I. Introduction
Phishing by SMS—commonly called “smishing”—is one of the most common forms of cyber-fraud in the Philippines. It usually appears as a text message pretending to come from a bank, e-wallet, telecom provider, delivery company, government agency, lending app, lottery, job recruiter, or other trusted entity. The message typically pressures the recipient to click a link, disclose personal information, enter an OTP, install an app, transfer money, or “verify” an account.
In Philippine law, phishing SMS is not merely an inconvenience. Depending on its content and result, it may involve cybercrime, fraud, identity theft, spoofing, misuse of registered SIMs, financial-account scamming, violations of data privacy rights, or traditional crimes such as estafa. Reporting the message promptly helps preserve evidence, block abusive numbers or domains, alert affected institutions, and support criminal or regulatory action.
This article explains how a person in the Philippines may report phishing SMS, which agencies may receive reports, what evidence to preserve, what laws may apply, and what remedies may be available.
II. What Counts as Phishing SMS?
A phishing SMS is a text message that uses deception to obtain money, personal data, account credentials, financial information, OTPs, passwords, PINs, or access to digital accounts.
Common examples include messages saying:
- “Your bank account is locked. Click this link to verify.”
- “Your GCash/Maya account will expire today.”
- “You have unclaimed rewards or points.”
- “Your package cannot be delivered unless you pay a fee.”
- “You were selected for a job. Submit your ID and bank details.”
- “Your SIM will be deactivated unless you update your registration.”
- “You won a prize. Pay processing charges first.”
- “Your account has suspicious activity. Enter your OTP here.”
The message may come from an ordinary mobile number, a spoofed sender name, an alphanumeric sender ID, a messaging app, or even a thread that appears to belong to a legitimate company. Some scams use fake links that closely resemble real domains. Others avoid links and instead instruct the victim to call, reply, send money, or move the conversation to another platform.
III. Immediate Steps Before Reporting
The recipient should first protect evidence and accounts. Do not click the link. Do not reply. Do not send OTPs, passwords, PINs, card numbers, account numbers, IDs, selfies, or personal data. Do not install any app from a link in the message.
Preserve the evidence by taking screenshots showing the sender, phone number or sender ID, message content, date, time, embedded link, and any follow-up conversation. If money was lost, save receipts, transaction reference numbers, account names, wallet numbers, bank transfer details, screenshots of unauthorized transactions, emails, call logs, and any communication with the scammer.
If the link was clicked, immediately change passwords, revoke suspicious sessions, enable multi-factor authentication, scan the device for malware, and contact the affected bank, e-wallet, or service provider. If an OTP or password was disclosed, treat the account as compromised.
IV. Where to Report Phishing SMS
A. Report to the National Telecommunications Commission
The National Telecommunications Commission is the primary telecommunications regulator. For phishing SMS, spam, scam texts, illegal messages, or threatening texts, a report may be filed through the NTC’s text scam or spam reporting channel. The NTC’s role generally includes receiving the complaint and endorsing it to the relevant public telecommunications entity or other concerned agency for blocking or appropriate action.
A typical NTC report should include:
- A copy of a valid government-issued ID, or other accepted identification if no government ID is available;
- A screenshot or image of the text scam or spam, including the sender’s number or sender ID;
- The complainant’s contact details;
- A short description of the incident; and
- Any link, number, account, or website used in the phishing attempt.
The NTC report is especially useful where the objective is to document the abusive number, trigger possible blocking or investigation by the telecom provider, and alert regulators to scam patterns.
B. Report to the Telecom Provider
The victim should also report the message to the telecom provider. Telecom providers generally maintain anti-spam or anti-scam reporting portals, mobile-app reporting tools, or customer-service channels. The report should include screenshots, sender number, date and time received, and the suspicious link.
Reporting to the telecom provider is practical because the provider may be able to block numbers, investigate sender IDs, disable SIMs used for abuse, or coordinate with regulators and law enforcement.
C. Report to the Cybercrime Investigation and Coordinating Center
The Cybercrime Investigation and Coordinating Center is a national cybercrime coordination body. Reports of online scams may be made through its public scam-reporting channels, including the Inter-Agency Response Center hotline. This is especially appropriate where the phishing SMS forms part of a broader online scam, account takeover, investment scam, fake job scam, fake marketplace transaction, or financial fraud.
A CICC report should contain screenshots, links, phone numbers, account identifiers, transaction records, names used by the scammer, and a short chronology of events.
D. Report to Law Enforcement: PNP ACG or NBI Cybercrime Division
If the incident involves actual loss of money, identity theft, account takeover, threats, extortion, unauthorized transactions, use of personal data, or a continuing criminal scheme, the victim should consider filing a criminal complaint with law enforcement.
The usual agencies are:
- Philippine National Police Anti-Cybercrime Group; and
- National Bureau of Investigation Cybercrime Division.
A law-enforcement report should be supported by a clear complaint narrative and evidence. The victim should bring or prepare screenshots, device details, transaction records, bank or e-wallet statements, reference numbers, links, phone numbers, account names, account numbers, email addresses, IP-related information if available, and communications with the scammer.
For serious losses, it is better to report quickly because digital evidence may disappear, accounts may be emptied, SIMs may be discarded, and scam websites may be taken down.
E. Report to the Bank, E-Wallet, or Financial Institution
If the phishing SMS involves a bank account, credit card, debit card, e-wallet, online lending account, remittance account, or other financial service, the victim should immediately report to the financial institution. This may allow the institution to freeze an account, reverse or hold a transaction if still possible, block a card, disable online access, investigate mule accounts, or issue a dispute case number.
The report should include:
- Date and time of the phishing SMS;
- Screenshot of the SMS and link;
- Date and time of unauthorized transaction;
- Amount lost;
- Transaction reference number;
- Recipient account, wallet, bank, or merchant;
- Any OTP, PIN, or login details that may have been compromised; and
- Steps already taken by the victim.
The victim should ask for a case or ticket number and retain all communications with the institution.
F. Report to the Bangko Sentral ng Pilipinas When a Regulated Financial Institution Is Involved
The Bangko Sentral ng Pilipinas regulates banks and certain financial institutions. If the concern involves how a bank, e-wallet issuer, or other BSP-supervised financial institution handled the complaint, the victim may use BSP consumer assistance channels. BSP guidance also encourages scam or fraud victims to report to law enforcement agencies such as the PNP, NBI, or CICC because these agencies have authority to commence formal investigation.
The BSP route is not a substitute for a criminal complaint. It is most relevant where the complaint concerns the conduct, response, or consumer-redress handling of a supervised financial institution.
G. Report to the National Privacy Commission When Personal Data Rights Are Violated
If the phishing SMS involves misuse, malicious disclosure, unauthorized processing, or improper disposal of personal information, the National Privacy Commission may be relevant. This may apply where the scammer used personal data that appears to have been leaked, where an institution mishandled personal information, or where a data subject’s privacy rights were violated.
An NPC complaint generally requires a formal complaint in the required format, supporting evidence, and compliance with the NPC’s filing rules. The NPC process is particularly relevant where the issue is not only the scam itself, but also how personal data was obtained, exposed, misused, or inadequately protected.
V. Legal Framework
A. Cybercrime Prevention Act
Republic Act No. 10175, the Cybercrime Prevention Act of 2012, is the central Philippine law on cybercrime. Phishing SMS may fall under several cybercrime-related theories depending on the facts.
Computer-related fraud may be involved where deception through a computer system or communication technology causes damage or results in unlawful gain. Computer-related identity theft may be involved where identifying information is intentionally acquired, used, misused, transferred, possessed, altered, or deleted without right. Illegal access or misuse of devices may also arise in more technical cases, such as malicious links, malware, credential theft, or account takeover.
The law is important because phishing SMS often uses communication technology as the means to commit fraud or obtain personal and financial information.
B. Revised Penal Code: Estafa and Related Offenses
Where the phishing SMS causes the victim to part with money, property, or credit through deceit, the conduct may also constitute estafa under the Revised Penal Code. The use of SMS or online platforms may affect how the offense is investigated and prosecuted, but the essence remains deceit and damage.
A victim who transferred money because of a fake bank warning, fake parcel fee, fake job opportunity, fake investment opportunity, or fake account-verification link may have a potential estafa complaint, depending on the evidence.
C. SIM Registration Act
Republic Act No. 11934, the SIM Registration Act, requires registration of SIMs as a prerequisite to activation. The law and its implementing rules are relevant because many phishing SMS schemes use prepaid SIMs, mule SIMs, or falsely registered identities.
The Act also recognizes “spoofing,” referring to misleading or inaccurate information about the source of a call or text message with intent to defraud, cause harm, or wrongfully obtain anything of value. Spoofing is important in phishing SMS because scammers often impersonate legitimate senders, banks, e-wallets, delivery services, government agencies, or telecom providers.
A report to the NTC or telecom provider can therefore support regulatory action against abusive SIMs and sender identities.
D. Anti-Financial Account Scamming Act
Republic Act No. 12010, the Anti-Financial Account Scamming Act, is relevant where phishing SMS is used to obtain access to bank accounts, e-wallets, or other financial accounts, or where accounts are used as mule accounts to receive or move scam proceeds.
The law addresses financial-account scamming and related enforcement mechanisms. It is particularly important in cases involving social engineering, account takeover, unauthorized fund transfers, money-mule activity, and fraudulent use of financial accounts.
A phishing SMS that tricks a person into revealing credentials, OTPs, or account access may therefore implicate both cybercrime law and financial-account scamming law.
E. Data Privacy Act
The Data Privacy Act may become relevant when the scam involves personal information, sensitive personal information, unauthorized disclosure, misuse of personal data, or failure of an organization to protect personal data. Not every phishing SMS automatically creates a data privacy case, but many phishing incidents involve personal data.
For example, privacy issues may arise where the message includes the victim’s full name, account details, address, ID number, loan information, or other data that suggests a leak or unauthorized processing. A complaint to the NPC may be appropriate when the grievance is against a personal information controller or processor, or when the victim’s data privacy rights were violated.
VI. What Evidence Should Be Collected?
A strong report should contain enough facts to allow the regulator, financial institution, or law-enforcement agency to understand what happened.
The victim should collect:
- Screenshot of the phishing SMS;
- Sender number or sender ID;
- Date and time received;
- Full text of the message;
- URL or link, if any;
- Screenshots of the website, if safely available and already opened;
- Phone number, email, account name, bank account, e-wallet number, or social media account used by the scammer;
- Transaction receipts and reference numbers;
- Bank or e-wallet statements;
- Call logs;
- Emails or chat messages;
- Proof of identity;
- Timeline of events;
- Names of institutions impersonated; and
- Any report ticket numbers from banks, telcos, NTC, CICC, PNP, NBI, BSP, or NPC.
Evidence should not be altered. Screenshots should be clear and complete. If possible, export or preserve message details. Do not delete the SMS until the report has been completed and the investigating authority says it is no longer needed.
VII. Suggested Reporting Sequence
The correct sequence depends on the seriousness of the incident.
A. If the SMS Was Received but No Link Was Clicked and No Money Was Lost
The recipient should report to the telecom provider and NTC. The report should include the sender, screenshot, date and time, and suspicious link. The recipient may also report to CICC if the message appears to be part of a larger scam campaign.
B. If the Link Was Clicked but No Information Was Submitted
The recipient should close the page, avoid further interaction, clear suspicious downloads, check the device, change passwords for any potentially affected account, enable multi-factor authentication, and report the SMS to the telecom provider, NTC, and relevant impersonated institution.
C. If Personal Information, OTP, Password, or PIN Was Entered
The victim should immediately contact the affected bank, e-wallet, telecom provider, or online service. Passwords should be changed, sessions revoked, cards blocked if necessary, and account security reviewed. The victim should report to NTC, the telecom provider, and CICC. If account takeover or unauthorized access occurred, the victim should consider filing with PNP ACG or NBI Cybercrime Division.
D. If Money Was Lost
The victim should immediately contact the bank, e-wallet, or financial institution and ask whether the transaction can be frozen, reversed, held, or investigated. The victim should obtain a case number. The victim should then file a report with law enforcement, such as PNP ACG or NBI Cybercrime Division, and may also report to CICC. The NTC and telecom provider should still be notified about the phishing SMS and sender. BSP consumer channels may be considered if a BSP-supervised institution is involved and consumer redress is needed.
E. If the Message Suggests a Personal Data Leak
The victim should preserve the message and determine what personal data appears in it. If the message contains unusually specific personal information, or if there is reason to believe an organization mishandled personal data, a complaint to the NPC may be appropriate.
VIII. Draft Complaint Narrative
A concise complaint narrative may read as follows:
“I respectfully report a phishing SMS that I received on [date] at approximately [time] from [sender number/sender ID]. The message claimed to be from [institution] and instructed me to [click a link/provide information/pay a fee/verify my account]. The message contained the following link: [link]. I believe the message is fraudulent because [reason]. I have attached screenshots of the message showing the sender, date, time, and content. If applicable: After following the instructions, I discovered unauthorized transactions amounting to [amount], with transaction reference number [reference number]. I request appropriate action, including investigation, blocking of the number or sender, preservation of relevant records, and referral to the appropriate agency.”
For financial-loss cases, the victim should add a detailed transaction chronology. For privacy cases, the victim should identify the personal data involved and why its use appears unauthorized.
IX. Practical Tips for Stronger Reports
Reports are more effective when they are specific. A vague statement such as “I received a scam text” is less useful than a report showing the exact sender, date, time, text, link, and institution impersonated.
The victim should avoid forwarding suspicious links in a way that may accidentally expose others. It is better to provide screenshots and plain-text details in the official report form. If a government agency or bank asks for the link, provide it only through the official channel.
The victim should also keep a record of every report filed. Save the date of filing, agency name, ticket number, email confirmation, screenshots of submitted forms, and names of personnel spoken to.
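One way to act on the advice in Parts VI and IX (keep evidence unaltered, and quote suspicious links without exposing others) is a small tamper-evident evidence record. This is an added example, not part of the original article or any agency's tooling. The field names, function names, and the `hxxp`/`[.]` defanging convention are assumptions, and the sample message, number, domain, and screenshot bytes are constructed.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

PHT = timezone(timedelta(hours=8))  # Philippine time, UTC+8
TRAILING = ".,;:!?)"  # sentence punctuation, not part of a link
URL_RE = re.compile(  # http(s)/www links and bare "domain.tld/path" links
    r"(?i)(?:https?://|www\.)[^\s<>\"']+"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/[^\s<>\"']*)?")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _digest(fields: dict) -> str:
    return sha256(json.dumps(fields, sort_keys=True).encode("utf-8"))

def defang(url: str) -> str:  # make a link non-clickable before quoting it
    return re.sub(r"(?i)^http", "hxxp", url).replace(".", "[.]")

def _defang_match(m):
    core = m.group(0).rstrip(TRAILING)
    return defang(core) + m.group(0)[len(core):]

def build_record(sender, received_at, body, attachments):
    """Hash the original text and files; keep only defanged links in clear."""
    links = [m.group(0).rstrip(TRAILING) for m in URL_RE.finditer(body)]
    record = {
        "sender": sender,
        "received_at": received_at.astimezone(PHT).isoformat(),
        "message_sha256": sha256(body.encode("utf-8")),
        "message_defanged": URL_RE.sub(_defang_match, body),
        "links_defanged": [defang(u) for u in links],
        "attachments": [{"name": n, "bytes": len(b), "sha256": sha256(b)}
                        for n, b in sorted(attachments.items())],
    }
    record["record_sha256"] = _digest(record)
    return record

def verify(record, body, attachments):
    """List every item that no longer matches the hashes in the record."""
    problems = []
    if sha256(body.encode("utf-8")) != record["message_sha256"]:
        problems.append("message text")
    for att in record["attachments"]:
        data = attachments.get(att["name"])
        if data is None or sha256(data) != att["sha256"]:
            problems.append(att["name"])
    fields = {k: v for k, v in record.items() if k != "record_sha256"}
    if _digest(fields) != record["record_sha256"]:
        problems.append("record fields")
    return problems

# Constructed sample: not a real message, number, domain, or screenshot.
SAMPLE_BODY = "Account locked. Verify: https://secure-bank.example/v?id=1."
SAMPLE_FILES = {"sms_screenshot.png": b"\x89PNG constructed placeholder"}
SAMPLE_TIME = datetime(2024, 1, 15, 9, 30, tzinfo=PHT)

if __name__ == "__main__":
    rec = build_record("+63 900 000 0000", SAMPLE_TIME, SAMPLE_BODY, SAMPLE_FILES)
    print(json.dumps(rec, indent=2), verify(rec, SAMPLE_BODY, SAMPLE_FILES))
```

The record complements the original SMS and screenshots rather than replacing them: the hashes only show that the files later handed to an agency or bank are the same ones captured at the time.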
X. Duties of Caution by the Public
The public should remember that banks, e-wallets, telecom providers, and government agencies generally do not ask for passwords, OTPs, PINs, or full card details through SMS links. A message that creates urgency, threatens deactivation, promises rewards, asks for an OTP, or requires payment through an unofficial account should be treated as suspicious.
Users should access services only through official apps or official websites typed manually into the browser, not through links in suspicious messages. Account security should include strong passwords, multi-factor authentication, transaction alerts, and regular review of authorized devices.
XI. Remedies and Possible Outcomes
Reporting does not always guarantee recovery of money, but it can produce important results. A report may lead to blocking of the number, disabling of a malicious SIM, takedown of a fake website, freezing of a recipient financial account, internal bank investigation, law-enforcement investigation, or prosecution.
In financial cases, speed matters. The sooner the victim reports to the bank or e-wallet, the higher the chance that the transaction can be traced or stopped. In criminal cases, timely reporting helps preserve electronic evidence. In data privacy cases, prompt complaint filing helps establish the timeline and the nature of the personal data misuse.
XII. Conclusion
Phishing SMS in the Philippines should be treated as a legal incident, not merely an annoying text. The proper response is to preserve evidence, secure affected accounts, report to the telecom provider and NTC, escalate to CICC or law enforcement when cybercrime or financial loss is involved, notify the bank or e-wallet immediately, and approach the NPC or BSP when data privacy or financial-consumer issues arise.
A victim’s best protection is speed, documentation, and use of official channels. Every report helps regulators, telecom providers, financial institutions, and law enforcement identify patterns, block malicious infrastructure, and hold offenders accountable.