A phishing link from an online lending app can put your money, identity, phone contacts, and reputation at risk very quickly. In the Philippines, these links often arrive through SMS, Facebook Messenger, Viber, WhatsApp, email, or app notifications pretending to be from a lending company, collection agent, “SEC-registered” loan app, or borrower verification page. This guide explains what to do first, where to report the phishing link, what evidence to save, and which Philippine laws and agencies apply.
What Counts as a Phishing Link from an Online Lending App?
A phishing link is a fake or malicious link designed to trick you into giving personal information, installing a harmful app, or authorizing access to your accounts.
In online lending app cases, the link may claim that you need to:
- “verify” your loan account;
- “settle” an overdue loan through a payment page;
- download an APK file outside Google Play or the App Store;
- update your ID, selfie, bank account, GCash, Maya, or card details;
- stop harassment by clicking a “removal” or “blacklist clearing” link;
- view a fake subpoena, barangay complaint, police report, or court case;
- apply for an instant loan through an unverified app.
The warning signs are familiar: urgency, threats, strange shortened URLs, misspelled domains, links sent from personal mobile numbers, or requests for OTPs, passwords, PINs, card numbers, IDs, or face-verification videos.
The Bangko Sentral ng Pilipinas describes phishing as messages that ask users to click links to spoofed or fake websites to enter personal, bank, credit card, or password information, and advises consumers not to click links or attachments in such messages.
Why This Is a Serious Legal Issue in the Philippines
Phishing from online lending apps may involve more than one legal violation. The same incident can be a cybercrime, a data privacy violation, an unfair debt collection practice, a financial account scam, or ordinary fraud.
Cybercrime and identity theft
Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, covers computer-related fraud and computer-related identity theft. Identity theft includes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person without right. (Lawphil)
This matters when a phishing link captures your name, ID, selfie, login credentials, OTP, contact list, or e-wallet details.
Financial account scamming
Republic Act No. 12010, or the Anti-Financial Account Scamming Act (AFASA), signed in 2024, penalizes financial account scamming, including social engineering schemes. The law covers deception through electronic communications to obtain sensitive identifying information, including usernames, passwords, bank account details, credit card details, e-wallet information, and other credentials. (Lawphil)
AFASA is especially relevant if the phishing link led to unauthorized transfers, e-wallet withdrawals, or use of mule accounts.
Data privacy violations
Republic Act No. 10173, or the Data Privacy Act of 2012, penalizes unauthorized processing of personal information and sensitive personal information. (Lawphil)
For lending apps, this often involves excessive access to contacts, photos, SMS, location, device storage, or IDs. The NPC, DICT, and SEC have reminded online lending platforms that unnecessary app permissions, unauthorized or excessive contact-list processing, contacting non-guarantor contacts, harassment, public shaming, and unfair collection practices are prohibited.
Lending and financing company rules
Online lending platforms are regulated through the SEC when they involve lending companies, financing companies, and their online platforms. Lending companies are governed by Republic Act No. 9474, the Lending Company Regulation Act of 2007, while financing companies are governed by Republic Act No. 8556, the Financing Company Act of 1998. (Lawphil)
The SEC’s online lending rules include prohibitions on unfair debt collection practices and requirements for reporting online lending platforms. The 2026 joint DICT-NPC-SEC advisory specifically directs unfair debt collection complaints to the SEC Financing and Lending Companies Department through the SEC complaint portal.
Estafa, threats, and access-device fraud
Depending on the facts, phishing links may also involve:
- Estafa under Article 315 of the Revised Penal Code, when deceit causes financial damage;
- grave threats or coercion, when collectors or scammers threaten harm, public shame, or illegal action;
- access device fraud under Republic Act No. 8484, as amended by Republic Act No. 11449, when cards, account numbers, PINs, access codes, or similar account-access tools are misused. RA 8484 defines an access device broadly to include cards, codes, account numbers, PINs, and other means of account access used to obtain money or initiate fund transfers. (Lawphil)
What to Do Immediately Before Reporting
Do these first, especially if you clicked the link or installed something.
Do not enter any information. Stop if the page asks for OTP, PIN, password, ID upload, selfie, card details, or e-wallet login.
Disconnect and secure your accounts. Change passwords for email, banking apps, e-wallets, social media, and loan apps. Turn on multi-factor authentication.
Call your bank or e-wallet through the official app or hotline. Do not use numbers shown on the suspicious link. BSP guidance says unauthorized or suspicious transactions should be reported to the bank or financial institution immediately.
Revoke app permissions. On Android or iPhone, check app permissions for contacts, camera, files, SMS, microphone, phone, location, and notifications. Remove permissions that are not needed.
