Discovering an online loan you never applied for—or receiving threats from collectors using your name, ID, photograph, or contact list—can be frightening. The most effective response is to treat the incident as three connected problems: a fraudulent debt, a possible data privacy violation, and a potential cybercrime. Act quickly, but preserve evidence before blocking numbers, deleting messages, or uninstalling the lending app.
First, identify what actually happened
Different situations require different responses. Do not automatically describe every abusive online lending incident as identity theft.
| Situation | What it usually means | Main action |
|---|---|---|
| A loan was opened in your name without your knowledge | Possible computer-related identity theft, falsification, fraud, or misuse of personal data | Dispute the debt, demand the lender’s records, and report the crime |
| You applied for the loan, but someone took over your account | Possible account takeover, SIM-swap fraud, phishing, or unauthorized access | Secure your accounts and dispute unauthorized changes or transactions |
| You borrowed money, but the collector contacted or shamed your family, employer, or friends | The debt may be genuine, but the collection method may be unlawful | Report unfair collection and data privacy violations |
| You were listed as a character reference | You are not automatically a borrower or guarantor | Demand removal of your data and reject any claim that you owe the loan |
| Your ID was lost or previously submitted to another company | Your identity documents may have been reused | Report the lost or compromised ID and investigate other possible accounts |
This distinction matters. Falsely denying a genuine loan can weaken your credibility. On the other hand, paying a loan that you did not authorize merely to stop harassment can complicate your dispute.
Is a fake online loan legally binding on the identity theft victim?
A person does not become liable for a loan merely because their name, photograph, mobile number, or government ID appears in an application.
Under Articles 1317 and 1318 of the Civil Code of the Philippines, nobody may contract in another person’s name without authority, and a valid contract requires the consent of the contracting parties. A loan obtained by an impostor is therefore not enforceable against the innocent identity owner unless the person later validly ratifies or adopts it. (Lawphil)
Online lenders may rely on electronic contracts, OTPs, digital signatures, or app confirmations. However, the Electronic Commerce Act of 2000, or RA 8792, requires a reliable method of identifying the person sought to be bound and showing that the person intended to authenticate or approve the transaction. Electronic records are legally recognized, but they are not immune from challenges involving forgery, account takeover, stolen credentials, unreliable verification, or unreasonable reliance. (Lawphil)
This is why a proper identity theft dispute should focus on attribution: who actually controlled the device, SIM, email address, e-wallet, bank account, selfie process, and disbursement destination used for the loan?
Philippine laws that protect identity theft victims
Computer-related identity theft under RA 10175
Section 4(b)(3) of the Cybercrime Prevention Act of 2012, or RA 10175, penalizes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of another person’s identifying information without right. Using someone else’s identity to apply for an online loan can fall within this offense. (Lawphil)
Depending on the evidence, the offender’s conduct may also involve:
- Falsification or use of falsified documents under Article 172 of the Revised Penal Code;
- Estafa or other fraud-related offenses;
- Unauthorized use of access devices under RA 8484, as amended;
- Illegal access, computer-related forgery, or computer-related fraud under RA 10175; and
- Unauthorized processing or disclosure under the Data Privacy Act.
The exact charge is determined by investigators and prosecutors based on how the loan was created and where the proceeds went.
Data privacy rights under RA 10173
The Data Privacy Act of 2012, or RA 10173, gives you the right to know whether your personal information is being processed, obtain reasonable access to it, dispute inaccuracies, demand correction, and request blocking, removal, or destruction when information is false, unlawfully obtained, used without authority, or no longer necessary. You may also seek indemnification for damage caused by false or unauthorized processing. (National Privacy Commission)
This means you may ask the lender to disclose:
- What personal information it has about you;
- Where the information came from;
- When the account was created or modified;
- Who received or accessed the information;
- How the lender verified the applicant;
- The automated or manual process used to approve the loan; and
- Whether the account was reported to a collection agency, credit bureau, or the Credit Information Corporation.
The Supreme Court has repeatedly recognized privacy as the right to be free from unwarranted exploitation and intrusion. In Spouses Hing v. Choachuy, the Court described it as the “right to be let alone.” (Lawphil)
Special rules for online lending apps
NPC Circular No. 20-01, as amended by NPC Circular No. 2022-02, regulates the use of personal data in loan applications, servicing, and debt collection. It prohibits unnecessary or excessive app permissions and uncontrolled processing of contact lists.
A March 18, 2026 joint advisory of the DICT, National Privacy Commission, and Securities and Exchange Commission reiterated that lenders may not use contact lists for harassment, contact persons other than properly designated guarantors for debt collection, or require unnecessary access to personal data.
A character reference is not a guarantor. A character reference is generally provided only for identity or information verification. A guarantor must separately and expressly consent to assume responsibility for the loan.
