How to Report Online Loan Scams in the Philippines: Evidence, Agencies, and Refund Strategies

This is general information for educational purposes and not legal advice. Laws and procedures change; consult a Philippine lawyer for guidance on your specific case.

1) What counts as an “online loan scam”?

Common patterns

Fake lenders/loan apps that collect “processing fees” then disappear, or release only a fraction of the loan and keep charging fees.
Identity-theft loans opened in your name after phishing or device takeover (malware, SIM swap, OTP capture).
Debt-shaming schemes: abusive messages to your contacts, doctored photos, public posts, or threats to publish your data unless you pay.
Upgrade/renewal lures: “We’ll increase your limit—just share your OTP/pay a small verification fee.”
Payment red flags: asking you to send money to personal accounts/e-wallets, cryptocurrency, or gift cards; insisting on screenshots then blocking you.

Legal markers of illegality

Operating a lending/financing business without SEC registration and a Certificate of Authority (Lending Company Regulation Act, RA 9474).
Unfair collection practices (e.g., threats, profanity, contacting your contacts) prohibited for lending/financing companies (e.g., SEC rules).
Unauthorized processing or disclosure of your personal data (Data Privacy Act, RA 10173).
Fraud/estafa (Revised Penal Code, Art. 315), cybercrime modalities (Cybercrime Prevention Act, RA 10175), access device fraud (credit/debit cards, RA 8484), and grave threats/coercion under the RPC.
For regulated financial firms, unfair or abusive acts under the Financial Consumer Protection Act (RA 11765).

2) First 24 hours: triage and containment

Stop further loss

Freeze and dispute: Call your bank/e-wallet/card hotline immediately. Report fraud/unauthorized transaction and ask for a temporary block on accounts/cards and password/PIN resets. Enable/refresh 2FA.
If funds were transferred: Ask your bank to initiate a transaction recall/hold with the receiving institution. Provide reference numbers and say it’s a fraud case.

Secure your devices & data

On your phone, revoke app permissions (Contacts, SMS, Photos, Storage, Camera, Microphone, Phone) for the suspicious app; uninstall it after you preserve evidence (see §3).
Change passwords for banking, email, social, and your device lock screen. Update SIM/e-SIM PIN.
Run a reputable mobile anti-malware scan. Consider a factory reset only after you have captured evidence.

Protect against harassment

Tell family/friends that any messages about you asking for money are likely scam pressure tactics.
If “shaming” posts appear online, report them using the platform’s privacy/harassment tools and screenshot/record them first (evidence).

Document everything (see §3) and file reports promptly (see §5–7). Speed helps with bank recalls and investigations.

3) Evidence: what to collect and how to preserve it

Core items

Identity of the counterparty: app name/URL, social handles, phone/SIM numbers, email addresses, bank/e-wallet details (account name/number), and any QR codes.
Communications: full chat/email/SMS threads, including headers, profile pages, group chats, voice notes.
Transaction proof: bank/e-wallet statements, transaction reference numbers, receipts, card authorization alerts, OTP logs.
Device/app data: screenshots of app permissions, app version, APK hash (if possible), install time, and requested permissions.
Harassment artifacts: screenshots/recordings of threats, “doxxing,” and posts sent to your contacts.
Timeline: a dated list of events (what happened, when, who you spoke to).

Preservation tips

Screenshots + screen recordings showing the URL/address bar and timestamps when possible.
Export chats to PDF or text; print to PDF with page numbers.
Keep original files. Don’t edit images; instead add a separate note explaining context.
Back up to a write-once medium or cloud folder. Maintain a simple chain-of-custody note: who collected, when, and where stored.

