fraud and identity theft.
Practical effect: If a site harvests personal data without a clear privacy notice, or asks for OTPs/passwords outside checkout, treat it as high risk.
2.4 Securities & Investments
- Securities Regulation Code (Republic Act No. 8799): offering “securities” (including investment contracts) to the public requires SEC registration or an applicable exemption; brokers, dealers, and investment advisers need proper licenses.
- Administrative advisories: SEC routinely issues public advisories naming entities that illegally solicit investments or misuse corporate forms.
Practical effect: If a website promises passive income, guaranteed returns, multi-level payouts, or “forex/crypto doubling,” check SEC advisories first. Assume illegality if there’s no registration/license.
3) How to Verify a Philippine Website, Step by Step
Tip: Do not rely on any one signal. Combine business registration checks, content/legal disclosures, payment security, domain forensics, and reputational signals.
3.1 Business Existence
DTI (Sole Proprietor) Check
- Ask for: Business name, owner’s name, BNRS certificate number (or screenshot).
- Confirm via the DTI BNRS lookup (the business name should match exactly, and the scope—Barangay/City/Regional/National—should make sense for the claimed footprint).
SEC (Corporation/Partnership) Check
- Ask for: Corporate name, SEC registration number (and if applicable, secondary licenses: lending, financing, investment house, broker/dealer).
- Confirm via SEC company search.
- If the site markets investments, lending, or high-yield programs, search SEC Advisories by name and known aliases.
BIR Compliance
- Ask for: BIR Certificate of Registration (Form 2303) and sample OR/SI.
- Look for a proper TIN, printed company name, and address on invoices/receipts.
LGU/Miscellaneous
- Some industries require LGU permits, FDA (food/cosmetics/medical devices), DICT/NTC (telecom devices/SMS), or DOST/DA permits. If the product touches a regulated space, request the relevant permit.
3.2 Mandatory Commercial Disclosures (Good-Faith Signals)
A compliant site typically shows:
- Identity & Contacts: legal name, principal business address, customer service email and phone/chat hours.
- Pricing: itemized price, taxes (VAT or non-VAT), shipping/handling, and any platform fees.
- Terms of Sale: order flow, acceptance, cancellation, delivery timelines, risk of loss, title passage.
- Returns/Refunds/Warranties: conditions, periods, exclusions, and process (who pays return shipping).
- Privacy Notice & Cookies: categories of data collected, purposes, sharing, retention, rights, and DPO/contact.
- IP & Content: trademark/copyright notices, licensing of user reviews/photos.
- Dispute Channels: email/portal, response time commitments, and escalation route (e.g., DTI mediation).
3.3 Technical & Domain Forensics
URL/Domain
- Check for typosquatting and look-alike hosts (e.g., “rn” substituted for “m,” non-Latin letters that render like Latin ones, extra hyphens, or the brand name placed in a subdomain of an unrelated domain) and mismatched branding.
- Look up domain age (very new domains selling luxury goods at 80–90% off are high-risk).
HTTPS/TLS
- Padlock is necessary but not sufficient: it only means the connection is encrypted to whoever controls that domain, and scammers obtain TLS certificates for free.
Content Quality
- Inconsistent logos, blurry seals, stolen product photos, and machine-translated copy suggest impersonation.
Footers & Policies
- Missing or generic “lorem ipsum” privacy/terms pages are red flags.
Certificates/Trustmarks
- If a site claims DTI Bagwis or other trustmarks, verify on the issuer’s listings; logos are easy to copy.
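The URL/domain and domain-age checks above can be scripted so they are applied consistently rather than by eye. The following Python is an added example and is not part of the original guide or any official tool. The brand name (`examplebrand`), its genuine domains, the shortener list, the two-label suffix list and the WHOIS excerpt are all constructed for illustration; a real check would replace them with the brand being verified and the output of an actual WHOIS/RDAP lookup. It goes slightly beyond the bullet list by also flagging shortened links and direct `.apk` downloads.

```python
"""Lexical look-alike checks for URLs plus a WHOIS-based domain-age check.

Added example, not from the original guide. BRAND, KNOWN_DOMAINS, SHORTENERS,
TWO_LABEL_SUFFIXES and SAMPLE_WHOIS are constructed assumptions for illustration.
"""
import re
import unicodedata
from datetime import date
from typing import List, Optional
from urllib.parse import urlparse

BRAND = "examplebrand"                                       # hypothetical brand being protected
KNOWN_DOMAINS = {"examplebrand.ph", "examplebrand.com.ph"}   # its genuine registrable domains (assumed)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
TWO_LABEL_SUFFIXES = {"com.ph", "net.ph", "org.ph", "gov.ph", "edu.ph", "co.uk"}
# Letter pairs that read like another letter in many fonts, and Cyrillic letters
# (a e o p c x y, written as escapes) that render identically to Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")

def fold_label(label: str) -> str:
    """Collapse a label to the ASCII it imitates: strip accents, map homoglyphs and confusables."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).translate(HOMOGLYPHS)
    for seq, target in CONFUSABLES.items():
        text = text.replace(seq, target)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def decode_host(host: str) -> str:
    """Render punycode labels (xn--...) as Unicode so hidden homoglyphs become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode

def registrable_domain(host: str) -> str:
    """The part the registrant controls: last two labels, or three under com.ph-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def assess_url(url: str) -> List[str]:
    """Return the lexical red flags for one URL; an empty list means none were found."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").rstrip(".")
    flags = [] if parsed.scheme == "https" else ["not HTTPS"]
    shown = decode_host(host)
    if shown != host:
        flags.append(f"punycode host displays as {shown}")
    reg = registrable_domain(shown)
    if reg in KNOWN_DOMAINS:
        return flags                        # genuine domain: only the transport check applies
    if reg in SHORTENERS:
        flags.append("shortened link hides the real destination")
    if parsed.path.lower().endswith(".apk"):
        flags.append("direct APK download (Android sideload)")
    sld, brand = reg.split(".")[0], fold_label(BRAND)
    folded = fold_label(sld)
    distance = min(edit_distance(sld, brand), edit_distance(folded, brand))
    if folded == brand:
        flags.append(f"look-alike of {BRAND} (homoglyph/confusable substitution)")
    elif distance <= 2:
        flags.append(f"typosquat of {BRAND} (edit distance {distance})")
    elif brand in folded:
        flags.append(f"{BRAND} embedded in unrelated domain {reg}")
    sub_labels = shown.lower().split(".")[: -len(reg.split("."))]
    if any(brand in fold_label(lbl) for lbl in sub_labels):
        flags.append(f"{BRAND} used as a subdomain of {reg}")
    if reg.count("-") >= 2:
        flags.append("multiple hyphens in registrable domain")
    return flags

def domain_age_days(whois_text: str, today: date) -> Optional[int]:
    """Age of a domain from WHOIS output (its 'Creation Date' line); None if the line is absent."""
    match = re.search(r"(?im)^\s*(?:Creation Date|Registered On|created):\s*(\d{4}-\d{2}-\d{2})", whois_text)
    return (today - date.fromisoformat(match.group(1))).days if match else None

# Constructed WHOIS excerpt (not a real record) used for the age check.
SAMPLE_WHOIS = """Domain Name: EXAMPLEBRAND-PH-SUPPORT.COM
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-20T10:12:33Z
Registry Expiry Date: 2025-05-20T10:12:33Z
"""

if __name__ == "__main__":
    samples = [
        "https://examplebrand.ph/checkout",
        "http://examplebrand.ph/checkout",
        "https://exarnplebrand.ph/sale",                                     # rn -> m
        "https://" + "ex\u0430mplebrand.ph".encode("idna").decode("ascii"),  # Cyrillic a, punycoded
        "https://exampelbrand.ph",                                           # transposition
        "https://examplebrand.ph.secure-login.site/verify",                  # brand as subdomain
        "https://examplebrand-ph-support.com/app.apk",
        "https://bit.ly/3xyz",
    ]
    for sample in samples:
        print(f"{sample}\n  -> {assess_url(sample) or ['no lexical red flag']}")
    print("domain age (days):", domain_age_days(SAMPLE_WHOIS, date(2024, 6, 1)))
```

These checks are lexical only: a clean result means the URL does not imitate the brand, not that the site is legitimate, so they complement rather than replace the registration checks in 3.1. Folding is applied to both the raw and the confusable-folded label because folding a genuine typo (e.g. a dropped letter next to an "rn") can move it further from the brand rather than closer.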
3.4 Payments, Delivery, and After-Sales
- Preferred: marketplace escrow, COD with inspection, or reputable e-wallet/card with chargeback/transaction dispute options.
- Avoid: one-way irreversible transfers (cash-in to personal wallets, crypto to personal addresses, gift cards/load).
- Delivery: insist on trackable couriers; be wary of “own rider” without verifiable dispatch details.
- Documentation: keep order confirmations, conversations, and delivery receipts—these are key for disputes and small-claims actions.
4) Phishing and Scam Red Flags (Philippine Context)
Payment Pressure
- “Reserve now or price goes up in 10 minutes,” “Send to this GCash number only,” “Top-up via load or e-pins.”
Impersonation of Local Brands/Agencies
- Fake DTI/SEC “permits,” bogus delivery fee collection texts, or “customs clearance” fees for parcels you never ordered.
Fake Order/Delivery Notifications
- Links that install APKs (Android sideload) or ask for card details/OTP.
Investment Language on a Retail Site
- “Membership packages” with guaranteed returns, referral income, or staking yields—check SEC advisories.
Social-Media-Only Stores
- No standalone site, hidden ownership, payment to personal accounts, and curated comments with no independent reviews.
Inconsistent Identities
- Business name in the footer does not match checkout merchant descriptor, TIN, or courier waybill.
Unsolicited Messages
- SMS/DMs promising jobs/commissions (“rate tasks”) or parcel redelivery with shortened links—report and block.
5) Evidence to Keep (If Things Go Wrong)
- Screenshots of the website pages (product, checkout, policies), chat/email threads, invoices/receipts, payment confirmations, courier tracking, and IDs of persons you dealt with.
- For phishing/malware: the URL, message content, sender handle/number, and the date/time received.
- Maintain a simple timeline of events (offer → order → payment → delivery or non-delivery).
6) Remedies and Where to Complain
The right venue depends on the nature of the problem (consumer goods, data misuse, or investment scam). Parallel reporting is common and acceptable.
- Consumer transaction disputes (goods/services, deceptive acts): file with DTI for mediation/administrative action; marketplaces typically cooperate with DTI requests.
- Data privacy violations (unlawful processing, breaches, spam with personal data misuse): file with the National Privacy Commission; include your evidence and show harm or risk.
- Cybercrime (phishing, identity theft, card-not-present fraud, malware): report to law enforcement cybercrime units and your bank/e-wallet immediately to trigger fraud operations and freeze protocols.
- Investment scams/unregistered solicitation: report to the SEC (include URLs, social pages, payment channels, and names of recruiters).
- Civil claims: pursue Small Claims for money claims within the prevailing jurisdictional amount (no lawyer required), or ordinary civil/criminal actions for fraud.
- Chargebacks/Payment Disputes: notify your card issuer/e-wallet provider promptly; short deadlines apply.
7) Model Policies & Clauses to Look For (or Implement)
If you operate a website—or are assessing one—these minimums reduce risk:
- Imprint/Disclosure Page: legal name, business style, SEC/DTI number, principal office, contact details, and DPO contact (if applicable).
- Terms of Sale: offer/acceptance mechanics, availability, pricing errors clause, payment risk allocation, delivery timelines, inspection period, return/refund workflow, warranty, and governing law/forum.
- Privacy Notice: purposes (order fulfillment, fraud prevention, marketing with consent), lawful bases, data sharing (couriers, payment processors), retention, data subject rights (access, correction, deletion), DPO contact, and complaints route.
- Security Statement: use of TLS, vetted payment gateways, OTP handling, and guidance not to share one-time passwords with anyone.
- Complaints Handling: SLA for responses (e.g., within 3–5 business days), escalation path, and external remedies (DTI/SEC/Privacy Commission).
8) Due Diligence Playbook (For Counsel & Compliance Teams)
- Corporate Profile: SEC GIS or BNRS printout; beneficial ownership (where available); key officers.
- Licensing Map: industry-specific permits (FDA, NTC, etc.); cross-border implications if shipping from abroad.
- Tax Health Check: BIR registration, e-invoice/e-receipt systems (if applicable), sample OR/SI, VAT status.
- Policy Gap Analysis: compare site disclosures against Consumer Act and Data Privacy Act requirements.
- Security Review: TLS configuration, CSP, PCI-DSS (if storing/processing cards), breach response plan.
- Third-Party Risk: payment gateway agreements, logistics SLAs, marketplace T&Cs; confirm anti-fraud tooling.
- Monitoring: watchlists for domain impersonation, takedown readiness, and social media brand abuse playbooks.
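The “Security Review” item above names TLS configuration and CSP without saying what a reviewer actually looks for. The following Python is an added example, not part of the original guide: it audits the headers of a saved HTTP response for HSTS, a CSP that does not allow inline or wildcard scripts, cookie attributes, and `nosniff`. Both responses are constructed (no real site was captured), and the 180-day HSTS minimum is an assumption.

```python
"""Audit of security-relevant HTTP response headers.

Added example, not from the original guide. The two responses below are constructed;
the HSTS minimum of 180 days is an assumed review threshold.
"""
import re
from typing import List, Tuple

MIN_HSTS_SECONDS = 180 * 24 * 3600   # assumed minimum max-age a reviewer would accept

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into lower-cased (name, value) pairs, ignoring the status line and body."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw: str) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means the checked headers are in order."""
    headers = parse_headers(raw)
    values = lambda name: [v for n, v in headers if n == name]
    findings = []

    hsts = values("strict-transport-security")
    match = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not match:
        findings.append("no Strict-Transport-Security header")
    elif int(match.group(1)) < MIN_HSTS_SECONDS:
        findings.append(f"HSTS max-age too short ({match.group(1)}s)")

    csp = values("content-security-policy")
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        directives = {}
        for directive in csp[0].split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0]] = parts[1:]
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append("CSP allows inline scripts ('unsafe-inline' in script-src)")
        if "*" in script:
            findings.append("CSP script-src allows any origin")

    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            missing.append("samesite")
        if missing:
            findings.append(f"cookie {name} missing {', '.join(missing)}")

    if [v.lower() for v in values("x-content-type-options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options: nosniff not set")
    return findings

# Constructed responses: the first is what a careless checkout returns, the second the corrected version.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example

<html>...</html>"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff

<html>...</html>"""

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, "->", audit_headers(response) or ["no findings"])
```

The audit reads a response you have already captured (for example with `curl -i`), so it can be run on evidence collected during the review rather than against the live site each time. It deliberately checks the `script-src` directive falling back to `default-src`, because a policy that sets only `default-src 'self' 'unsafe-inline'` still permits inline scripts.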
9) Frequently Asked Questions
Is an HTTPS padlock enough to trust a site? No. TLS only secures the connection; it doesn’t validate the seller’s legitimacy.
Do I have a “seven-day return right” by law? There’s no universal seven-day right to return in the Philippines. Your remedies derive from the Consumer Act (unfair/deceptive practices, defects) and the seller’s policy/marketplace rules. Many platforms voluntarily give 7–15 days—check the posted terms.
Are Facebook/Instagram sellers required to register? If they are “doing business” (habitual sales for profit), they generally should be registered (DTI for sole proprietors; SEC for corporations/partnerships) and BIR-registered for tax. Ask for proof.
A site shows a DTI/SEC “certificate” image. Is that sufficient? No. Independently verify against official search tools and, for investments, scan SEC Advisories.
10) Quick Script You Can Use With Sellers
“Hi! Before I place my order, please share your DTI/SEC registration number (and business name as registered), your BIR Certificate of Registration or a sample official receipt showing your TIN and business name, and a link to your return/refund policy. Thanks!”
If the seller refuses or stalls, treat that as a significant risk signal.
Bottom Line
A legitimate Philippine website won’t hide who it is, will align its DTI/SEC/BIR records with the branding you see online, and will provide clear terms, privacy notices, and secure, reversible payment channels. Combine registration verification, policy review, payment prudence, and phishing awareness—and you’ll avoid most scams while preserving strong remedies if something goes wrong.