Financial consumer rights under RA 11765
The Financial Products and Services Consumer Protection Act of 2022, or RA 11765, protects the rights of financial consumers to:
- Equitable and fair treatment;
- Disclosure and transparency;
- Protection of assets against fraud and misuse;
- Data privacy and protection; and
- Timely handling and redress of complaints.
Financial service providers must maintain a consumer assistance mechanism, while regulators such as the SEC may provide mediation, conciliation, adjudication, and other forms of redress. (Supreme Court E-Library)
What to do immediately after discovering a fake online loan
1. Preserve evidence before deleting or blocking anything
Take screenshots and, where possible, screen recordings showing:
- The lender’s messages and collection demands;
- The app name, developer name, app-store page, and website;
- The loan or account number;
- Amount allegedly borrowed and due date;
- Mobile numbers, email addresses, and social media accounts used by collectors;
- Threats, defamatory statements, or messages sent to relatives and coworkers;
- Payment instructions and the receiving bank or e-wallet account;
- Call logs, voicemail, email headers, and chat histories;
- App permissions, especially access to contacts, camera, photos, location, SMS, or storage; and
- Any credit report entry relating to the fake loan.
Keep the original electronic files. Back them up to a separate device or cloud folder. A chronological folder is more useful than dozens of unorganized screenshots.
2. Secure your phone, SIM, email, bank, and e-wallet accounts
Change the passwords of your primary email account first because it may be used to reset other accounts. Then secure your:
- Online banking accounts;
- GCash, Maya, or other e-wallets;
- Mobile network account;
- Social media accounts;
- Cloud storage;
- Government portals; and
- Lending or shopping apps that store identity information.
Enable multi-factor authentication where available. Contact your telecommunications provider immediately if your SIM unexpectedly lost signal, was replaced without your request, or may have been duplicated.
Revoke unnecessary permissions from the lending app, but do this after preserving evidence. Uninstalling the app does not necessarily erase data that the operator already copied or stored.
3. Send a formal written identity theft dispute to the lender
Do not deal only with the collection agent. Send the dispute through the lender’s official customer assistance, fraud, legal, and data protection channels.
Your notice should state:
- You did not apply for, authorize, receive, or benefit from the loan.
- You deny liability and dispute the account in full.
- The lender must immediately mark the account as disputed and suspend collection.
- It must stop contacting your relatives, employer, friends, and other third parties.
- It must preserve all application, verification, device, transaction, and communication records.
- It must investigate the account as possible identity theft.
- It must correct or block false personal information and notify parties that received it.
- It must provide a written investigation result.
Use a subject line such as:
FORMAL IDENTITY THEFT DISPUTE — UNAUTHORIZED LOAN ACCOUNT [ACCOUNT NUMBER]
Avoid making a token payment or signing a restructuring agreement simply to stop calls. Payment or written acknowledgment may later be cited as evidence that you adopted the account, although the effect will depend on the circumstances. If you already paid under protest or intimidation, keep the receipt and immediately state in writing that the payment was not an admission of liability.
4. Demand the records that can reveal the real applicant
Ask the lender to provide or preserve:
- The complete loan application;
- Submitted ID images and document metadata;
- Selfie, video, facial-recognition, or liveness-verification records;
- OTP delivery and validation logs;
- Mobile number and email used;
- Device identifiers, IP addresses, login history, and timestamps;
- Electronic signature or consent records;
- Privacy notices and consent screens shown during application;
- Bank or e-wallet account that received the proceeds;
- Recording of verification calls;
- Name of the employee, agent, or outsourced provider that approved the application;
- Collection agency endorsement; and
- Reports submitted to the CIC or private credit bureaus.
Some technical details may be subject to legitimate security restrictions. The lender should still provide sufficient information to explain why it attributed the application to you and should preserve the complete records for investigators.
5. Prepare an affidavit of denial or identity theft
A notarized affidavit is useful when filing with the lender, SEC, NPC, PNP, NBI, or prosecutor. It should contain facts within your personal knowledge, including:
- Your full name and identification details;
- When and how you discovered the loan;
- A clear statement that you did not apply, authorize anyone, receive the proceeds, or give the cited consent;
- Whether your ID, phone, SIM, or accounts were lost or compromised;
- Whether you know the alleged lender or app;
- Steps you took after discovery;
- Description of calls, threats, or third-party contacts; and
- A list of attached evidence.
Do not include speculation as fact. State what you personally know and identify assumptions separately.
When sending an ID copy, place a visible watermark such as:
FOR IDENTITY THEFT DISPUTE WITH [COMPANY] ONLY — [DATE] — NOT FOR LOAN APPLICATION
6. Report the cybercrime to the PNP or NBI
You may report the incident even if you do not know the offender’s identity. Investigators can request or preserve records that an ordinary complainant cannot obtain.