4) Applicable laws (quick map)

Estafa / Swindling – Revised Penal Code, Art. 315 (false pretenses, fraudulent acts causing damage).
Cybercrime Prevention Act (RA 10175) – covers computer-related fraud, identity theft, illegal access, cyber libel (often used for “shaming”).
Access Devices Regulation Act (RA 8484) – unauthorized use of cards/access devices.
Financial Consumer Protection Act (RA 11765) – redress and regulator oversight for banks, e-money issuers, remittance agents, and other covered financial providers.
Lending Company Regulation Act (RA 9474) + SEC rules – registration/Certificate of Authority; unfair debt collection prohibitions for lending/financing companies.
Data Privacy Act (RA 10173) – unauthorized processing, malicious disclosure of personal data, inadequate security measures.
SIM Registration Act (RA 11934) – reporting misuse of registered numbers.
Anti-Money Laundering Act (RA 9160, as amended) – banks may file STRs; in larger cases authorities may seek freeze orders.

5) Where to report: who handles what (and when)

Criminal investigation

PNP Anti-Cybercrime Group (ACG) – for cyber-enabled fraud, threats, identity theft. File a police blotter and a cybercrime complaint; bring your evidence kit.
NBI Cybercrime Division – accepts complaints for online fraud, phishing, and harassment; may conduct digital forensics/coordination with platforms.

Regulators / sectoral agencies

SEC – Enforcement & Investor Protection / Lending & Financing oversight: report illegal loan apps, unregistered lenders, unfair collection.
Bangko Sentral ng Pilipinas (BSP) – if a bank, e-money issuer (e-wallet), remittance agent, or card issuer is involved (failed dispute handling, security lapses). Under the FCPA, complain first to the institution, then escalate to BSP with proof if unresolved.
National Privacy Commission (NPC) – for data privacy violations, e.g., scraping/using contact lists, public disclosure, threats using your personal data, inadequate app privacy notices.
Department of Trade and Industry (DTI) – E-Commerce/Consumer Protection – for non-financial goods/services scams masquerading as “loans” (e.g., item-purchase “loans”), but pure lending is usually SEC/BSP turf.
National Telecommunications Commission (NTC) and your telco – for abusive/scam calls/SMS, number blocking, spam reporting.

Payments rails and platforms

Your bank/e-wallet/card issuer – primary for disputes, recalls, and chargebacks.
Payment gateways/processors (if you paid a “merchant”) – report a fraudulent merchant so they can hold settlements/terminate accounts.
App stores/social platforms – report abusive apps and shaming content for removal.

6) How to file: practical step-by-step

A) With your bank/e-wallet/card issuer

Call the fraud hotline; request account/card block and password resets.
File a Transaction Dispute (and Fraud Declaration/Affidavit if required).
Submit: valid ID, transaction references, screenshots, timeline, and a police blotter or NBI receipt if available.
Ask for the case/ reference number and written acknowledgment. Keep logs of every call/email.
If not resolved within the provider’s or regulator’s prescribed period, escalate (BSP for banks/e-wallets).

B) With PNP-ACG or NBI Cybercrime

Prepare a Complaint-Affidavit (see template in §10) with your evidence index.
Bring government ID and digital/printed evidence; ask how to submit large files.
If identity of the scammer is unknown, name John/Jane Does and request subpoena/MLA steps as appropriate.
Ask for your case number and a certified copy of your blotter/receipt (useful for banks and platforms).

C) With the SEC (illegal lenders/unfair collection)

File a complaint describing: app/entity name(s), evidence of no SEC registration/COA, screenshots of harassment, and payment channels used.
Request take-down and cease-and-desist action where warranted; include names of officers/agents if known.

D) With the NPC (privacy violations/shaming)

Submit a complaint citing specific data processing acts (e.g., scraping your contacts, publishing your photos/messages).
Attach proof and identify harms (humiliation, threats, extortion).
Request order to cease processing, erasure, and, where appropriate, penalties.

7) Refund & recovery: what actually works

1) Credit/debit card chargebacks

Use the dispute reason “fraud/unauthorized transaction” or “services not rendered” (follow your issuer’s categories).
Provide proof of deception and that you never authorized the charge/OTP (or were tricked).
Networks impose strict time limits from posting date—act quickly.