Uninstall suspicious APKs. If you installed an APK from a link, uninstall it and run a device security scan. Consider backing up important files and resetting the phone if you see unauthorized logins, pop-ups, or remote-control behavior.
Do not delete the messages. Screenshots help, but investigators often prefer original messages, email headers, transaction records, URLs, sender numbers, and timestamps.
Warn contacts if your contact list was accessed. Tell them not to believe messages claiming you owe money, are under investigation, or used them as guarantors unless they personally consented.
Where to Report Phishing Links from Online Lending Apps
Different agencies handle different parts of the problem. In practice, many victims report to more than one office because a single phishing incident can involve scam operations, data privacy violations, financial loss, and lending-company misconduct.
| Situation | Report to | Why |
|---|---|---|
| You received a phishing link, scam message, or malicious URL | CICC / DICT Cyber Hotline 1326 | Central cyber incident reporting and referral |
| Money was taken from your bank or e-wallet | Bank/e-wallet first, then BSP if unresolved, and law enforcement | Account freezing, dispute, fraud investigation |
| The sender is an online lending app or collector | SEC Financing and Lending Companies Department | SEC supervises lending and financing companies |
| Contacts were harvested, shamed, or harassed | NPC and SEC | Data privacy and unfair collection issues |
| You need a criminal investigation | PNP Anti-Cybercrime Group or NBI Cybercrime Division | Evidence preservation, tracing, case build-up |
| Link came through SMS/text scam | NTC and telco | Blocking or referral to telcos and agencies |
The joint DICT-NPC-SEC advisory lists these reporting channels for abusive online lending behavior: SEC I-Message Mo portal for unfair debt collection, DICT cyber hotline email, NBI Cybercrime Division, and PNP Anti-Cybercrime Group.
Step-by-Step Guide to Reporting
Step 1: Prepare your evidence
Before filing, organize your evidence in one folder.
Include:
- screenshot of the phishing message showing the sender’s number, username, or email;
- the full phishing URL, not just the preview;
- date and time received;
- name of the lending app, website, or Facebook page;
- app store link or APK source, if any;
- screenshots of permissions requested by the app;
- screenshots of threats, harassment, or public shaming;
- proof of loan application, loan agreement, payment receipts, or transaction history;
- bank or e-wallet transaction reference numbers;
- your valid ID;
- contact details where investigators can reach you.
For emails, save the full email and, if possible, the email headers. For SMS, keep the original message on the phone until the report is acknowledged.
Step 2: Report urgent scam activity to CICC / Hotline 1326
For phishing links, scam messages, malicious URLs, online harassment, and cyber fraud, call 1326, the Inter-Agency Response Center hotline. ScamWatch Pilipinas, associated with CICC reporting, lists 1326 and alternative I-ARC numbers for Smart, Globe, and DITO users. (ScamWatch Pilipinas)
Use this when:
- the link is still active;
- many people may be receiving the same message;
- money was recently transferred;
- the sender is still communicating with you;
- you need guidance on where the report should be routed.
Step 3: Report lending-company misconduct to the SEC
If the phishing link appears connected to a lending company, financing company, online lending app, or collection agency, submit a complaint through the SEC’s I-Message Mo portal. The SEC portal allows users to open a new ticket, submit a complaint, and check ticket status. (Securities and Exchange Commission)
Report to the SEC when the issue involves:
- fake or unregistered lending app operations;
- hidden fees or misleading loan terms;
- threats from collectors;
- use of your contacts for collection;
- public shaming;
- impersonation of SEC, police, courts, or barangay officials;
- phishing links sent as part of collection pressure.
Be specific in the complaint. State whether you actually borrowed money, only applied, never borrowed, or were contacted because someone else listed you as a reference.
Step 4: Report data privacy violations to the NPC
File with the National Privacy Commission if the lending app or collector:
- accessed your contact list without a valid purpose;
- contacted your friends, employer, relatives, or co-workers even if they were not guarantors;
- posted or threatened to post your personal information;
- used your ID, selfie, or messages for harassment;
- continued processing your data after the legitimate purpose ended;
- forced consent through deceptive app design.
The NPC requires a formal complaint in a specific format. Its complaint process states that the complaint form should be downloaded, printed, filled out, notarized, then submitted in person, by courier, or by scanned email to the NPC complaints address. (National Privacy Commission)
The NPC also announced that a new Complaint-Affidavit template took effect on 1 July 2025, and that the previous version would no longer be accepted after the transition period. (National Privacy Commission)
For fees, NPC Circular No. 2023-01 lists a ₱500 filing fee for complaints, plus possible additional fees for damage claims, motions, cease-and-desist applications, and related requests. It also provides exemptions for qualified indigent litigants who submit the required barangay certificate, affidavits, and supporting tax declaration if any.