The 2026 DICT-NPC-SEC advisory identifies the following channels for threats, fraud, scams, and cybercrime complaints:
- PNP Anti-Cybercrime Group: acg@pnp.gov.ph or onlinecims.ocs@gmail.com; telephone (632) 8723-0401 local 7491
- NBI Cybercrime Division: ccd@nbi.gov.ph; telephone (632) 8523-8231 to 38
- DICT Cyber Hotline: 1326@dict.gov.ph
Bring or attach your affidavit, valid ID, evidence folder, lender correspondence, suspected transaction details, and a one-page chronology.
A police or barangay blotter may help document when you reported the incident, but it does not automatically cancel the loan. The lender must still correct its records, and the appropriate agencies must investigate the fraud.
7. File an SEC complaint against the lender or app operator
Lending and financing companies are generally regulated by the Securities and Exchange Commission. The SEC also enforces Memorandum Circular No. 18, Series of 2019, which prohibits unfair debt collection practices such as threats, false representations, deceptive collection methods, and conduct intended to harm a person’s reputation. (SEC Appointment System)
Submit the complaint through the SEC iMessage ticketing system. The current joint advisory also lists the SEC hotline 1-4732 (1-4SEC). (Securities and Exchange Commission)
Identify both:
- The consumer-facing app or brand name; and
- The legal corporation operating it.
Attach the app-store URL, developer name, company address, collection numbers, screenshots, and your correspondence. An app’s presence in an app store does not by itself prove that its operator has a valid SEC Certificate of Authority.
8. File a National Privacy Commission complaint when data was misused
File with the NPC when the lender or its collectors:
- Processed your identity without lawful authority;
- Refused to correct or block false data;
- Disclosed the alleged debt to relatives, employers, or friends;
- Harvested or misused contact lists;
- Used your photograph for shaming;
- Continued processing after receiving substantial proof of identity theft; or
- Failed to provide access to your personal data.
The NPC requires a properly completed and notarized Complaint-Affidavit, supporting evidence, and a valid government-issued ID. Complaints may be submitted personally, by courier, or by scanning and emailing the documents to complaints@privacy.gov.ph. (National Privacy Commission)
The basic filing fee under NPC Circular No. 2023-01 is ₱500, with additional fees when claiming damages or applying for special relief. The NPC’s published guidance states that initial evaluation may take up to 30 calendar days, while the entire complaint process may take approximately 10 to 12 months. (National Privacy Commission)
9. Check and dispute your CIC credit report
A fraudulent loan may affect future applications for housing, employment-related credit checks, business financing, credit cards, or legitimate loans.
Obtain your credit report through the Credit Information Corporation or an authorized accessing entity. If the fake account appears, use the CIC Online Dispute Resolution Process and attach your identity theft documents.
Section 4(o) of the Credit Information System Act of 2008, or RA 9510, gives borrowers the right to dispute erroneous, incomplete, outdated, or misleading credit information. The law directs the CIC to investigate and verify disputed information within five working days from receipt, although correction by the submitting lender and updates across downstream systems may take longer. (Credit Information Corporation (CIC))
Documents to gather
| Document or evidence | Why it matters |
|---|---|
| Valid government ID | Establishes your identity |
| Notarized affidavit of denial | Creates a sworn factual narrative |
| Screenshots and original messages | Proves collection, threats, or disclosure |
| Call logs and recordings lawfully obtained | Identifies collectors and their statements |
| Lender dispute and delivery proof | Shows that the company was formally notified |
| Bank and e-wallet statements | Helps prove that you did not receive the proceeds |
| SIM replacement or telco records | Supports a SIM-swap or account-takeover claim |
| Lost-ID report | Shows when the identity document became compromised |
| Passport stamps, travel records, or work records | May show that you were elsewhere during verification |
| CIC credit report | Identifies reporting damage |
| Statements from contacted relatives or coworkers | Supports privacy and harassment complaints |
Ask witnesses to preserve the original messages they received. A screenshot forwarded to you is useful, but the witness’s own device and account may provide stronger context.
Common mistakes that make identity theft cases harder
Deleting the app and messages too early
Preserve the evidence first. Once messages disappear, it may be difficult to prove what the collector said, which permissions the app requested, or which company operated it.
Sending more unprotected IDs through informal chat
Do not send clear ID images to random collector numbers, personal Facebook accounts, Telegram accounts, or unverified WhatsApp profiles. Use the lender’s official channel and watermark every copy.
Speaking only by telephone
Phone calls leave weak records unless properly documented. Follow every important call with an email summarizing the date, time, person spoken to, and what was agreed.