2) Bank transfer recalls (PESONet/InstaPay)

These are credit-push systems; no automatic reversal. Your bank will send a recall/hold request to the receiving bank.
Success depends on speed, whether funds remain, and recipient consent or bank intervention. A police blotter helps.

3) E-wallet disputes

File in-app/online disputes with reference IDs. Ask the wallet to flag the recipient account and retain logs for law enforcement.
If handling is poor or deadlines lapse, escalate to BSP under RA 11765.

4) Processor/gateway escalation

If you paid a merchant via a gateway, report the merchant as fraudulent. Processors can freeze settlements and assist with chargebacks.

5) Civil recovery

Send a Demand Letter (see §10) asking for a refund and data deletion.
File a Small Claims case (no lawyers required for individuals) if within the current monetary threshold set by the Supreme Court. Bring your documentary evidence and witness statements. (Check the latest small-claims limit and forms before filing.)
For larger claims, consider a civil action for damages (with counsel).

6) Criminal case leverage

Active criminal complaints can pressure perpetrators and intermediaries (e.g., mule account holders) to cooperate with refunds as part of settlement or restitution.

Avoid

“Recovery agents” who ask for fees upfront—this is a common second-wave scam.
Paying “verification” or “release” fees to get your money back—don’t.

8) Dealing with debt-shaming and privacy abuse

Document each abusive message/post (screenshots + URLs + timestamps).
Notify the lender/app to cease and desist from unlawful processing/harassment; demand erasure of your data.
Complain to the NPC (privacy violations) and SEC (unfair collection by lending/financing companies).
Report platforms (Facebook, Messenger, WhatsApp, SMS spam channels) with evidence; request removal.
Consider cyber libel complaints if false statements were published with malice, especially for pressure tactics.

9) Special scenarios & tips

Identity-theft loans in your name: Immediately dispute with the bank/e-wallet; submit ID theft affidavit, police blotter, and any proof of compromised credentials. Ask the lender to block and purge the fraudulent account under the DPA. Monitor your credit report (Credit Information Corporation and private bureaus).
SIM swap / OTP compromise: Ask your telco to flag the SIM, issue a new SIM, and provide a usage log to law enforcement upon proper request.
Cross-border actors: Focus on payment trails and local mule accounts; coordinate with PNP/NBI. Recovery is harder—prioritize chargebacks/recalls and platform takedowns.
Business victims: Keep Board/Partner resolutions authorizing representatives; preserve internal control logs (who approved payments, from which device/IP).

10) Ready-to-use templates (fill in your facts)

A) Incident timeline (attach to all complaints)

VICTIM: [Full Name], [Address], [Contact], [ID No.]
INCIDENT: Online Loan Scam / Fraud
SUMMARY: [One-paragraph overview]

TIMELINE
[YYYY-MM-DD HH:MM] [Event; include platform/app; who said what; file names]
[YYYY-MM-DD HH:MM] [Transaction; amount; reference no.; sending bank/wallet; recipient bank/wallet; account name/number]
[YYYY-MM-DD HH:MM] [Call with Bank; case no.; advice given]
[YYYY-MM-DD HH:MM] [Report filed; case no.; officer name]
...
LOSSES: [₱ amount]; NON-MONETARY HARM: [harassment, reputational harm]
ATTACHMENTS INDEX: [A-1 screenshots], [A-2 statements], [A-3 chats], etc.

B) Demand letter to the scammer or offending app (send via email/app chat/postal if available)

[Date]

[Name/Handle/App Operator, if known]
[Address/Email/URL]

RE: DEMAND TO CEASE UNLAWFUL ACTS, DELETE PERSONAL DATA, AND REFUND

I was induced by your misrepresentations to [apply/pay] on [date] via [app/platform], resulting in loss of ₱[amount]. Your acts constitute estafa under Art. 315 of the Revised Penal Code, violations of the Data Privacy Act (RA 10173), and (if applicable) unfair collection practices prohibited for lending/financing companies.

