How to Report Online Fraud in the Philippines: NBI Cybercrime Complaint Process and Evidence Checklist

NBI Cybercrime Complaint Process and Evidence Checklist

Online fraud in the Philippines is commonly prosecuted under the Revised Penal Code (for classic fraud/estafa concepts) and special laws that target computer-enabled wrongdoing, particularly Republic Act No. 10175 (Cybercrime Prevention Act of 2012). Depending on the scheme, other statutes may apply (for example, laws on electronic evidence and anti-money laundering frameworks when proceeds are traced). This article focuses on how to file a complaint with the National Bureau of Investigation (NBI) Cybercrime Division, what to expect in the process, and how to build an evidence file that investigators and prosecutors can actually use.

1) What counts as “online fraud” for complaint purposes

“Online fraud” is an umbrella term. Your report is stronger if you can describe the specific conduct, the loss, and the digital trail. In Philippine practice, the most frequent patterns include:

  • Marketplace scams: payment made, item never delivered; fake sellers/buyers; “reservation fee” schemes.
  • Investment/crypto scams: guaranteed returns, “pyramiding,” fake trading platforms, pig-butchering style romance/investment blends.
  • Phishing and account takeover: fake bank/e-wallet sites, OTP theft, SIM swap, social media takeover used to solicit money.
  • Impersonation and invoice scams: pretending to be a company, HR, supplier, or family member.
  • Fake customer support / remote access scams: victim is guided to install apps that enable control of device or access to accounts.
  • Chargeback/fake proof of payment: screenshots of “successful” transfer, edited transaction pages, fake bank notifications.
  • Loan apps and “processing fee” scams: borrower is asked to pay fees first, loan never released; threats/extortion sometimes follow.
  • Employment scams: “training fee,” “equipment fee,” or “placement fee” paid to a fake recruiter.

Common offenses that may be invoked (high level)

A single incident can implicate more than one offense. Typical legal hooks include:

  • Computer-related fraud (cybercrime law): fraud done through computer systems or manipulation of digital transactions/data.
  • Online scam as estafa-like conduct: deceit causing damage and inducing you to give money/property.
  • Identity-related offenses: using another person’s name, profile, photos, or credentials to deceive.
  • Unauthorized access/interference: hacking or taking over accounts/devices.
  • Threats/extortion: when scammers intimidate victims to pay.

You do not need to perfectly “label” the crime to file—what matters is that you provide a clear narrative and verifiable evidence.

2) NBI vs PNP Anti-Cybercrime Group vs prosecutor’s office: where to file

In the Philippines, cyber-fraud can be pursued through multiple entry points:

  • NBI Cybercrime Division / Cybercrime Division field units: good for cases that need investigative resources, tracing, preservation requests, and coordination with platforms and financial institutions.
  • PNP Anti-Cybercrime Group (ACG): also receives complaints and investigates.
  • Office of the City/Provincial Prosecutor: for filing a complaint-affidavit directly; usually you still need evidence and may benefit from prior investigative assistance.

Choosing one does not automatically exclude the others, but avoid duplicative filings that create conflicting case records. If you already filed with one agency, bring that reference when approaching another.

3) Before you file: immediate actions that protect your case and your money

A. Preserve and stabilize evidence

  • Stop deleting messages or accounts.
  • Do not “clean” your phone or reinstall apps.
  • Do not confront the scammer in ways that tip them off (they may delete accounts or move funds).
  • Back up chats and relevant files in read-only formats when possible.

B. Attempt rapid fund-containment (time-sensitive)

If money moved through banks or e-wallets, report immediately to the bank/e-wallet and request:

  • Transaction reversal (if possible),
  • Freeze/hold of recipient account, and/or
  • Investigation ticket reference and a copy of your report.

Even when funds cannot be recovered immediately, these reports create paper trails that support subpoenas, bank certifications, and cooperation requests.

C. Secure your accounts

If phishing/account takeover occurred:

  • Change passwords (email first, then financial apps).
  • Enable multi-factor authentication.
  • Check recovery email/phone settings.
  • Review recent logins and revoke unknown devices/sessions.
  • Report compromised social media pages to the platform.

4) The NBI Cybercrime complaint process (step-by-step)

Step 1: Identify the proper NBI unit and prepare your dossier

Complaints are typically received by NBI Cybercrime Division (or designated cybercrime units). Prepare:

  • a chronology (timeline),
  • a summary sheet of key identifiers (accounts, numbers, handles, URLs),
  • your evidence bundle (see checklist below),
  • and valid IDs.

