How to Report Cybercrime Incidents in the Philippines

A practical legal guide for individuals, businesses, and counsel


1) What counts as “cybercrime” (and why the label matters)

Under Philippine law, “cybercrime” generally covers any offense where a computer system or data is the target, the tool, or the scene of the crime. Core sources include:

  • Cybercrime Prevention Act of 2012 (Republic Act No. 10175) – creates and penalizes:

    • Offenses against confidentiality, integrity, and availability of data/systems (illegal access, interception, data/system interference, misuse of devices).
    • Computer-related offenses (computer-related forgery, fraud, identity theft).
    • Content-related offenses (e.g., cybersex; online libel; child pornography is addressed under a separate law but aggravated when ICT is used).
  • Data Privacy Act (RA 10173) – covers personal data breaches and breach notifications.

  • E-Commerce Act (RA 8792) – recognition and evidentiary rules for electronic data/messages.

  • Other special laws (e.g., Anti-Photo and Video Voyeurism Act, Anti-Child Pornography Act, Anti-Violence Against Women and Their Children, Anti-Trafficking in Persons, intellectual property statutes) and the Revised Penal Code (e.g., estafa, threats, unjust vexation) when committed through ICT.

Correct classification affects which agency takes the lead, what remedies apply, where you file, and what you must preserve.


2) The reporting map: who handles what

Law-enforcement & prosecutors

  • NBI – Cybercrime Division (NBI-CCAD): nationwide investigative jurisdiction; good for complex or high-impact incidents, cross-border elements, or when you need forensic handling from the outset.
  • PNP – Anti-Cybercrime Group (PNP-ACG): fielded across regions; rapid intake for scams, hacking, sextortion, cyberbullying, identity theft, phishing, card skimming, ransomware, etc.
  • Department of Justice – Office of Cybercrime (DOJ-OOC): central coordinating authority; assists with take-downs, mutual legal assistance, and prosecution support.
  • Special Cybercrime Courts (Regional Trial Courts designated by the Supreme Court): issue cyber warrants and try cybercrime cases.

Regulators & sector leads (often parallel, not exclusive to police reports)

  • National Privacy Commission (NPC): for personal data breaches and privacy violations (controllers/processors).
  • DICT / CERT-PH: for incident response coordination, vulnerability disclosure, and critical infrastructure incidents.
  • NTC: telco-related issues (SIM misuse, spam text campaigns).
  • BSP/Bank/EMI: unauthorized transactions, phishing, ATM/online banking fraud (start with your bank; escalate to BSP consumer protection if unresolved).
  • IPOPHL: online IP infringement (counterfeits/piracy).
  • IACAT/PNP-WCPC: online sexual exploitation of children (OSEC) and trafficking-linked cases.

Tip: You can report to both a law-enforcement body (NBI/PNP) and a regulator (e.g., NPC for breaches, BSP for banking fraud). They serve different functions.


3) Immediate “golden hour” actions (first 24–72 hours)

  1. Do not delete or alter anything. Power systems down only if strictly necessary to stop continuing harm; otherwise isolate from the network to preserve volatile evidence.

  2. Preserve evidence (see detailed checklist below).

  3. Contain the incident: change credentials from a safe device, revoke tokens/API keys, rotate keys, enable MFA, and disable compromised accounts.

  4. Notify the right people quickly:

    • Individuals: bank (if financial), platform/app support, employer/IT/security, and police (PNP-ACG) or NBI-CCAD.
    • Organizations (as “personal information controllers”): assess if a breach notification to NPC and affected data subjects is required without undue delay (generally within 72 hours of knowledge for notifiable breaches).
  5. Prepare an initial incident report (template below) before you walk into a station or file online; it speeds up intake and helps you stay consistent.


4) Where and how to file: step-by-step

A. Filing a criminal complaint (NBI-CCAD or PNP-ACG)

What to bring

  • A sworn statement/affidavit narrating the facts in chronological order.
  • Identity documents (government ID; for companies: SEC/DTI docs, board/secretary’s certificate authorizing the representative).
  • Evidence package (digital & printed): screenshots, message/email headers, transaction logs, device photos, filenames/hashes if available, and a media storage device containing the original exports.

Process overview

  1. Intake & triage – determine offense classification/jurisdiction; risk/urgency assessment (e.g., active extortion, ongoing account takeover).
  2. Evidence turnover – investigators may forensically image devices or collect copies; keep a receipt of property/evidence and maintain a chain-of-custody log.
  3. Investigation – requests to platforms/telcos, cyber warrants (see below), coordination with regulators/banks; interviews of complainant and witnesses.
  4. Filing with the prosecutor – preparation of the complaint-affidavit with annexes; inquest for arrests without warrant or regular filing otherwise.
  5. Pre-trial & trial – once information is filed in court; expect motions related to authenticity of electronic evidence and jurisdiction.

You can also go directly to the City/Provincial Prosecutor to lodge a criminal complaint-affidavit with annexes. The prosecutor may refer to police/NBI for further investigation.

B. Reporting a data privacy breach (NPC)

Organizations must:

  • Assess material risk to rights/freedoms of individuals.
  • Notify NPC and affected data subjects without undue delay (commonly within 72 hours for notifiable breaches) with: nature of breach, personal data involved, measures taken, and contact details of the DPO.
  • Maintain a breach register, conduct post-incident remediation, and follow orders from NPC (audits, compliance checks).

C. Banking/financial fraud

  • Immediately notify your bank/EMI (freeze/block, dispute, card replacement).
  • File a police/NBI report for record and investigation.
  • If unresolved, escalate to the bank’s Consumer Assistance Mechanism, then to the BSP consumer protection channel. Keep reference numbers and written replies.

D. Platform/telco takedowns

  • Use in-platform reporting (impersonation, IP piracy, CSAM, harassment).
  • For SIM/telco abuse (smishing/spam), file with your carrier and NTC; include message content, sender/MSISDN, timestamps.

5) Cyber warrants & investigative tools (what to expect)

The Rules on Cybercrime Warrants empower courts to issue:

  • Warrant to Disclose Computer Data (WDCD) – to compel service providers/platforms to disclose traffic/content data.
  • Warrant to Intercept Computer Data (WICD) – for lawful interception/real-time collection.
  • Warrant to Search, Seize and Examine Computer Data (WSSECD) – for on-site or remote acquisition/forensic extraction.
  • Warrant to Examine Computer Data (WECD) – for data already lawfully seized.

Applications typically show probable cause, particularity, scope, time limits, and data minimization. Expect directions on hashing, imaging, and returns to court.


6) Electronic evidence: admissibility & best practices

  • Rules on Electronic Evidence (Supreme Court) recognize electronic documents and signatures.
  • Authentication may be shown through: metadata, hash values (MD5/SHA-256), system logs, custodial testimony, platform certificates/business records, and forensic expert reports.
  • Keep an evidence log capturing: what/when/from where/by whom/how stored.
  • Prefer original exports (e.g., full email with headers in .eml, chat exports with JSON/HTML, server logs), not just screenshots.
  • Ensure chain of custody from collection to court.

7) Jurisdiction, venue, and prescription (high-level)

  • Venue generally lies where any element occurred, where the offended party resides in certain online offenses, or where the computer system is located/accessed.
  • Some offenses have special rules or longer prescriptive periods when committed through ICT. When in doubt, file early and let the prosecutor resolve conflicts; late filing risks dismissal.

8) Cross-border elements

  • The Philippines cooperates through mutual legal assistance and international frameworks (including the Budapest Convention on Cybercrime).
  • Practical note: platform and telco data may be stored offshore; timely preservation requests and cyber warrants/MLA are critical to avoid loss due to provider retention limits.

9) What to include in your report (templates)

A. Incident report (individual)

1. Parties

  • Complainant: name, address, IDs, contact.
  • Suspect (if known): identifiers, handles, URLs.

2. Narrative (chronological)

  • Date/time zone; device/accounts involved; what you saw/did; losses; witnesses.

3. Evidence list & locations

  • Files (hashes if available), messages (raw exports), screenshots (with visible timestamps/URLs), logs, bank records, receipts, delivery info, IP addresses.

4. Relief sought

  • Investigation, takedown, restitution, protective measures.

5. Consent & declarations

  • Consent for device imaging, truthful statements under oath.

B. Incident report (organization / DPO)

  1. Executive summary – what happened, when detected, scope.
  2. Assets & data – systems affected, categories of personal data.
  3. Threat/attack vector – phishing, credential stuffing, malware, misconfiguration, insider.
  4. Containment & eradication – actions taken and when.
  5. Impact – number of data subjects, services disrupted, financial exposure.
  6. Notifications – to NPC, data subjects, banks, law enforcement, partners.
  7. Forensics & evidence – imaging details, hashes, logs preserved, third-party IR engagement.
  8. Remediation plan – patches, MFA rollout, user comms, monitoring.
  9. Appendices – timeline, IOC list, copies of notices, legal holds.


10) Evidence preservation checklist (copy/paste)

  • Export full email with headers; save .eml/.msg and a PDF print.
  • Screenshots with visible URL, handle, and timestamps; keep original exports (chat JSON/HTML, platform transparency reports).
  • Device & server logs (auth logs, firewall, VPN, EDR, cloud audit trails) with time synchronization noted.
  • Bank/SMS/OTP records, transaction IDs, dispute reference numbers.
  • Malware/attachments quarantined; do not execute; retain hashes (SHA-256).
  • External links: record full URLs, storage locations, and dates accessed.
  • Chain-of-custody form: item, unique ID, collector, date/time, method, hash, transfer signatures.
  • Legal hold notices to staff/vendors; suspend auto-deletion.
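
The hash and chain-of-custody items above (and the evidence log described in section 6) can be produced with a short script. The following is an added example, not part of the original guide: it records the checklist's chain-of-custody fields for every file in an evidence folder and later re-checks the files against the recorded SHA-256 values. The function names, field keys, and sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import uuid
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large exports or images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_custody_log(evidence_dir, collector, method):
    """One row per file, using the checklist's chain-of-custody fields."""
    rows = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            rows.append({
                "item": os.path.relpath(path, evidence_dir),
                "unique_id": str(uuid.uuid4()),
                "collector": collector,
                "collected_utc": datetime.now(timezone.utc).isoformat(),
                "method": method,
                "sha256": sha256_file(path),
                "transfer_signatures": [],  # completed by hand at each handover
            })
    rows.sort(key=lambda r: r["item"])  # stable order for printing and review
    return rows

def verify_custody_log(rows, evidence_dir):
    """Return (item, reason) for each logged file that is missing or altered."""
    problems = []
    for row in rows:
        path = os.path.join(evidence_dir, row["item"])
        if not os.path.isfile(path):
            problems.append((row["item"], "missing"))
        elif sha256_file(path) != row["sha256"]:
            problems.append((row["item"], "hash mismatch"))
    return problems

if __name__ == "__main__":
    # Constructed sample evidence, written to a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "phish.eml"), "wb") as fh:
            fh.write(b"From: sender@example.test\r\nSubject: sample\r\n\r\nbody\r\n")
        log = build_custody_log(d, "J. Dela Cruz (hypothetical)", "mail client export")
        print(log[0]["item"], log[0]["sha256"])
        print(verify_custody_log(log, d))
```

Run it against a working copy of the exports, keep the resulting log with the originals, and re-run the verification before each handover so any change is caught and explained in the log.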

11) Special scenarios & where to report first

  • Unauthorized bank transfers / card fraud → Bank (immediate), PNP-ACG/NBI, possible BSP escalation.
  • Account takeover (email/social) → Platform (recovery & 2FA), PNP-ACG/NBI; if corporate, DPO & NPC if personal data at risk.
  • Ransomware → Internal IR team/DICT-CERT-PH, PNP-ACG/NBI; involve counsel before paying any demand; consider sanctions/AML risks.
  • Sextortion / OSEC → PNP-ACG/NBI; minors → WCPC/IACAT; request emergency takedown from the platform.
  • Deepfake/defamation/harassment → Platform (takedown), PNP-ACG/NBI; preserve source files and posting metadata.
  • Data breach (org) → NPC (if notifiable) and affected data subjects, plus law enforcement when a crime is involved.
  • IP piracy/counterfeits → Platform, IPOPHL, PNP/NBI (IP units).

12) Practical drafting tips for lawyers & complainants

  • Name the offense under RA 10175 (and other applicable laws) but plead facts, not labels.
  • Attach properly marked annexes (Annex “A”, “B”, etc.) and reference exhibits in your affidavit.
  • Request preservation and, where needed, assistance for cyber warrants to stop data from being purged by providers.
  • Anticipate defenses: lack of jurisdiction, hearsay/screenshot authenticity, absence of malice/intent, or consent.
  • Use business records exceptions, platform certificates, and expert testimony to authenticate digital evidence.
  • For organizations, align with incident response plans, DPO workflows, and board oversight.

13) Victim protection & remedies

  • Civil damages may be pursued alongside or apart from criminal cases (e.g., moral, exemplary damages; attorney’s fees).
  • Protection orders are available for VAWC-related online abuse.
  • Take-down mechanisms: platforms, registrars/hosts (via notices), and court orders.
  • Restitution in fraud cases may be ordered; coordinate early with banks and prosecutors.

14) Compliance posture for organizations (to lessen legal exposure)

  • Appoint a Data Protection Officer, maintain a privacy management program, conduct PIAs, and implement MFA, least privilege, logging, and backups.
  • Keep a Breach Response Plan with 72-hour clock triggers, law-enforcement contacts, and outside counsel/forensics on retainer.
  • Train staff on phishing and secure handling of personal data; test with tabletop exercises.
  • Maintain vendor and cloud clauses for breach notification, cooperation, and evidence preservation.

15) Frequently asked questions

Do I need barangay conciliation first? No. Cybercrime complaints are criminal and typically carry penalties beyond the barangay’s scope; they are filed with police/NBI and the prosecutor.

Can I file where I live? Often yes, especially for certain online offenses; otherwise file where any element occurred or where the system/data is located.

What if the suspect is overseas? Still file. Law enforcement can request preservation and work through international cooperation channels.

Is a screenshot enough? It helps, but export originals (with headers/logs/metadata) and keep hashes whenever possible.


16) One-page action plan (tear-off)

  1. Preserve: exports, headers, logs, hashes; isolate systems.
  2. Contain: reset credentials, MFA, revoke tokens; notify your bank/platform.
  3. Report: file with PNP-ACG or NBI-CCAD; organizations assess NPC notification.
  4. Document: incident timeline, costs/losses, and all reference numbers.
  5. Follow through: assist on warrants, respond to subpoenas, pursue takedowns and restitution.

Final note

This article is a practical guide, not legal advice for a specific case. Facts matter in cybercrime. When stakes are high, involve counsel early, preserve evidence meticulously, and report promptly to the appropriate Philippine authorities.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.