Step 5: File a cybercrime complaint with PNP ACG or NBI
Use law enforcement when there is identity theft, unauthorized account access, financial loss, threats, extortion, or repeated harassment.
The NBI Cybercrime Division citizen’s charter states that complainants fill out a complaint form and submit it to the division personnel, and that complaints are monitored, evaluated, and compiled. (National Bureau of Investigation)
The NBI website lists its Cybercrime Division and official division email, while the 2026 DICT-NPC-SEC advisory lists the NBI Cybercrime Division email and telephone numbers for online lending-related scams. (National Bureau of Investigation)
For PNP ACG, official government responses and the DICT-NPC-SEC advisory point complainants to the PNP Anti-Cybercrime Group email, e-complaint channel, and contact numbers for cybercrime complaints. (www.foi.gov.ph)
Expect law enforcement to ask for:
- your government ID;
- a written complaint or sworn statement;
- screenshots and original messages;
- transaction records;
- device details;
- sender numbers, URLs, account names, and payment destinations.
Some cases start online, but investigators may still require personal appearance for verification, affidavit execution, or digital forensic handling.
Step 6: Report SMS phishing to NTC and your telco
If the phishing link came by text message, report it to the National Telecommunications Commission and your mobile provider.
NTC guidance for text scam complaints requires a valid ID and an image of the text spam or scam showing the cellphone number, with submission through the NTC text scam reporting page, email, or the nearest regional office. NTC also explains that its role is generally to receive the complaint and endorse it to telcos or concerned agencies for blocking or appropriate action. (www.foi.gov.ph)
Step 7: Escalate bank or e-wallet disputes properly
If your account was charged or drained, report first to the bank, e-wallet, or payment provider. Ask for:
- ticket or reference number;
- temporary account hold or card blocking;
- reversal or dispute process;
- copy of transaction details;
- destination account or merchant details, if available.
If the financial institution is BSP-supervised and the issue remains unresolved, BSP says consumers should first report to the institution’s Financial Consumer Protection Assistance Mechanism, then escalate through the BSP Online Buddy or by CIR form if needed.
For fraud or scam cases, BSP also encourages reporting to law enforcement agencies such as PNP, NBI, or CICC, and notes that online lending app and collection agency complaints are best directed to the SEC.
Practical Evidence Checklist
| Evidence | Why it matters |
|---|---|
| Screenshot of message with sender number or account | Shows source and timing |
| Full URL or copied link | Helps agencies block or trace the phishing site |
| App name, package name, or APK file name | Helps identify fake or unregistered lending apps |
| App permissions screenshot | Supports data privacy complaint |
| Loan agreement or application screenshot | Shows relationship, if any, with the lending platform |
| Payment receipts and reference numbers | Helps trace funds |
| Bank/e-wallet dispute ticket | Shows you reported promptly |
| Threats or shaming posts | Supports SEC, NPC, and criminal complaints |
| Contact-list harassment screenshots from friends | Shows third-party harassment |
| Valid ID | Common requirement for formal complaints |
Common Mistakes That Weaken Reports
Deleting the original message
A screenshot is useful, but original SMS, email, or chat data is better. Keep the original message until the report is filed and acknowledged.
Clicking the link again “to check”
Do not revisit the link from your main phone. It can trigger tracking, malware download, or additional credential theft.
Sending your ID to strangers who claim to be investigators
Real agencies do not investigate through random private messages asking for your OTP, PIN, password, or full card details. BSP specifically warns consumers not to share PINs, passwords, account numbers, card numbers, passports, or IDs unnecessarily in complaint processing.
Reporting only to Facebook or the app store
Platform reports can help remove pages or apps, but they do not replace reports to SEC, NPC, CICC, PNP, NBI, NTC, or your bank/e-wallet.
Assuming a “registered company” can do anything to collect
Even legitimate lenders cannot harass, shame, threaten, or contact non-guarantor contacts for debt collection. The DICT-NPC-SEC advisory states that contacting persons on the borrower’s contact list other than named guarantors is prohibited for debt collection.
Treating all contacts as guarantors
A character reference is not automatically a guarantor. The 2026 advisory states that guarantors must have expressly consented to assume responsibility for the loan in case of default.