Step 2: Execute a Complaint-Affidavit (or provide sworn statement)

The backbone of your case is a complaint-affidavit—a sworn narration of facts. You will generally need:

  • Your complete personal details and contact information,
  • The respondent’s known identifiers,
  • A clear account of what happened,
  • The damages/losses,
  • Attachments marked and referenced (Annex “A,” “B,” etc.).

If you do not know the real name of the suspect, you can file against “John/Jane Doe” or unknown persons, but provide every traceable identifier.

Step 3: Submission of evidence and initial evaluation

NBI personnel commonly check whether:

  • The incident is within cybercrime coverage,
  • There is enough digital trail to pursue,
  • The evidence appears authentic and complete,
  • Jurisdiction/venue considerations are manageable.

Expect guidance on missing items (for example: needing the full URL, a transaction reference number, or a certified bank statement).

Step 4: Case intake, documentation, and possible referral actions

After acceptance:

  • Your complaint is logged,
  • Evidence is recorded and may be copied,
  • You may be asked to execute additional affidavits (e.g., identification, supplemental narrative),
  • NBI may issue requests/letters to preserve data (depending on policy and what is permissible), and coordinate with platforms and financial institutions.

Step 5: Investigation stage (what investigators typically do)

Depending on facts and available data, investigators may:

  • Trace financial flows (banks/e-wallets),
  • Request subscriber/account details and logs,
  • Coordinate with platform providers for account identifiers (where possible),
  • Identify IP addresses/device identifiers if available and legally obtainable,
  • Link multiple complaints to a common actor (case build-up).

This stage can involve:

  • Requests for records,
  • Follow-up interviews,
  • Controlled communication (in some cases) to document ongoing solicitation.

Step 6: Filing for prosecution (when evidence is sufficient)

Once investigators determine probable cause can be established, the case is prepared for prosecutorial filing. Often, you (as complainant) will still need to:

  • Appear for clarificatory hearings if scheduled,
  • Submit certified/updated documents,
  • Authenticate key exhibits when required.

5) Venue and jurisdiction (practical rule-of-thumb)

For many cyber-related complaints, venue commonly considers:

  • Where the complainant accessed the system or received the fraudulent communication,
  • Where the transaction occurred (e.g., where you initiated transfer),
  • Where the damage was felt.

In practice, bring your location details (city/province, where you were when you transferred money or received the scam message) and let the receiving unit guide you on proper venue.

6) Evidence checklist (Philippine-ready, investigator-ready)

A. Identity and authority documents

  • Government-issued ID(s) with clear photo and signature.
  • If filing for someone else (minor, incapacitated, company): proof of authority (SPA, board resolution, secretary’s certificate, or proof of relationship/guardianship when applicable).

B. Narrative package (high impact, low effort)

  1. One-page case summary
  • What happened, how you were deceived, how much you lost, when/where it happened.
  • The exact “ask” from scammers (e.g., pay to GCash number X, bank account Y).
  1. Chronology / timeline
  • Date/time stamped events (first contact, negotiation, payment, follow-up, discovery of scam).
  1. Respondent identifiers sheet
  • Names used, aliases, social media handles, profile links,
  • Phone numbers, emails,
  • Bank/e-wallet account names and numbers,
  • URLs (marketplace listing, profile, group, website),
  • Shipping details (if any): rider name, tracking number, courier references.

C. Communication records (do this correctly)

  • Screenshots of entire conversation threads with:

    • visible usernames/handles,
    • visible timestamps where possible,
    • context (not just single messages).

  • Exported chats (if the platform allows) in native format (e.g., downloaded archive).

  • Call logs and recordings (if any), with date/time and the number used.

  • Email headers for phishing emails (not just the email body).

  • Links to the exact content: posts, ads, profiles, pages, chat invite links.

Best practice: Provide both (1) screenshots for quick viewing and (2) originals/exports for authenticity.

D. Transaction and money trail (often the decisive part)

For each payment/transfer:

  • Official transaction receipts (PDF or in-app receipt),
  • Reference numbers, timestamps, amount, sender/recipient details,
  • Bank statements or e-wallet transaction history showing the debit,
  • Any acknowledgment from the scammer (e.g., “Payment received”).

If cash-in/cash-out occurred:

  • Remittance slips, kiosk receipts,
  • Store branch location and date/time,
  • CCTV request references (if you reported quickly).

E. Device and account compromise evidence (for phishing/hacking)

  • Screenshots of:

    • login alerts,
    • unauthorized password change notices,
    • unknown devices,
    • OTP messages and phishing pages (if captured).

  • Browser history entries showing the phishing URL.

  • Installed app list (if remote access scam).

  • SIM swap indicators: sudden loss of signal, telco notifications, changes to SIM registration profile if known.

