How to Report and Request Blocking of Scam Websites in the Philippines (NTC/DICT)
Updated for Philippine legal and regulatory practice as of 2024.
Executive summary
The Philippines has a workable—though fragmented—framework for taking down or blocking scam websites. In practice, three tracks run in parallel:
- Criminal enforcement (PNP-ACG/NBI-CCD, with prosecutors and courts), which is the gold standard when you need formal seizures or a court-issued blocking order.
- Regulatory/administrative action through the National Telecommunications Commission (NTC), which can direct ISPs and public telecom entities (PTEs) to block access to identified malicious domains/URLs and coordinate with DICT on broader cyber-defense measures.
- Voluntary/industry measures (ISPs, domain registrars/hosts, anti-phishing exchanges, banks/e-wallets) triggered by well-documented complaints.
The most effective filings combine all three: preserve evidence → file a criminal complaint → lodge an NTC regulatory complaint copying DICT and the telcos → send targeted abuse reports to the registrar/host and industry feeds.
Legal bases and institutional roles
1) Statutes and general authorities
- Cybercrime Prevention Act of 2012 (RA 10175) – Establishes offenses (e.g., computer-related fraud), procedures for preservation and disclosure of computer data, and court-authorized restriction or blocking of computer data when warranted.
- Electronic Commerce Act (RA 8792) – Penalizes certain online frauds/false representations; provides evidentiary recognition of electronic data.
- Data Privacy Act (RA 10173) – Governs handling of personal data during incident response and complaint filing.
- Public Telecommunications Policy Act (RA 7925) and related NTC charter/issuances – Provide NTC with regulatory oversight of ISPs/PTEs, including consumer protection and network integrity directives.
- Anti-Child Pornography Act (RA 9775) – Explicitly supports blocking of child sexual abuse material (CSAM); while narrower in scope, its model has informed other harmful-content blocking efforts.
- SIM Registration Act (RA 11934) – Strengthens obligations of PTEs to curb scam propagation via text/SMS and enables deactivation measures tied to online fraud vectors.
Takeaway: Court-ordered blocking is the surest legal route for non-CSAM scams. NTC directives supplement this by leveraging telecom/ISP licensing to require access disruption where justified and narrowly tailored.
2) Key agencies
- NTC – Regulator of PTEs/ISPs. Receives complaints and may order temporary or ongoing blocks against domains/URLs/IPs, particularly when supported by law-enforcement findings or urgent consumer-protection concerns.
- DICT – Policy/coordination lead for cybersecurity; works via the Cybersecurity Bureau and attached CICC (Cybercrime Investigation and Coordinating Center) to triage reports, run threat intel, and coordinate multi-agency action.
- PNP Anti-Cybercrime Group (PNP-ACG) and NBI Cybercrime Division (NBI-CCD) – Investigate, preserve evidence, recommend prosecution, and seek court orders (e.g., search/seizure, data disclosure, and, where appropriate, interim blocking/injunctions).
- Department of Justice (DOJ) / National Prosecution Service – Prosecutorial evaluation and motions for judicial relief (including injunctive orders).
- National Privacy Commission (NPC) – Oversees privacy-law compliance when incidents involve personal data; you may need to notify NPC if a data breach co-occurs.
What “blocking” means (and why precision matters)
- DNS blocking – ISPs return NXDOMAIN or walled-garden responses for flagged domains. Low risk of collateral damage if you target exact FQDNs.
- URL filtering – Blocks specific paths on otherwise legitimate platforms (e.g., a single phishing page on a file-sharing site). Most precise but requires capable filtering.
- IP blocking – Drops traffic to/from an IP. Risky for shared hosting/CDNs (can cause overblocking).
- BGP/route filtering – Exceptional and rarely used for scams due to high collateral risk.
- App/link filtering (SMS) – PTEs block clickable malicious links in SMS streams (common under anti-smishing drives).
Best practice: Ask for domain or URL-level blocking with time-bound scope and periodic review, to respect due process and minimize overreach.
Evidentiary groundwork (do this first)
Capture the content
- Full-page screenshots with visible URL bar, date/time, and device clock.
- Save page source, HTTP headers, and WHOIS/DNS data (domain, registrar, nameservers, creation/updated dates).
- Record IP(s) via DNS resolution at different times; note hosting AS/CDN if any.
- For payment scams: preserve transaction logs, wallet addresses, QR codes, account names/numbers, chat/email headers.
Hash and seal
- Generate SHA-256 hashes of files/screenshots to support integrity.
- Maintain a chain-of-custody log: who collected what, when, and how (tool versions, system clocks).
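One way to carry out the hashing and custody steps above, as an added example that is not part of the original guide: it hashes every file in an evidence folder, records who collected it, when and how, and later re-checks the folder against that record. The function names, the collector name and the method string are hypothetical.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(evidence_dir):
    """Map each file's path (relative to evidence_dir) to its SHA-256."""
    out = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            out[os.path.relpath(path, evidence_dir)] = sha256_file(path)
    return dict(sorted(out.items()))

def build_manifest(evidence_dir, collector, method):
    """Custody record: who collected, when (UTC), how, and the file hashes."""
    return {"collector": collector, "method": method,
            "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "files": hash_tree(evidence_dir)}

def seal(manifest):
    """Digest of the canonical manifest, to quote in the custody log or affidavit."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def verify(evidence_dir, manifest):
    """Return (status, path) pairs for files missing, changed or added since sealing."""
    then, now = manifest["files"], hash_tree(evidence_dir)
    problems = [("missing", p) for p in then if p not in now]
    problems += [("changed", p) for p in then if p in now and now[p] != then[p]]
    problems += [("unlisted", p) for p in now if p not in then]
    return sorted(problems)

if __name__ == "__main__":
    # Constructed sample evidence in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "page.html"), "wb") as f:
            f.write(b"<html>constructed phishing page capture</html>")
        m = build_manifest(d, "J. Dela Cruz (hypothetical)", "browser save-as in isolated VM")
        print(seal(m), verify(d, m))  # store the manifest outside the evidence folder
```

Store the manifest and its seal outside the evidence folder, otherwise `verify` reports the manifest itself as an unlisted file.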
Avoid touching the evidence source
- Don’t probe excessively or “hack back.” Passive collection is fine; active intrusion is not.
- If visiting risky URLs, use an isolated environment (sandbox/VM) and record that in your log.
Identify the right target
- Differentiate domain vs subdomain vs URL path.
- Check if the domain is parked, newly registered, or part of a legitimate platform (marketplace page, social profile, link shortener). Tailor your request accordingly.
Reporting & request pathways
A) Law-enforcement complaint (recommended in all serious cases)
Where to file:
- PNP-ACG (any regional office) or NBI-CCD.
What to submit:
- Affidavit-Complaint detailing the scam (who, what, when, where, how), with penal provisions invoked (e.g., estafa/Art. 315 RPC, computer-related fraud under RA 10175).
- Annexes: the evidence set above (screens, logs, hashes), plus IDs and authority documents (if filing on behalf of a company).
- Prayer: preservation orders, subpoenas to registrars/hosts/payment intermediaries, and application for temporary restraining/blocking order targeting exact domains/URLs.
Why this track matters:
- Enables court-authorized blocking and cross-border evidence requests; strengthens subsequent NTC action.
B) NTC regulatory complaint and blocking request
Who may file: Any person/entity affected, or counsel/authorized representative.
Venue: NTC Central Office (Quezon City) or nearest Regional Office; email channels are commonly accepted for initial intake, followed by formal submissions.
What to file:
Letter-Complaint to the NTC Commissioner/Regional Director with:
- Parties’ details and standing (consumer, ISP subscriber, financial institution, platform victim).
- Clear identifiers: domains, subdomains, precise URLs, and observed IPs.
- Factual narrative of the scam and harm (consumer loss, phishing, malware delivery).
- Legal basis: RA 10175 (cybercrime), RA 7925 (telecom regulation/consumer protection), and public-interest grounds to protect subscribers.
- Relief sought: directive to ISPs/PTEs to block the listed domains/URLs (prefer exact domain/URL lists) for a limited period, subject to re-validation; coordination with DICT/CICC for intel sharing.
- Attachments: evidence bundle (hash list; chain of custody), any LEO case reference (PNP/NBI control number), and affidavit of the complainant.
NTC process in practice:
- Triage by Consumer/Legal/Enforcement units.
- Coordination with DICT/CICC and, where applicable, PNP/NBI.
- Notice to concerned ISPs/PTEs with a directive (often time-bound, list-based).
- Feedback loop: ISPs report blocking implementation; complainant may be asked to validate whether access is still possible or if new mirror domains emerged.
Tip: Provide a machine-readable IOC list (CSV with domain, URL, first-seen, last-seen, evidence hash) to speed ISP implementation and future updates.
C) DICT/CICC reporting and cyber-defense coordination
- File a cybercrime/cybersecurity incident report with DICT or CICC, attaching the same dossier.
- Request threat-intel correlation and IOC dissemination to ISPs, telcos, and partner agencies.
- For large-scale campaigns (e.g., smishing), ask DICT to trigger network-level filtering advisories to PTEs.
D) Parallel industry takedowns (fast and often effective)
- Domain registrar/registry: Send an abuse notice citing fraud/phishing, with evidence and hashes; request domain suspension.
- Hosting provider/CDN: Report the abusive URL (not the whole platform) for swift removal.
- Search engines: Report phishing/malware for de-indexing and interstitial warnings.
- Banks/e-wallets: File merchant/account abuse reports to freeze receiving accounts advertised on the site.
- Anti-phishing threat exchanges: Submit IOC details to broaden ecosystem blocking.
Drafting guidance and templates
1) Affidavit-Complaint (law enforcement)
Caption (e.g., Affidavit-Complaint for Violation of RA 10175 and Estafa).
Parties and jurisdiction (where the acts were committed or where complainant resides).
Facts: timeline of discovery, interaction, loss (if any), and exact online artifacts (domain/URL/IP).
Elements of offenses: map facts to statutory elements (false pretenses, unauthorized access, computer-related fraud).
Prayers:
- Issue preservation orders and subpoenas duces tecum to registrar/host/payment processors;
- Apply for a Temporary Restraining/Blocking Order targeting the enumerated domains/URLs;
- File appropriate charges.
Annexes: Screenshot set; raw HTML/headers; DNS/WHOIS; transaction records; hash manifest; chain of custody.
2) Letter-Complaint and Request for Blocking (NTC)
Heading: Re: Complaint and Urgent Request for ISP-Level Blocking of Scam Domains/URLs.
Body:
- Identification of complainant and affected public interest (consumer protection).
- Enumerated indicators of compromise (bulleted table).
- Legal grounds for NTC directive to ISPs/PTEs.
- Scope and proportionality: domain/URL-level only; time-bound (e.g., 90 days subject to review).
- Commitment to updates: complainant will furnish new IOCs if mirrors appear.
Relief: immediate ISP-level block; ISP confirmation reports; coordination with DICT/CICC; courtesy copy to PNP/NBI case officer.
Attachments: evidence bundle; CSV IOC list; affidavit; reference to LE case number if any.
Practical tips that make or break a request
- Be precise, not broad: Overly broad requests (e.g., “block all sites like X”) risk denial for lack of specificity or due process concerns.
- Time-bind and review: Offer a review horizon (e.g., 60–90 days) and accept periodic re-validation.
- Target URLs on major platforms: For sub-pages on big platforms, seek URL filtering or platform takedown, not full-domain blocks.
- Mirror/domain churn: Include detector heuristics (e.g., typosquats, newly registered domains sharing the same wallet/QR) to help ISPs spot variants, but only ask to block items you enumerate unless the regulator agrees to narrowly defined pattern rules.
- Respect due process: Avoid urging “block first, ask later” except where the law squarely allows (e.g., CSAM) or where facts show imminent public harm and the order provides prompt contest/appeal mechanisms.
- Coordinate comms: Use one case reference across NTC/DICT/PNP/NBI; share updates as new IOCs surface.
- Protect personal data: Redact non-essential PII from public filings; include full unredacted sets only in secure submissions.
Frequently invoked offenses and parallel remedies
- Estafa (Art. 315, RPC) – Classic avenue for fraud-induced loss.
- Computer-related fraud/forgery (RA 10175) – When data manipulation or phishing is involved.
- Unauthorized access and illegal interception (RA 10175) – If credentials were harvested/used.
- Intellectual property & consumer laws – For counterfeit goods scams.
- Administrative sanctions vs. PTEs/ISPs – Non-compliance with valid NTC directives can trigger regulatory penalties.
- Civil remedies – Injunctions/damages against identifiable perpetrators or enablers.
Cross-border and jurisdiction issues
- Offshore domains/hosts: Use registrar/host abuse channels and court-assisted MLAT requests.
- Budapest Convention participation aids cross-border evidence and cooperation.
- CDN/shared IPs: Prefer DNS/URL blocking; IP-level blocks are a last resort due to collateral impact.
Company playbook (if you’re an enterprise victim)
- Incident Response (IR) kickoff – Contain, collect, classify (scam type: phishing, fake store, investment fraud).
- Legal assessment – Offense mapping, harm statements, draft filings.
- Stakeholder sprint – File with PNP/NBI; lodge NTC request; notify DICT/CICC; send registrar/host takedowns; advise banks/e-wallets.
- Customer advisory – Publish a verified notice; offer remediation (password resets, refund steps).
- Monitoring – Track mirrors, update IOCs weekly for 4–12 weeks.
- Post-mortem – Update playbooks; negotiate standing contacts with ISPs and regulators for faster response next time.
Model IOC table (attach as CSV)
Type | Value | First Seen | Last Seen | Evidence Hash (SHA-256) | Notes |
---|---|---|---|---|---|
Domain | ph-promo-bankexample.com | 2024-07-09 | 2024-07-10 | … | Typosquat |
URL | https://bankexample-verify.com/l/k | 2024-07-09 | 2024-07-11 | … | Phishing form |
IP | 203.0.113.42 | 2024-07-09 | 2024-07-10 | … | Shared host—avoid IP block |
Wallet | bc1q… | 2024-07-10 | 2024-07-10 | … | Receiving addr |
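A sketch of how the machine-readable IOC list recommended in the NTC section can be generated with the columns of the model table, added here as an example and not taken from the original guide. It accepts only exact FQDNs, http(s) URLs and IP literals, rejects wildcards and other overbroad entries, and marks IPs as observations and not block targets; wallet rows are left out of this sketch, and the function names and all-zero hashes are placeholders.

```python
import csv, io, ipaddress, re
from datetime import date
from urllib.parse import urlsplit
COLUMNS = ["Type", "Value", "First Seen", "Last Seen", "Evidence Hash (SHA-256)", "Notes"]
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def classify(value):
    """Return (type, normalized value); reject anything that is not an exact target."""
    v = value.strip()
    if "*" in v:
        raise ValueError(f"wildcard is overbroad, enumerate exact FQDNs: {v}")
    try:
        return "IP", str(ipaddress.ip_address(v))
    except ValueError:
        pass  # not an IP literal, keep classifying
    if "://" in v:
        u = urlsplit(v)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"not an http(s) URL: {v}")
        return "URL", v
    host = v.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a fully qualified domain name: {v}")
    return "Domain", host

def build_ioc_csv(entries):
    """entries: iterable of (value, first_seen, last_seen, sha256_hex, notes)."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(COLUMNS)
    for value, first, last, digest, notes in entries:
        kind, norm = classify(value)
        if date.fromisoformat(first) > date.fromisoformat(last):
            raise ValueError(f"first seen after last seen: {value}")
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"evidence hash is not SHA-256 hex: {value}")
        if kind == "IP":  # listed as an observation, not as a block target
            notes = (notes + "; " if notes else "") + "observed only; no IP block requested"
        w.writerow([kind, norm, first, last, digest, notes])
    return out.getvalue()

SAMPLE = [  # constructed rows: placeholder hashes, documentation-range IP
    ("PH-Promo-BankExample.com.", "2024-07-09", "2024-07-10", "0" * 64, "Typosquat"),
    ("https://bankexample-verify.com/l/k", "2024-07-09", "2024-07-11", "0" * 64, "Phishing form"),
    ("203.0.113.42", "2024-07-09", "2024-07-10", "0" * 64, "Shared host"),
]
if __name__ == "__main__":
    print(build_ioc_csv(SAMPLE))
```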
Sample letter (NTC)
Subject: Complaint and Urgent Request for ISP-Level Blocking of Fraudulent Domains/URLs
Addressee: The Commissioner, National Telecommunications Commission
Body (abridged): We respectfully request immediate ISP-level blocking of the following domains/URLs used in large-scale online fraud targeting the Philippine public: [list]. The enclosed affidavit and annexes show victims, losses, and technical indicators. Pursuant to RA 10175 and NTC’s mandate under RA 7925 to protect subscribers and network integrity, we pray for a time-bound block (90 days, renewable upon validation), limited to the enumerated FQDNs/URLs to avoid collateral impact. We commit to providing updates if mirror domains appear and will coordinate with DICT/CICC and PNP/NBI under the referenced case no. [____].
Attachments: Affidavit; Evidence bundle; IOC CSV; Hash manifest; Chain-of-custody log; LE case reference.
Due process, transparency, and appeal
- Notice to affected parties (where identifiable) and a mechanism to contest blocks should accompany NTC directives or court orders.
- Logging by ISPs (what was blocked, when, under what authority) aids transparency.
- Sunset/renewal clauses prevent indefinite blocks without review.
- Complainants should withdraw or narrow requests if evidence changes (e.g., URL removed but domain remains active for legitimate content).
Common pitfalls (and how to avoid them)
- Overbroad scopes → Always specify exact FQDNs/URLs and justify each.
- Insufficient evidence → Screenshots alone are weak; add headers, HTML source, DNS/WHOIS, and transaction ties.
- Skipping law enforcement → Limits your ability to obtain court relief and cross-border cooperation.
- No monitoring plan → Scammers rotate domains; prepare to update IOCs.
- Privacy missteps → Redact non-essential PII in public docs; secure channels for full sets.
Quick checklist
- Evidence captured (screens, source, DNS/WHOIS, headers, hashes).
- Chain-of-custody log started.
- Affidavit-Complaint filed with PNP-ACG/NBI-CCD.
- NTC complaint + IOC CSV submitted; copies to DICT/CICC.
- Registrar/host abuse reports sent; payment rails notified.
- Monitoring for mirrors; periodic IOC updates.
- Post-action review and documentation.
Final notes
- Court orders provide the strongest legal footing for blocking. Use NTC directives to protect the public quickly while judicial relief is pursued.
- Keep requests narrow, evidence-based, and time-bound.
- Treat privacy and due process as design constraints—not afterthoughts.
With a well-documented dossier and coordinated filings to NTC, DICT/CICC, and law enforcement, victims and institutions can meaningfully reduce exposure to scam websites while respecting constitutional and statutory limits.