Timelines and What to Expect
Reporting phishing links is usually faster than building a full criminal case.
| Process | Typical practical timeline |
|---|---|
| CICC / Hotline 1326 report | Immediate intake or referral, depending on volume |
| Bank/e-wallet blocking | Same day is ideal for urgent fraud reports |
| SEC complaint ticket | Online submission first; review and routing may take days to weeks |
| NPC formal complaint | Longer because of form, notarization, fees, and evaluation |
| NBI or PNP cybercrime complaint | Initial intake can be quick, but investigation may take weeks or months |
| NTC text scam report | Intake and referral/blocking process depends on telco and agency action |
Delays often happen because screenshots are incomplete, the URL is no longer active, the victim deleted the original message, the sender used fake accounts, or the money passed through multiple mule accounts.
Special Notes for OFWs, Foreigners, and People Outside the Philippines
You can still report phishing links connected to Philippine online lending apps even if you are outside the Philippines.
Practical points:
- Use email or online complaint channels first.
- Keep Philippine phone numbers active if the messages were sent there.
- Save timestamps with timezone.
- If a sworn complaint-affidavit is required, ask the receiving agency what form of notarization it will accept.
- If you executed a document abroad, formal use in the Philippines may require consular notarization or proper authentication depending on the document and the agency’s instructions.
- If your Philippine bank, e-wallet, or SIM is involved, report to that provider immediately even while abroad.
Foreigners who were targeted by a Philippine lending app should include passport or government ID details only in secure official submissions, not through links sent by collectors or unknown “agents.”
Frequently Asked Questions
Can I report a phishing link even if I did not lose money?
Yes. Report it, especially if the link impersonates a lending app, asks for OTPs or IDs, installs an APK, or is being sent to many people. Early reporting helps agencies and telcos block links before more victims are affected.
Which agency should I report to first?
For an active phishing or scam link, start with CICC / Hotline 1326. If money moved, contact your bank or e-wallet immediately. If the link is connected to an online lending app or collection activity, report to the SEC. If your personal data or contacts were misused, report to the NPC. For criminal investigation, report to PNP ACG or NBI Cybercrime Division.
Is it illegal for a lending app to access my contacts?
A lending app cannot freely harvest and use your entire contact list for collection. The 2026 DICT-NPC-SEC advisory says excessive or disproportionate processing of contact lists is prohibited, and lenders may contact only guarantors for debt collection.
What if the lending app says my contacts agreed to be guarantors?
A guarantor must give separate consent to assume responsibility if the borrower defaults. Merely being listed as a character reference does not automatically make someone a guarantor.
Can I file an NPC complaint by email?
Yes, but the NPC process requires the complaint in the proper format, with the form filled out and notarized, then submitted in person, by courier, or by scanned email. (National Privacy Commission)
Do I need a lawyer to report a phishing link?
For initial reports to CICC, NTC, SEC, your bank, PNP ACG, or NBI, you can usually prepare and submit the report yourself. For a formal NPC complaint, criminal complaint-affidavit, damages claim, or complex case involving multiple victims, legal assistance can help organize facts, evidence, and claims.
What if the online lending app is not SEC-registered?
Report it to the SEC and CICC. The SEC regulates lending and financing companies, and unregistered online lending operations may face enforcement action. The 2026 advisory also notes that violations can lead to fines, suspension, revocation of authority to operate, and other penalties.
Should I pay the amount demanded to stop the harassment?
Do not pay through a suspicious link or personal account without verifying the lender and the debt. If you owe a legitimate debt, ask for official billing, statement of account, and payment channels under the registered company name. If the demand includes threats, public shaming, or phishing links, preserve evidence and report it.
Can the police trace the person behind the link?
Sometimes, but tracing takes time and depends on available evidence, platform cooperation, telco records, financial account records, and whether accounts used were fake, stolen, or mule accounts. Fast reporting improves the chance of preserving digital trails.
What if my friends or employer received shame messages about me?
Ask them to screenshot the messages showing sender, date, time, and content. Their screenshots can support your SEC complaint for unfair collection, NPC complaint for misuse of personal data, and possible criminal complaint for threats, harassment, identity misuse, or cyber-related offenses.
Key Takeaways
- A phishing link from an online lending app should be treated as a cybercrime and data-risk incident, not just a nuisance message.
- Do not click, install APKs, enter OTPs, or upload IDs through suspicious loan links.
- Report urgent scams to CICC / Hotline 1326, financial loss to your bank or e-wallet, lending-app misconduct to the SEC, data misuse to the NPC, SMS scams to NTC, and criminal conduct to PNP ACG or NBI.
- Preserve original messages, full URLs, screenshots, transaction references, app details, and proof of harassment.
- Lending apps and collectors cannot freely use your contact list, shame you publicly, or contact non-guarantors for debt collection.
- Fast reporting matters because phishing pages, SIMs, mule accounts, and fake pages can disappear quickly.