A practical legal article for victims, businesses, and counsel under Philippine law
1) What “cybercrime” means in the Philippine setting
In the Philippines, “cybercrime” is not just “a crime committed online.” Legally, it usually falls into one or more of these buckets:
A. Offenses under the Cybercrime Prevention Act of 2012 (Republic Act No. 10175)
Common RA 10175 offenses include:
- Illegal access (hacking/unauthorized access)
- Illegal interception (capturing communications without authority)
- Data interference (altering, damaging, deleting data)
- System interference (hindering/impairing a computer system, e.g., DDoS)
- Misuse of devices (selling/possessing tools or passwords for offenses)
- Cybersquatting
- Computer-related fraud (online deception for gain)
- Computer-related identity theft (unauthorized use of another’s identity/data)
- Content-related offenses like cyber libel (libel committed through a computer system)
B. Traditional crimes committed through ICT (the “crime is old, the tool is new”)
Examples:
- Estafa (swindling) through online selling, investment scams, crypto scams
- Theft/qualified theft involving electronic data, accounts, or funds
- Grave threats / coercion / unjust vexation via messaging apps
- Violations of special laws: anti-photo and video voyeurism, anti-child abuse online, etc.
C. Data privacy and electronic evidence issues that often ride along
- Data Privacy Act of 2012 (RA 10173) may apply if personal information was mishandled, leaked, or processed unlawfully.
- Rules on Electronic Evidence (A.M. No. 01-7-01-SC) govern how screenshots, logs, and digital records are presented and authenticated in court.
Key point: The best legal strategy starts by identifying the correct offense(s) and correct venue, then preserving evidence properly so it’s admissible.
2) Where to file: choosing the proper channel
You generally have four practical entry points, depending on your facts and urgency. You can use more than one in parallel.
Option 1: PNP Anti-Cybercrime Group (PNP-ACG)
Best for:
- Hacking, account takeover, online scams, identity theft, online harassment, sextortion, cyber libel, device/system interference.
What they do:
- Take complaints/affidavits, conduct case build-up, coordinate preservation and possible warrants, and refer to prosecution.
Option 2: NBI Cybercrime Division
Best for:
- High-value scams, organized/serial offenders, cases needing broader investigative reach, cross-border leads, and complex digital forensics.
What they do:
- Investigation and evidence handling; filing assistance; coordination for legal process.
Option 3: Prosecutor’s Office (Office of the City/Provincial Prosecutor / DOJ prosecutors, depending on assignment)
Best for:
- When you already have evidence and want to initiate inquest (if there was a lawful warrantless arrest) or preliminary investigation for filing an Information in court.
What they do:
- Evaluate probable cause; conduct preliminary investigation; file cases in court when warranted.
Option 4: National Privacy Commission (NPC) (for personal data issues)
Best for:
- Data breach, unauthorized disclosure, unlawful processing, or privacy complaints related to personal information.
What they do:
- Administrative investigations and possible enforcement actions; may also support criminal referrals if warranted.
Practical tip: If you’re unsure, file with PNP-ACG or NBI first for case build-up, especially when you need subpoenas, data preservation requests, or forensic handling.
3) Before you file: evidence preservation (do this first if you can)
Most cybercrime cases fail because evidence is incomplete, altered, or not properly preserved. Do the following immediately:
A. Preserve digital evidence without “contaminating” it
- Do not delete chats, emails, posts, or transaction threads.
- Avoid repeated logins or changes that overwrite logs (especially in compromised accounts).
- If possible, use another device to document evidence.
B. Capture and organize the essentials
For each incident, keep:
- Screenshots showing the full context: URL, username, timestamps, and conversation thread.
- Screen recordings when content disappears quickly (stories, reels, ephemeral chats).
- Links/URLs to posts, profiles, pages, product listings, and transaction references.
- Email headers (not just body) for phishing/spoofing cases.
- Transaction records: bank transfer slips, e-wallet reference numbers, crypto TXIDs, remittance receipts.
- Platform details: account name, user ID, profile URL, phone numbers, emails used.
- Device details: model, OS, IMEI (for phones), serials (if relevant), and the exact date/time you noticed the incident.
C. Get certified records where available
- Request bank certification or transaction history for disputed transfers.
- For telcos, keep proof of SIM ownership and any SIM swap timeline.
- For platforms, preserve notification emails and security alerts.
D. Make a clear incident timeline
A simple timeline is powerful:
- When you first noticed
- What happened next
- What you did (password changes, reports filed)
- Loss/damage estimate (money lost, reputational harm, downtime, etc.)
E. If there is ongoing risk, prioritize safety and containment
- Change passwords and enable 2FA using an authenticator app if possible.
- Revoke suspicious sessions and linked devices.
- Freeze accounts/cards if funds are being moved.
- Warn contacts if your account is being used to scam others.
4) Identify the most likely legal basis (common scenarios)
Below are common cybercrime fact patterns and what they usually map to:
Online selling scam / investment scam / “send money first” scheme
- Common: Estafa (RPC) + possibly computer-related fraud (RA 10175)
- Evidence: full chat thread, listing, proof of payment, delivery failure, IDs used, tracking claims, bank/e-wallet records.
Account takeover (Facebook/IG/email), SIM swap, OTP compromise
- Common: Illegal access, identity theft, computer-related fraud, possibly data interference
- Evidence: login alerts, password reset emails, SIM swap records, telco logs if obtainable, messages sent from your account.
Phishing / fake bank site / spoofed email leading to theft
- Common: computer-related fraud, identity theft, possibly illegal access
- Evidence: phishing URL, email headers, screenshots of site, banking transaction proof.
Sextortion / threat to release intimate images, blackmail
- Common: threats/coercion offenses + applicable cybercrime and/or special laws (depending on circumstances)
- Evidence: threats, demands, payment requests, proof of relationship/consent issues, copies of content if it exists (handle carefully).
Cyber libel / online defamation
- Common: libel committed through a computer system
- Evidence: original post URL, screenshots with timestamps, proof you are the person defamed, proof of publication and audience reach, context.
Doxxing / harassment / malicious posts
- Common: may fall under cybercrime-related offenses and/or traditional offenses depending on the act
- Evidence: posts, accounts, messages, resulting harm (threats, lost work, security issues).
Hacking / DDoS / ransomware (business systems)
- Common: illegal access, data/system interference, misuse of devices, computer-related fraud
- Evidence: server logs, incident response report, forensic images, ransom notes, payment demands, downtime records.
5) Jurisdiction and venue: where the case can be filed
Cyber cases can involve multiple places:
- Where you accessed the content (read the post, received the message)
- Where the offender posted/sent it
- Where the damage occurred (e.g., where you reside or where the business suffered loss)
- Where systems/accounts are administered (less practical, but sometimes relevant)
Practical guidance: For victims, it is usually workable to start where you are located (your city/province) via local law enforcement or the prosecutor. Cyber units can coordinate inter-area steps.
6) Step-by-step: filing a cybercrime complaint (practical walkthrough)
Step 1: Prepare your complaint packet
Bring both printed copies and digital copies (USB/cloud link) of:
- Government ID(s)
- Written narrative and timeline
- Evidence folder (screenshots, URLs, headers, receipts)
- Estimated damages (money lost, business interruption, etc.)
- Names and contacts of witnesses (if any)
Step 2: Execute a Complaint-Affidavit
Most cybercrime filings begin with a Complaint-Affidavit:
- Who you are
- Who the respondent is (or “John Doe” if unknown)
- What happened (facts, chronological)
- Why it is a crime (cite laws if you can; if not, investigators/prosecutors can help)
- Attach and mark evidence as annexes (Annex “A”, “B”, etc.)
If you don’t know the suspect: You can file against “John Doe” and describe the account, phone number, bank account, wallet ID, or any identifiers.
Step 3: File with PNP-ACG or NBI (for case build-up)
- Submit your affidavit and evidence.
- Ask about preservation steps for platform data and next investigative actions.
- Get the blotter entry / reference number / acknowledgment of your complaint.
Step 4: Coordinate for data requests and legal process
Investigators may:
- Seek subscriber/account information from telcos or platforms (subject to legal requirements)
- Apply for warrants where needed
- Conduct forensic examination of devices (more common in hacking/system cases)
Important: Do not expect immediate disclosure of platform data without due process. Many records require lawful process and coordination.
Step 5: Proceed to the Prosecutor for Preliminary Investigation
For most cases (no arrest), the next major step is preliminary investigation:
- You file the complaint-affidavit with the prosecutor (or through investigators, depending on workflow).
- The prosecutor issues a subpoena to the respondent (if identifiable) to submit a counter-affidavit.
- You may file a reply, and the prosecutor decides whether there is probable cause.
Step 6: Filing in Court (Information) and trial
If probable cause is found:
- The prosecutor files an Information in court.
- The case proceeds through arraignment, pre-trial, and trial.
- Your evidence must be authenticated under the Rules on Electronic Evidence and related rules.
Step 7: Civil recovery (optional but often crucial)
Many victims want money back. Options include:
- Civil action impliedly instituted with the criminal case (common), or
- Separate civil action depending on strategy.
For scams, early focus is often on:
- Tracing funds and preserving transaction proof
- Identifying the real beneficiary accounts
7) Costs, timelines, and what outcomes to expect (realistically)
What’s fast
- Filing the complaint
- Getting a complaint reference number
- Initial coordination with investigators
- Immediate account security measures and platform reporting
What’s slower
- Identifying anonymous perpetrators
- Getting records across institutions
- Prosecutor evaluation and hearings
- Court trial
Typical outcomes
- Dismissal for lack of evidence or inability to identify respondent
- Filing in court but later settlement/withdrawal of civil interest (case-specific)
- Conviction (harder, but possible with strong identification + evidence)
- Administrative outcomes (for data privacy complaints)
8) Special notes on evidence: screenshots are not always enough
Screenshots help, but you should strengthen them:
- Capture URL, date/time, full thread, and surrounding context.
- Preserve original files (photos, videos, audio) with metadata when possible.
- Avoid editing images. If you must redact, keep the unredacted originals.
- Consider notarized affidavits explaining how you obtained the evidence and that it is a faithful reproduction.
- For emails, keep full headers.
- For websites, save a PDF copy (print-to-file) and use web archiving carefully (but keep originals).
In many cases, you’ll eventually need testimony on:
- How the evidence was created
- How it was stored
- That it wasn’t altered
That is the practical “chain of custody” story.
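One way to back the "it wasn't altered" testimony, as an added example that is not part of the original article: a short Python script that records a SHA-256 hash, size and modified time for every file in an evidence folder (Section 3) and later reports any file that changed, disappeared or was added. The file names and contents are constructed samples, and the use of hashing is an assumption here, a common forensic practice rather than a requirement stated in this article.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large videos or forensic images are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(folder):
    """Record SHA-256, size and last-modified time (UTC) for every file under folder."""
    files = {}
    for root, _dirs, names in os.walk(folder):
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder).replace(os.sep, "/")
            st = os.stat(path)
            files[rel] = {"sha256": sha256_file(path), "bytes": st.st_size,
                          "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()}
    return {"created_utc": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(folder, manifest):
    """Compare the folder with an earlier manifest; three empty lists mean nothing changed."""
    now, then = build_manifest(folder)["files"], manifest["files"]
    return {"changed": sorted(p for p in then if p in now and now[p]["sha256"] != then[p]["sha256"]),
            "missing": sorted(p for p in then if p not in now),
            "added": sorted(p for p in now if p not in then)}

def demo():
    """Constructed sample: three stand-in evidence files, then three kinds of alteration."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"chat_thread.png": b"constructed screenshot bytes",
                   "phish_headers.eml": b"Received: from mail.example ...\r\n",
                   "receipts/transfer_ref.txt": b"constructed reference number\n"}
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)      # in practice, save this as JSON outside the folder
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "chat_thread.png"), "ab") as f:
            f.write(b" cropped")          # stands in for an edited screenshot
        os.remove(os.path.join(d, "phish_headers.eml"))
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("added later")
        return clean, verify_manifest(d, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest separately from the evidence folder so that a later change to the folder cannot also rewrite the record.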
9) If you’re a business: incident response and reporting checklist
If the victim is a company (ransomware, breach, fraud), do this early:
- Preserve logs and forensic images (don’t wipe systems prematurely).
- Document downtime and financial impact.
- Identify impacted personal data (possible RA 10173 obligations).
- Limit communications to avoid compromising investigation.
- Engage counsel and incident response specialists where appropriate.
Businesses often benefit from dual-track action:
- Criminal complaint (PNP-ACG/NBI + prosecutor)
- Administrative/data privacy action where personal data is involved
10) Common mistakes that sink cybercrime cases
- Deleting chats or “cleaning up” the account before preserving evidence
- Filing without transaction proof (no reference numbers, no bank/wallet records)
- Submitting cropped screenshots without URLs/timestamps/context
- Not keeping original files and device logs
- Waiting too long (accounts get deleted, logs expire, funds move)
- Filing the wrong legal theory (e.g., treating a scam as “hacking” without proof)
- Using “fixers” or paying “recovery agents” who are not legitimate and may worsen losses
11) Frequently asked practical questions
Can I file even if I only have a username, wallet ID, or phone number?
Yes. File against John Doe and provide all identifiers you have. Investigators may be able to correlate those with other reports or seek records through proper channels.
Can I file if the scammer is abroad?
Yes, but cross-border enforcement is more complex. You still file locally; investigators may coordinate where feasible.
Is reporting to Facebook/GCash/bank enough?
Platform and bank reporting helps with containment and documentation, but it’s usually not the same as filing a criminal complaint. Do both when money loss or serious harm is involved.
Can I settle?
Some cases allow practical settlement, especially where civil restitution is the main goal, but settlement doesn’t automatically erase criminal liability. The effect depends on the offense, stage, and prosecutorial/court discretion.
Should I notarize my affidavit?
Often helpful. Many offices will require affidavits under oath for prosecution. Notarization strengthens formality, but coordinate with the receiving office’s requirements.
12) Minimal template: what your Complaint-Affidavit should contain
- Caption (City/Province, Prosecutor/Agency)
- Complainant details (name, address, contact)
- Respondent details (name or “John Doe,” identifiers)
- Narrative (chronological facts, not conclusions)
- Loss/damage (amounts, dates, impact)
- Evidence list (Annexes)
- Prayer (investigation and filing of charges)
- Verification and oath (signed under oath)
13) Quick “what to bring” checklist
- 2 valid IDs
- Printed affidavit + soft copy
- Screenshots with URLs/timestamps
- Email headers (if applicable)
- Bank/e-wallet receipts with reference numbers
- Timeline and loss computation
- Any platform reports or ticket numbers
- Device info and security alert emails
14) Final practical guidance
If you are actively being harmed (ongoing hacking, sextortion, threats), prioritize:
- safety and account containment,
- preserving evidence, and
- filing promptly with a cybercrime unit for case build-up.
If your primary concern is financial loss, focus early on:
- transaction traceability (reference numbers, beneficiary accounts, wallet IDs), and
- speed (funds move quickly; logs expire).