F. Platform and takedown/report references

  • Report ticket numbers from Facebook/Instagram/Telegram/WhatsApp, marketplaces, etc.
  • Any platform response emails.
  • Preservation requests you made (if any).

G. Witness and corroboration evidence (if available)

  • Affidavits of witnesses who saw the transaction or communications,
  • Screenshots from third parties who were also scammed by the same account,
  • Group chat logs showing pattern.

H. Evidence integrity checklist (what makes evidence usable)

  • Keep original files (not just forwarded copies).
  • Avoid editing images; if you must redact personal data for sharing, keep an unredacted copy for authorities.
  • Name files systematically: 2026-02-10_Chat_FB_Messenger_1.png, 2026-02-10_GCash_Receipt_Ref123.pdf, etc.
  • Store in two places (USB + cloud), and keep a printed index list.

7) Writing a strong complaint-affidavit (structure and tips)

A practical structure:

  1. Parties
  • Your identity and capacity (victim/complainant).
  • Respondent as “Unknown person using…” plus identifiers.
  1. Statement of facts
  • How contact started (ad, listing, message).
  • Representations made by respondent (promises, proofs, fake IDs).
  • Your reliance and the transaction you made.
  • Subsequent events (non-delivery, blocking, excuses).
  • How you confirmed it was a scam.
  1. Damage
  • Amount lost, incidental costs, emotional distress (if relevant),
  • Attach proof.
  1. Evidence references
  • “Attached as Annex ‘A’ are screenshots…”
  • “Annex ‘B’ is the receipt…”
  1. Relief
  • Request investigation, identification, and filing of appropriate charges.

Tone: factual, chronological, no speculation. Avoid conclusions like “he is definitely in X syndicate” unless you have proof.

8) What to expect after filing (and common reasons cases stall)

What typically happens

  • You may be asked for supplemental affidavits.
  • Investigators may advise you to obtain certified true copies of bank records.
  • Respondents may be identified slowly if they used mule accounts or fake identities.

Common reasons complaints weaken

  • Missing transaction reference numbers,
  • Only partial screenshots without identifiers/timestamps,
  • Deleted chats and lack of platform exports,
  • Payments made through untraceable channels without receipts,
  • Evidence that appears altered or cropped without context,
  • No clear link between the respondent’s account and the receiving account.

9) Special scenarios

A. If the suspect is “unknown” (no real name)

This is common. File anyway with:

  • handles, profile URLs, phone numbers, emails,
  • recipient bank/e-wallet details,
  • courier details, and
  • the full conversation.

B. If the scammer used a mule account

Even if the receiving name is not the mastermind, the money trail is still valuable for:

  • building links to other incidents,
  • identifying coordination patterns,
  • and supporting subpoenas and cooperation.

C. If you are outside the Philippines

You can still preserve evidence and coordinate with Philippine agencies. If travel is difficult, prepare notarized documents where you are and consult on authentication requirements for filing in the Philippines.

D. If threats or sextortion are involved

Prioritize safety:

  • Preserve threats (screenshots, links, handles),
  • Report immediately,
  • Avoid paying further,
  • Consider rapid account security measures and platform reporting.

10) Practical pack list: what to bring on filing day

  • Valid IDs (plus photocopies)

  • Printed case summary, timeline, and identifier sheet

  • USB drive with:

    • organized folder of screenshots,
    • exported chats,
    • PDFs of receipts/statements,
    • a single “index” document listing all files

  • Printed key receipts and screenshots (as backup)

  • Copies of bank/e-wallet ticket numbers and correspondence

11) Quick templates (copy-ready)

A. One-page case summary (outline)

  • Type of scam: (Marketplace / Investment / Phishing / etc.)
  • Date range: (Start – End)
  • Total loss: PHP ___
  • Where you were when you transacted: City/Province
  • Scammer identifiers: handles, URLs, numbers, emails
  • Receiving accounts: bank/e-wallet details + reference nos.
  • Core evidence: list of top 10 files/receipts
  • Status: reported to bank/e-wallet on (date), ticket #; platform report #

B. File naming convention

YYYY-MM-DD_Source_Type_Sequence Examples:

  • 2026-02-10_FBMessenger_Chat_01.png
  • 2026-02-10_GCash_Receipt_Ref12345.pdf
  • 2026-02-11_BDO_Statement_Page1.pdf

12) Key reminders (to maximize success)

  • The strongest cases pair (1) money trail + (2) platform identifiers + (3) complete conversation context.
  • Preserve originals and keep a clean chain of custody for your files.
  • Report quickly to financial institutions and retain ticket numbers.
  • Don’t let embarrassment delay filing—speed materially affects traceability.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login