DEMANDS:
1) Refund ₱[amount] to [bank/e-wallet details] within [5] days.
2) Immediately cease data processing, harassment, and contact of third parties; delete my data and confirm in writing.
3) Preserve all logs, account records, IP/device data for law enforcement.

Absent compliance, I will pursue criminal, civil, and regulatory remedies with PNP/NBI, SEC, NPC, BSP, and relevant platforms.

Sincerely,
[Name]
[ID No.; Contact]

C) Bank/e-wallet dispute letter (attach forms as required)

[Date]

Consumer Assistance / Disputes
[Bank/E-Wallet/Card Issuer]

RE: FRAUD DISPUTE – [Acct/Card No. masked], Txn Ref [XXXX]

I dispute the transaction(s) below as unauthorized/fraud-induced:
- [Date/Time – Amount – Merchant/Recipient – Ref No.]

Facts: [short narrative: phishing/app scam/identity theft, no OTP willingly shared, or coercion].
Attached: timeline, screenshots, police/NBI case receipt, ID.

Please process a chargeback/recall and block related recipients. Kindly provide written acknowledgment and the case number.

[Name, Signature, Contact]

D) Complaint-Affidavit (for PNP-ACG/NBI) – skeleton

I, [Name], Filipino, of legal age, after having been duly sworn, depose and state:

1. I am the victim of online fraud committed by [Name/Unknown] using [app/platform/number/email].
2. On [dates], respondents deceived me into [act], causing loss of ₱[amount] and harassment.
3. The acts constitute violations of [Art. 315 RPC estafa], [RA 10175 cybercrime], [RA 10173 DPA], [RA 9474/SEC rules on unfair collection], and other applicable laws.
4. Attached are Annexes “A” to “__” (screenshots, transaction records, chat exports, device logs, etc.).
5. I respectfully pray that respondents be investigated and charged; that subpoenas be issued to [banks/wallets/telcos/platforms] to preserve/produce logs and KYC data; and that restitution be sought.

[Signature over printed name]
[Government ID details]

11) Do’s and Don’ts

Act within hours, not days.
Keep your evidence index tidy; number your files.
Use official channels; ask for case numbers.
Follow up in writing; keep a communications log.

Don’t

Pay “release/verification” fees.
Share OTP, full card/PIN, or selfie-video “verification.”
Let anyone remote-control your phone/PC unless it’s your bank’s verified support—and even then, be cautious.
Trust “recovery agencies” that guarantee refunds.

12) Quick checklist (printable)

Freeze card/accounts; change passwords; enable 2FA
File bank/e-wallet dispute; request recall/chargeback
Create timeline; collect screenshots/records
File PNP-ACG/NBI complaint (get case/DR number)
Report to SEC (illegal lender/unfair collection)
Complain to NPC (privacy/shaming)
Report numbers/content to telco/platforms
Send Demand Letter (optional but useful)
Consider Small Claims/civil case if no refund
Monitor credit reports; watch for new activity

13) FAQs

Q: I paid via InstaPay to a personal account. Can I still get my money back? Possibly—your bank can request a recall from the receiving bank. Success depends on speed, whether funds remain, and cooperation. File a police blotter and provide it to both banks.

Q: The lender is registered, but they’re harassing me. Registration does not excuse unfair collection or privacy violations. Report to SEC and NPC with evidence.

Q: They posted defamatory content about me. Preserve evidence, request takedown, and consider cyber libel and DPA complaints. Do not retaliate online.

Q: Do I need a lawyer? Not to start complaints or small claims (subject to the Court’s rules), but legal counsel can greatly help with strategy, settlement, and multi-agency coordination.

Final note

You’ll get the best results by moving fast, preserving proof, and working parallel tracks: (1) bank/e-wallet dispute; (2) criminal report (PNP-ACG/NBI); (3) regulator complaint (SEC/NPC/BSP); (4) civil demand/claim if needed.