Paying merely to stop harassment
Payment may reduce immediate pressure but can blur the issue of whether you accepted or ratified the account. Clearly dispute liability before making any payment, and do not sign a settlement for a debt you did not incur.
Assuming a character reference is liable
A reference does not become a guarantor simply because a borrower entered their number. Under the 2026 advisory, a guarantor must expressly consent to assume responsibility. Collectors should not demand payment from a reference or disclose unnecessary details about the borrower’s alleged debt.
Waiting for one agency before contacting another
A lender dispute, cybercrime report, SEC complaint, NPC complaint, and CIC dispute address different parts of the problem. They may proceed at the same time.
Filing a vague complaint
“Someone stole my identity” is not enough. State dates, amounts, account numbers, mobile numbers, application details, recipients of disclosures, and specific requests for relief.
What Filipinos abroad and foreign nationals should do
A Filipino living overseas can still dispute a Philippine online loan and report misuse of Philippine identity documents. Evidence such as immigration records, foreign employment records, foreign SIM ownership, and proof that the alleged loan proceeds went to an unfamiliar Philippine account can be valuable.
A sworn affidavit executed abroad may generally be:
- Signed before a Philippine embassy or consulate authorized to perform notarial services; or
- Notarized locally and apostilled when issued in a country covered by the Apostille Convention.
For documents from non-Apostille countries, Philippine consular authentication or legalization may be required. Confirm the receiving agency’s current documentary requirements before sending originals. (Philippine Embassy in New Delhi)
Foreign nationals whose data are processed in the Philippines may also use Philippine data privacy remedies. Nationality does not make an unauthorized Philippine loan valid. If appointing someone in the Philippines to submit documents or follow up personally, the agency may require a notarized or apostilled Special Power of Attorney.
Frequently Asked Questions
Do I have to pay an online loan opened using my stolen identity?
Not merely because the account carries your name. A lender must establish that you validly consented to and were properly identified in the transaction. Dispute the account immediately and avoid statements or conduct that could be presented as acknowledgment.
Can an online lender contact my family or employer?
A lender may use lawful and proportionate methods to locate or communicate with an actual borrower. It may not publicly shame, threaten, disclose unnecessary personal information, or use an entire contact list for collection. Under current NPC rules, debt collection through contacts should be limited to a properly designated and consenting guarantor.
Am I liable if someone listed me as a character reference?
No. Being a reference does not make you the borrower, co-maker, or guarantor. Tell the collector that you did not consent to guarantee the debt and demand removal of your information as a reference.
Should I block the collector’s number?
Preserve screenshots, call logs, voicemails, and messages first. After documenting the evidence and sending a formal dispute, you may block persistent abusive numbers while keeping an official written channel open for the lender’s investigation.
Is an affidavit of denial enough to erase the loan?
No. It is important evidence, but it does not automatically correct the lender’s or CIC’s records. Submit it with your formal dispute and supporting documents, and require a written investigation and correction.
Is a police report enough to stop collection?
Not by itself. Send the report to the lender and separately demand that collection be suspended, the account be marked as disputed, and false data be corrected. File with the SEC, NPC, or CIC when appropriate.
Can I claim damages against the lender?
Potentially. RA 10173 allows indemnification for damage caused by inaccurate, false, unlawfully obtained, or unauthorized processing. Civil Code Articles 19, 20, 21, and 26 may also support civil remedies for bad-faith conduct, privacy invasion, humiliation, or damage to reputation. Liability depends on the evidence showing what the lender or its agents did after receiving notice of the fraud.
What if the scammer used my identity to open an e-wallet or bank account?
Immediately notify the bank or e-wallet provider through its official fraud channel and request preservation and restriction of the account. RA 12010, the Anti-Financial Account Scamming Act of 2024, specifically covers opening or using financial accounts under another person’s identity or identification documents. Report the matter to the BSP-supervised institution and the PNP or NBI. (Lawphil)
What if I previously submitted my ID to another legitimate app?
That does not prove which company or person caused the misuse. List every place where the ID was submitted, preserve relevant emails, and avoid accusing a particular company without evidence. Investigators can compare document copies, metadata, timestamps, account details, and data-access records.
Key Takeaways
- A loan opened by an impostor is not automatically enforceable against the person whose identity was stolen.
- Preserve messages, app details, account records, and transaction evidence before blocking numbers or uninstalling the app.
- Dispute the account directly with the lender and demand its KYC, OTP, device, selfie, signature, and disbursement records.
- Report the cybercrime to the PNP Anti-Cybercrime Group or NBI Cybercrime Division, and report unlawful lending practices to the SEC.
- File with the NPC when personal data was unlawfully collected, disclosed, retained, or used for harassment.
- Check your CIC credit report and formally dispute any fraudulent entry.
- A character reference is not a guarantor, and a guarantor must expressly consent to assume the obligation.