How to File a Cybercrime Complaint for Online Scams and Financial Disputes

I. Introduction

System hacking, unauthorized access, account compromise, website defacement, data theft, ransomware, malware intrusion, and other security breaches are serious offenses under Philippine law. In an increasingly digital environment, individuals, businesses, schools, government offices, and organizations rely on computer systems, cloud platforms, databases, and online accounts for daily operations. A successful breach can expose personal information, disrupt services, damage reputation, cause financial loss, and create legal liability.

In the Philippine context, the primary law governing hacking and related cyber offenses is Republic Act No. 10175, also known as the Cybercrime Prevention Act of 2012. Depending on the facts, other laws may also apply, including the Data Privacy Act of 2012, the Revised Penal Code, the Access Devices Regulation Act, the Electronic Commerce Act, and special laws involving banking, telecommunications, intellectual property, or national security.

This article explains how a victim may prepare, file, and pursue a cybercrime complaint involving system hacking and security breaches in the Philippines.

This is a legal information article, not a substitute for advice from a lawyer or direct guidance from law enforcement, prosecutors, or the National Privacy Commission.


II. Legal Framework for Hacking and Security Breaches

A. Cybercrime Prevention Act of 2012

The Cybercrime Prevention Act penalizes several offenses involving computer systems and data. In hacking or breach cases, the most relevant offenses usually include:

1. Illegal Access

Illegal access refers to access to the whole or any part of a computer system without right. This is the closest legal category to “hacking” in many cases.

Examples include:

  • Logging into another person’s email, social media, cloud account, or business system without permission;
  • Accessing a company server using stolen credentials;
  • Entering an admin dashboard without authorization;
  • Exploiting a system vulnerability to gain access;
  • Using another person’s device, account, or system credentials without consent.

The key element is access without right.

2. Illegal Interception

This involves the interception of computer data without right through technical means. It may apply where an offender captures communications, network traffic, passwords, session tokens, or private data while it is being transmitted.

Examples include:

  • Packet sniffing on a network to capture login credentials;
  • Intercepting emails or messages;
  • Capturing authentication tokens;
  • Monitoring private communications without authority.

3. Data Interference

Data interference involves intentional or reckless alteration, damaging, deletion, or deterioration of computer data without right.

Examples include:

  • Deleting files from a hacked account;
  • Altering business records;
  • Modifying database entries;
  • Encrypting data through ransomware;
  • Destroying logs or backup files;
  • Changing website content.

4. System Interference

System interference involves intentional alteration or reckless hindering or interference with the functioning of a computer or computer network.

Examples include:

  • Distributed denial-of-service attacks;
  • Disabling a website or business application;
  • Locking users out of a system;
  • Crashing servers;
  • Deploying malware that disrupts system operations.

5. Misuse of Devices

This may apply when a person possesses, produces, sells, procures, imports, distributes, or otherwise makes available tools, passwords, access codes, or similar data intended for committing cybercrime.

Examples include:

  • Selling stolen passwords;
  • Distributing malware;
  • Providing hacking tools with criminal intent;
  • Trading compromised admin credentials.

6. Cyber-squatting, Computer-related Fraud, and Computer-related Identity Theft

Depending on the facts, hacking may also overlap with other cybercrimes:

  • Computer-related fraud if the breach was used to obtain money, property, or financial benefit;
  • Computer-related identity theft if the offender used another person’s identity online;
  • Cyber-squatting if a domain name was registered in bad faith using another person’s name, business name, trademark, or identity.

B. Data Privacy Act of 2012

Where the breach involves personal information or sensitive personal information, the Data Privacy Act may also apply.

This is especially important for companies, schools, clinics, online businesses, employers, associations, and organizations that process personal data. A hacking incident may trigger obligations involving:

  • Breach assessment;
  • Containment;
  • Internal documentation;
  • Notification to affected data subjects;
  • Notification to the National Privacy Commission;
  • Security review;
  • Remediation;
  • Possible administrative, civil, or criminal liability.

A security breach is not only a cybercrime issue. It can also be a data protection issue.

C. Revised Penal Code and Other Laws

A hacking incident may also involve traditional crimes, such as:

  • Estafa;
  • Theft;
  • Malicious mischief;
  • Unjust vexation;
  • Grave coercion;
  • Threats;
  • Falsification;
  • Libel;
  • Slander;
  • Qualified theft;
  • Damage to property;
  • Fraudulent use of identity.

Other laws may apply where the hacked system involves:

  • Bank accounts;
  • Credit cards;
  • E-wallets;
  • SIM cards;
  • Telecommunications;
  • Intellectual property;
  • Government systems;
  • Trade secrets;
  • Confidential business information.

III. Common Types of Hacking and Security Breach Complaints

A cybercrime complaint may arise from many factual situations. Common examples include:

1. Account Takeover

This happens when an offender gains control of an email, social media, e-wallet, banking, gaming, or business account.

Typical signs include:

  • Password changed without permission;
  • Recovery email or mobile number changed;
  • Unauthorized messages sent;
  • Unknown login alerts;
  • Money transferred out;
  • Friends or customers contacted by the hacker;
  • Account used for scams.

2. Website or Page Defacement

This occurs when a website, business page, or platform is altered without permission.

Signs include:

  • Changed homepage;
  • Offensive or political messages posted;
  • Unauthorized banners;
  • Redirects to malicious sites;
  • Deleted website content;
  • Locked admin access.

3. Database Breach

This involves unauthorized access to stored data.

Examples include:

  • Customer lists copied;
  • Employee records downloaded;
  • Student information exposed;
  • Patient information compromised;
  • Login credentials dumped;
  • Confidential documents leaked.

4. Ransomware

Ransomware occurs when malware encrypts or locks files and demands payment.

Important considerations include:

  • Do not immediately pay without legal and technical advice;
  • Preserve ransom notes;
  • Preserve cryptocurrency wallet addresses;
  • Preserve email addresses and chat handles used by attackers;
  • Disconnect infected systems from the network;
  • Avoid wiping devices before evidence is collected.

5. Business Email Compromise

This occurs when an email account is hacked or spoofed to redirect payments, invoices, or business communications.

Examples include:

  • Supplier bank details changed;
  • Fake payment instructions sent;
  • Employee payroll redirected;
  • Customers instructed to pay another account;
  • Internal email thread hijacked.

6. Insider Breach

Not all hacking is done by outsiders. A breach may be committed by an employee, contractor, former partner, administrator, or vendor.

Examples include:

  • Former employee accessing systems after resignation;
  • Contractor copying data without authority;
  • Admin user deleting company files;
  • Employee exporting customer lists;
  • Unauthorized use of shared passwords.

IV. Who May File the Complaint

A cybercrime complaint may be filed by the person or entity directly affected by the hacking or security breach.

Possible complainants include:

  • The individual whose account, device, or personal data was compromised;
  • A company whose system, website, database, or business email was breached;
  • A school, association, clinic, or organization affected by unauthorized access;
  • A government agency whose system was attacked;
  • An authorized representative of the victim;
  • A corporate officer authorized by board resolution, secretary’s certificate, or special power of attorney.

For juridical entities such as corporations, partnerships, associations, or organizations, the complainant should ideally be someone with authority to represent the entity. This avoids later issues regarding legal personality and authority to file.


V. Where to File a Cybercrime Complaint in the Philippines

A complaint for hacking or security breach may generally be brought to the following authorities:

A. Philippine National Police Anti-Cybercrime Group

The PNP Anti-Cybercrime Group investigates cybercrime complaints, including hacking, identity theft, online fraud, cyber libel, and other offenses under the Cybercrime Prevention Act.

A complainant may file a report with the appropriate cybercrime unit or office. The complaint is usually supported by an affidavit and evidence.

B. National Bureau of Investigation Cybercrime Division

The NBI Cybercrime Division also handles cybercrime complaints. Victims may file complaints involving hacking, online fraud, account compromise, data breaches, and related offenses.

The NBI may receive the complaint, evaluate evidence, conduct technical investigation, and refer the case for inquest or preliminary investigation where appropriate.

C. Office of the City or Provincial Prosecutor

A complainant may also file a criminal complaint directly with the Office of the Prosecutor having jurisdiction over the offense.

The prosecutor conducts preliminary investigation when required. Law enforcement investigation may still be needed, especially when technical attribution, IP logs, service provider records, or digital forensic analysis are involved.

D. Department of Justice Office of Cybercrime

The DOJ Office of Cybercrime has an important role in cybercrime policy, coordination, and certain cybercrime-related processes. For some cases, especially those involving cross-border cooperation, preservation requests, or technical coordination, DOJ involvement may be relevant.

E. National Privacy Commission

If the hacking incident involves personal data, especially in an organization that processes personal information, the matter may also need to be brought to the National Privacy Commission.

This is not always a substitute for a criminal cybercrime complaint. A single incident may require both:

  • A criminal complaint before law enforcement or prosecutors; and
  • Data breach reporting or privacy-related proceedings before the NPC.

VI. Jurisdiction and Venue

Cybercrime cases can involve complex venue issues because the offender, victim, server, platform, and affected system may be in different places.

In general, the complaint may be filed where:

  • The complainant resides or does business;
  • The affected system is located or operated;
  • The harmful effects were felt;
  • The offense was committed in whole or in part;
  • The offender accessed the system;
  • The unlawful transaction or communication occurred.

For practical purposes, victims often file with the nearest appropriate PNP or NBI cybercrime office, or with the prosecutor’s office where the victim resides, where the business operates, or where the damage occurred. Law enforcement and prosecutors may determine the proper venue based on the facts.


VII. Immediate Steps After Discovering a Hack or Breach

A victim should act quickly but carefully. The early response can determine whether the complaint succeeds.

1. Preserve Evidence

Do not delete messages, emails, logs, screenshots, files, or suspicious accounts. Preservation is critical.

Useful evidence includes:

  • Screenshots of unauthorized access;
  • Login alerts;
  • Emails from platforms;
  • IP address logs;
  • Device logs;
  • Server logs;
  • Access logs;
  • Audit trails;
  • Ransom notes;
  • Chat messages with attackers;
  • Cryptocurrency wallet addresses;
  • Bank transfer details;
  • URLs;
  • Usernames;
  • Email addresses;
  • Mobile numbers;
  • Transaction records;
  • Copies of altered files;
  • Malware samples, if safely handled by experts;
  • Incident reports from IT personnel.

Screenshots should ideally show the full screen, date, time, URL, account name, sender details, and other identifying information.

2. Avoid Tampering with Digital Evidence

Do not reformat devices, wipe servers, reinstall operating systems, delete suspicious files, or reset systems before evidence is preserved.

Restoring business operations is important, but preservation must be coordinated with technical responders. In many cases, forensic imaging or log preservation should be done first.

3. Secure the System

After preserving evidence, take steps to prevent further harm:

  • Change passwords;
  • Enable multi-factor authentication;
  • Revoke suspicious sessions;
  • Remove unauthorized users;
  • Disable compromised accounts;
  • Patch vulnerabilities;
  • Disconnect infected devices;
  • Rotate API keys and tokens;
  • Suspend exposed credentials;
  • Notify banks or payment processors;
  • Inform customers or employees where necessary.

4. Document the Timeline

Prepare a chronological incident timeline. Include:

  • When the breach was discovered;
  • Who discovered it;
  • What system was affected;
  • What suspicious activity was seen;
  • What data was accessed or lost;
  • What remedial actions were taken;
  • Who had authorized access;
  • Possible suspects;
  • Financial losses;
  • Business interruption;
  • Communications with platforms or banks.

A clear timeline helps investigators understand the case.

5. Identify the Affected Assets

List all compromised or possibly compromised assets:

  • Email accounts;
  • Social media pages;
  • Websites;
  • Databases;
  • Servers;
  • Laptops;
  • Mobile devices;
  • Cloud storage;
  • Admin dashboards;
  • Payment accounts;
  • Customer portals;
  • Source code repositories;
  • Messaging platforms;
  • CRM or HR systems.

6. Notify Service Providers

Depending on the case, notify relevant providers:

  • Email service provider;
  • Social media platform;
  • Web host;
  • Domain registrar;
  • Cloud provider;
  • Bank;
  • E-wallet provider;
  • Payment gateway;
  • Internet service provider;
  • Cybersecurity vendor;
  • Insurance provider.

Request preservation of relevant logs where possible.


VIII. Evidence Needed for a Cybercrime Complaint

The strength of a cybercrime complaint often depends on the quality of evidence. The complainant should gather both legal and technical proof.

A. Identity and Authority Documents

For an individual complainant:

  • Valid government ID;
  • Contact information;
  • Proof of account ownership;
  • Proof of device ownership, if relevant.

For a company or organization:

  • SEC registration or DTI registration;
  • Articles of incorporation or partnership documents, if relevant;
  • Secretary’s certificate or board authorization;
  • Special power of attorney, if filing through a representative;
  • Valid IDs of authorized representatives;
  • Proof that the affected system belongs to or is operated by the entity.

B. Proof of Unauthorized Access

This may include:

  • Login notifications;
  • Account activity records;
  • IP addresses;
  • Device history;
  • Security alerts;
  • Admin logs;
  • System logs;
  • Authentication logs;
  • Platform reports;
  • Screenshots of unauthorized changes;
  • Reports from IT personnel.

C. Proof of Damage or Harm

This may include:

  • Financial loss records;
  • Bank statements;
  • Payment receipts;
  • Fraudulent transaction records;
  • Business interruption reports;
  • Customer complaints;
  • Data exposure reports;
  • Cost of recovery;
  • Cost of forensic services;
  • Reputational harm evidence;
  • Altered or deleted files;
  • Evidence of extortion or ransom demand.

D. Proof Linking the Suspect to the Breach

Attribution is often the most difficult part of cybercrime cases. Evidence may include:

  • Admission by the suspect;
  • Emails or messages from the suspect;
  • Use of known phone numbers or accounts;
  • Bank account or e-wallet recipient details;
  • IP address correlation;
  • Device logs;
  • Employment or admin access records;
  • CCTV or physical access logs;
  • Insider access history;
  • Recovered stolen data in the suspect’s possession.

Mere suspicion is not enough. The complaint should show facts connecting the suspect to the unauthorized access or breach.

E. Affidavits

A complaint usually requires sworn statements, such as:

  • Complaint-affidavit of the victim;
  • Affidavit of IT administrator;
  • Affidavit of system owner;
  • Affidavit of employee who discovered the breach;
  • Affidavit of person who received scam messages;
  • Affidavit of bank or platform representative, if available;
  • Certification from service provider, where obtainable.

IX. Preparing the Complaint-Affidavit

The complaint-affidavit is the main written statement supporting the case. It should be clear, factual, and organized.

A. Contents of the Complaint-Affidavit

A good cybercrime complaint-affidavit should include:

  1. Identity of the complainant: State the complainant’s name, address, contact details, and legal capacity to file.

  2. Description of the affected system or account: Identify the email account, website, server, database, application, device, cloud platform, or system compromised.

  3. Ownership or authority: Explain why the complainant has the right to use, control, manage, or protect the affected system.

  4. Date and manner of discovery: State when and how the hacking or breach was discovered.

  5. Unauthorized acts committed: Describe what the offender did, such as logging in, changing passwords, deleting files, copying data, transferring money, sending messages, or installing malware.

  6. Evidence of unauthorized access: Refer to attached screenshots, logs, emails, alerts, reports, or forensic findings.

  7. Identity of suspect, if known: State the suspect’s name, address, account, contact number, email, or other identifiers, if available.

  8. Reason for suspecting the person: Explain the factual basis, not merely conclusions.

  9. Damage suffered: State financial losses, operational disruption, reputational damage, data exposure, privacy harm, or other consequences.

  10. Relief requested: Request investigation, filing of appropriate charges, preservation of evidence, and other lawful action.

  11. Verification and oath: The affidavit must be signed and sworn before a notary public or authorized officer.

B. Attachments

Common attachments include:

  • Screenshots;
  • Email alerts;
  • Logs;
  • Incident report;
  • IT report;
  • Platform correspondence;
  • Bank records;
  • Receipts;
  • Corporate authorization;
  • Valid IDs;
  • Evidence of ownership;
  • Copies of communications with the suspect;
  • Forensic report, if available.

Each attachment should be labeled clearly, such as “Annex A,” “Annex B,” and so on.


X. Sample Structure of a Cybercrime Complaint-Affidavit

A complaint-affidavit may follow this structure:

Republic of the Philippines
[City/Province]

Complaint-Affidavit

I, [Name], Filipino, of legal age, [civil status], and residing at [address], after being duly sworn, state:

  1. I am the complainant in this case.
  2. I am the owner/authorized representative/user/administrator of [account/system].
  3. On [date], I discovered that [describe breach].
  4. The unauthorized access was discovered when [facts].
  5. I did not authorize any person to access, alter, delete, copy, transfer, or interfere with the said system/data.
  6. The following unauthorized acts were committed: [list acts].
  7. Attached are copies of screenshots, logs, emails, and records showing the unauthorized access.
  8. I have reason to believe that [name or unknown person] committed the acts because [facts].
  9. As a result, I suffered [damage].
  10. I am executing this affidavit to request investigation and the filing of appropriate criminal charges under the Cybercrime Prevention Act of 2012 and other applicable laws.

IN WITNESS WHEREOF, I sign this affidavit on [date] at [place].

[Signature]
[Name]

Subscribed and sworn to before me this [date] at [place].


XI. Filing Procedure

The filing process may vary depending on the agency, but the general steps are as follows.

Step 1: Prepare the Evidence

Organize all evidence chronologically and label attachments. Make both digital and printed copies where appropriate.

Digital evidence should be preserved in its original form. Screenshots are helpful, but original logs, emails, files, headers, metadata, and platform records are stronger.

Step 2: Draft and Notarize the Complaint-Affidavit

Prepare the complaint-affidavit and supporting affidavits. Have them notarized or sworn before an authorized officer.

For corporate complainants, attach proof that the representative has authority to file.

Step 3: File with the Appropriate Agency

Bring the complaint to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or the appropriate prosecutor’s office.

The receiving office may require:

  • Complaint-affidavit;
  • Supporting affidavits;
  • Evidence;
  • IDs;
  • Contact details;
  • Digital copies;
  • Printed copies;
  • Corporate documents, if applicable.

Step 4: Initial Evaluation

The investigator or receiving officer may evaluate whether the facts constitute a cybercrime and whether additional evidence is needed.

They may ask for:

  • More detailed logs;
  • Original emails;
  • Device access;
  • Account recovery records;
  • Platform correspondence;
  • Bank records;
  • Witness statements;
  • Technical report.

Step 5: Investigation

Law enforcement may conduct further investigation, which may involve:

  • Taking supplemental statements;
  • Preserving digital evidence;
  • Coordinating with platforms;
  • Requesting subscriber information;
  • Seeking warrants where required;
  • Conducting digital forensic examination;
  • Coordinating with banks or service providers;
  • Identifying suspects.

Step 6: Referral to Prosecutor

If there is sufficient basis, the case may be referred to the prosecutor for preliminary investigation or appropriate action.

The prosecutor determines whether probable cause exists to charge the respondent in court.

Step 7: Preliminary Investigation

During preliminary investigation, the respondent may be required to submit a counter-affidavit. The complainant may submit a reply-affidavit. The prosecutor then issues a resolution.

If probable cause is found, an information may be filed in court. If not, the complaint may be dismissed, subject to available remedies.


XII. Filing a Complaint When the Hacker Is Unknown

Many hacking complaints begin with an unknown offender. This does not prevent filing.

The complaint may be filed against:

  • John Doe;
  • Jane Doe;
  • Unknown person;
  • Unknown user of a specific email address;
  • Unknown user of a phone number;
  • Unknown owner of a bank or e-wallet account;
  • Unknown administrator of a malicious domain;
  • Unknown IP address user.

The complaint should still provide identifiers, such as:

  • Email address;
  • Username;
  • Profile URL;
  • IP address;
  • Phone number;
  • Bank account;
  • E-wallet number;
  • Domain name;
  • Website URL;
  • Device ID;
  • Transaction reference number.

Law enforcement may use these identifiers to trace the offender through lawful processes.


XIII. Special Considerations for Businesses and Organizations

Businesses must treat a hacking incident as both a legal and operational crisis.

A. Internal Incident Response

A business should immediately activate an incident response process involving:

  • Management;
  • IT team;
  • Legal counsel;
  • Data protection officer;
  • Communications team;
  • External cybersecurity experts;
  • Insurance provider, if applicable.

B. Authority to File

A corporation should issue a secretary’s certificate, board resolution, or written authorization allowing a representative to file the complaint.

C. Data Privacy Compliance

If personal data was compromised, the organization must assess whether the incident is a notifiable data breach.

Relevant factors include:

  • Whether personal data was involved;
  • Whether sensitive personal information was involved;
  • Whether the breach is likely to result in serious harm;
  • Whether data was encrypted;
  • Whether the attacker accessed, copied, or exfiltrated data;
  • Whether affected individuals must be notified;
  • Whether the NPC must be notified.

D. Employment and Insider Cases

If an employee or contractor is suspected, the organization should avoid hasty accusations. Preserve access logs, employment records, device assignment forms, admin privileges, HR records, and communications.

The business may need to pursue:

  • Criminal complaint;
  • Civil action;
  • Labor or disciplinary proceedings;
  • Injunctive relief;
  • Data privacy proceedings;
  • Recovery of confidential information.

XIV. Digital Evidence and Chain of Custody

Digital evidence can be challenged if it appears altered, incomplete, or unreliable. Chain of custody is therefore important.

A. Preserve Originals

Whenever possible, preserve:

  • Original device;
  • Original storage media;
  • Original email;
  • Original server logs;
  • Original files;
  • Original database exports;
  • Original message threads;
  • Original transaction records.

B. Make Forensic Copies

For serious incidents, a digital forensic expert may create forensic images of drives, servers, or devices. Hash values may be generated to prove integrity.

C. Record Who Handled the Evidence

Maintain a log showing:

  • Who collected the evidence;
  • Date and time of collection;
  • Where it was collected;
  • How it was stored;
  • Who accessed it;
  • When it was transferred;
  • Purpose of transfer.

D. Avoid Editing Evidence Files

Do not edit screenshots, crop images, rename files without logging, or alter metadata unnecessarily. Copies may be prepared for presentation, but originals should remain intact.
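
The practices in sections B to D above can be combined in one small tool. This is an added example, not part of the original article: it hashes each evidence file with SHA-256, records the custody fields listed in section C, and later reports any file that was altered, removed, or renamed without logging. The function names, manifest field names, and sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large forensic images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(evidence_dir):
    """Relative paths of every file under evidence_dir, in stable order."""
    return sorted(
        os.path.relpath(os.path.join(root, name), evidence_dir)
        for root, _dirs, files in os.walk(evidence_dir) for name in files
    )


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(evidence_dir, collected_by, collected_where, stored_how):
    """Record who collected the evidence, when, where, how stored, and one hash per file."""
    return {
        "collected_by": collected_by,
        "collected_at": now_utc(),
        "collected_where": collected_where,
        "stored_how": stored_how,
        "files": {rel: sha256_file(os.path.join(evidence_dir, rel))
                  for rel in list_files(evidence_dir)},
        "custody_log": [],
    }


def log_custody(manifest, handler, action, purpose):
    """Append who accessed or received the evidence, when, and for what purpose."""
    entry = {"when": now_utc(), "handler": handler, "action": action, "purpose": purpose}
    manifest["custody_log"].append(entry)
    return entry


def verify(evidence_dir, manifest):
    """Compare the directory with the manifest and report every discrepancy."""
    recorded = manifest["files"]
    current = {rel: sha256_file(os.path.join(evidence_dir, rel))
               for rel in list_files(evidence_dir)}
    report = {"intact": [], "altered": [], "missing": [], "renamed": [], "unlisted": []}
    for rel, digest in recorded.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["altered"].append(rel)
        else:
            report["intact"].append(rel)
    by_hash = {digest: rel for rel, digest in recorded.items()}
    for rel, digest in current.items():
        if rel in recorded:
            continue
        original = by_hash.get(digest)
        if original in report["missing"]:
            # Same content under a new name: an unlogged rename, not new evidence.
            report["missing"].remove(original)
            report["renamed"].append((original, rel))
        else:
            report["unlisted"].append(rel)
    return report


def demo():
    """Constructed sample evidence: manifest, one custody entry, then tampering."""
    samples = {  # constructed, not real incident data
        "auth.log": "2024-01-01T02:14:07Z login failed user=admin src=203.0.113.7\n",
        "alert.eml": "Subject: New sign-in to your account\n\nUnknown device.\n",
        "ransom_note.txt": "Your files are encrypted.\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        manifest = build_manifest(d, "IT administrator", "office file server",
                                  "read-only copy on encrypted drive")
        log_custody(manifest, "investigator", "received copy", "annex to complaint-affidavit")
        before = verify(d, manifest)
        with open(os.path.join(d, "auth.log"), "a", encoding="utf-8") as fh:
            fh.write("edited after collection\n")
        os.rename(os.path.join(d, "alert.eml"), os.path.join(d, "alert-copy.eml"))
        return manifest, before, verify(d, manifest)


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps({"manifest": manifest, "after_tampering": after}, indent=2))
```

Keeping the manifest on separate storage from the evidence it describes prevents a single change from affecting both the files and their recorded hashes.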


XV. Common Mistakes to Avoid

1. Deleting Evidence

Victims often delete embarrassing messages, malicious files, or suspicious emails. This can weaken the case.

2. Posting Accusations Online

Publicly naming a suspected hacker without sufficient evidence may create exposure to defamation or cyber libel claims.

3. Retaliatory Hacking

Hacking back is not lawful. A victim should not break into the suspect’s account, device, or system.

4. Paying Ransom Without Advice

Payment does not guarantee recovery and may encourage further attacks. It may also complicate investigation.

5. Delaying the Complaint

Logs may be deleted, platforms may purge records, and suspects may disappear. File promptly.

6. Submitting Only Screenshots

Screenshots are useful but may not be enough. Preserve original digital records, headers, metadata, and logs.

7. Failing to Secure the System

A complaint does not automatically stop ongoing access. The victim must also contain and remediate the breach.

8. Ignoring Data Privacy Duties

A company that suffers a data breach may face consequences if it fails to assess and report the breach properly.


XVI. Remedies and Possible Outcomes

A cybercrime complaint may lead to different outcomes depending on the evidence.

A. Criminal Prosecution

If probable cause is found, the offender may be charged in court for offenses under the Cybercrime Prevention Act and other applicable laws.

B. Search, Seizure, and Forensic Examination

Law enforcement may seek court authority to search, seize, or examine devices and digital evidence where legally justified.

C. Preservation of Data

Authorities may take steps to preserve relevant computer data, logs, or subscriber information.

D. Account Recovery and Platform Action

Although criminal authorities do not directly control private platforms, a complaint may support requests for:

  • Account recovery;
  • Page restoration;
  • Takedown of malicious content;
  • Preservation of logs;
  • Disclosure through lawful processes.

E. Civil Claims

The victim may consider civil action for damages, injunction, recovery of property, breach of contract, or other relief.

F. Administrative Proceedings

Where personal data is involved, proceedings before the National Privacy Commission may result in compliance orders, corrective measures, or other administrative consequences.


XVII. Cybercrime Complaint Involving Banks, E-Wallets, or Financial Loss

When hacking results in unauthorized transfers or financial loss, immediately:

  • Notify the bank or e-wallet provider;
  • Request freezing or reversal where possible;
  • Obtain transaction reference numbers;
  • Secure account statements;
  • Preserve SMS and email alerts;
  • File a complaint with law enforcement;
  • Include recipient bank account or wallet details;
  • Document all communications with the financial institution.

Financial cases often involve several possible offenses, including illegal access, computer-related fraud, identity theft, estafa, and violations of financial regulations.


XVIII. Cybercrime Complaint Involving Social Media Accounts

For hacked social media accounts or pages, collect:

  • Profile URL;
  • Page URL;
  • Username;
  • Screenshots before and after compromise;
  • Unauthorized posts or messages;
  • Login alerts;
  • Email notices from the platform;
  • Recovery attempts;
  • Messages sent by the attacker;
  • Scam solicitations;
  • Names of victims contacted by the attacker.

Also report the compromise to the platform using its official recovery and reporting channels.


XIX. Cybercrime Complaint Involving Email Compromise

For email hacking, preserve:

  • Full email headers;
  • Login history;
  • Security alerts;
  • Forwarding rules;
  • Auto-reply settings;
  • Recovery email changes;
  • Suspicious sent messages;
  • Deleted emails;
  • Unknown devices;
  • IP addresses;
  • Business losses caused by the compromise.

Check whether the attacker created hidden forwarding rules or filters to continue monitoring communications.


XX. Cybercrime Complaint Involving Websites, Servers, or Databases

For website or server breaches, preserve:

  • Server access logs;
  • Admin login logs;
  • Web application logs;
  • Database logs;
  • Firewall logs;
  • Malware scan results;
  • File change timestamps;
  • Backups;
  • Source code repository logs;
  • Hosting provider notices;
  • Defacement screenshots;
  • Suspicious user accounts;
  • Unauthorized scripts or web shells;
  • Vulnerability findings.

A technical incident report from a qualified IT professional or cybersecurity expert is highly useful.


XXI. Role of Lawyers in Cybercrime Complaints

A lawyer can assist by:

  • Assessing the proper offenses;
  • Preparing the complaint-affidavit;
  • Organizing evidence;
  • Coordinating with forensic experts;
  • Advising on data privacy obligations;
  • Representing the complainant during preliminary investigation;
  • Preparing reply-affidavits;
  • Seeking civil remedies;
  • Avoiding statements that may create liability;
  • Coordinating with law enforcement and prosecutors.

For businesses, legal counsel should be involved early, especially where personal data, customers, employees, contracts, regulators, or public communications are involved.


XXII. Practical Checklist Before Filing

Before filing, prepare the following:

Item                        Purpose
Complaint-affidavit         Main sworn statement
Valid ID                    Identity verification
Authority document          Needed for company representatives
Screenshots                 Visual proof of unauthorized activity
Logs                        Technical evidence
Email alerts                Proof of suspicious access
Platform reports            Confirmation from provider
Bank/e-wallet records       Proof of financial loss
Incident timeline           Clear sequence of events
IT report                   Technical explanation
Witness affidavits          Corroboration
Copies of communications    Evidence of threats, ransom, fraud, or admission
Digital copies              Easier review by investigators
Original files/logs         Stronger evidentiary value

XXIII. Practical Checklist After Filing

After filing the complaint:

  • Keep the receiving copy or reference number;
  • Record the name and office of the investigator;
  • Preserve all new evidence;
  • Continue documenting losses;
  • Submit supplemental evidence promptly;
  • Monitor account recovery;
  • Follow up respectfully;
  • Avoid public accusations;
  • Coordinate with counsel;
  • Continue improving system security.

XXIV. Security Remediation After a Breach

Filing a complaint addresses legal accountability, but it does not automatically fix security weaknesses. Victims should also remediate.

Recommended steps include:

  • Reset all passwords;
  • Use unique passwords;
  • Enable multi-factor authentication;
  • Remove unused accounts;
  • Disable former employees’ access;
  • Patch systems;
  • Update plugins and applications;
  • Review admin privileges;
  • Rotate API keys;
  • Rotate database credentials;
  • Review firewall rules;
  • Install endpoint protection;
  • Conduct vulnerability assessment;
  • Review backups;
  • Test restoration procedures;
  • Train employees against phishing;
  • Monitor logs;
  • Prepare an incident response plan.

For businesses, cybersecurity is not only a technical issue. It is a governance, compliance, and legal risk issue.


XXV. Conclusion

Filing a cybercrime complaint for system hacking and security breaches in the Philippines requires both legal preparation and technical discipline. The victim must preserve evidence, document the incident, secure affected systems, prepare a sworn complaint, and file with the appropriate authority such as the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or the prosecutor’s office. If personal data is involved, the National Privacy Commission and the Data Privacy Act must also be considered.

The most important rule is to act quickly without destroying evidence. A strong complaint is factual, organized, supported by digital records, and clearly shows unauthorized access, damage, and the link between the act and the suspected offender. In serious cases, coordination among lawyers, IT professionals, forensic specialists, management, law enforcement, and regulators is essential.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.