Here’s a practical, Philippines-specific guide that collects what you need to know about getting your money back after unauthorized online payments—whether it’s a hacked card, a compromised e-wallet, or a rogue bank transfer. This is general information, not legal advice.

How to Request a Chargeback or Refund for Unauthorized Online Payments in the Philippines

The quick answer (TL;DR)

1. Lock it down now: Freeze the card/wallet/account, change passwords, and enable stronger authentication.

2. Preserve evidence: Screenshots, SMS/OTP logs, emails, app notifications, device info, and a copy of your statement.

3. Dispute immediately with your provider:

   • Cards (credit/debit): Ask your issuing bank to raise a chargeback for “fraud/unauthorized—card-not-present.”
   • E-wallets & online bank transfers: File a fraud dispute/recall request with your wallet provider or bank.

4. Get it on record: Ask for a written acknowledgement and a case/reference number.

5. Escalate if needed: Use the provider’s formal complaints process; if unresolved, elevate to the Bangko Sentral ng Pilipinas (BSP) for banks/e-money issuers, or the SEC/Insurance Commission for non-bank lenders/insurers.

6. Consider criminal/civil remedies: For larger losses or mule accounts, file with PNP/NBI Cybercrime. If a merchant is at fault, you may pursue civil claims (including small claims, if within the current threshold).

---

What counts as an “unauthorized online payment”

Any transaction you did not make or meaningfully authorize, including:

• Card-not-present charges (e-commerce, in-app, subscriptions) you didn’t initiate.
• E-wallet or online-bank transfers after account takeover, SIM swap, phishing, or malware.
• Transactions made after you reported your card/device lost/compromised (strong evidence in your favor).

Note: If you typed your own credentials and willingly approved a transfer (e.g., you entered an OTP into a phishing site), providers may argue “customer negligence.” You can still dispute, but your case will hinge on facts like spoofing, social engineering, and the provider’s security controls and disclosures.

---

Your legal and regulatory backdrop (in plain English)

• Financial Products and Services Consumer Protection Act (RA 11765) – Your core rights (fair treatment, disclosure, consumer redress). BSP, SEC, and the Insurance Commission enforce this depending on who your provider is.
• National Payment Systems Act (RA 11127) – BSP oversees payment systems (InstaPay, PESONet, QR Ph) and sets standards for safety and dispute handling.
• Electronic Commerce Act (RA 8792) – Recognizes electronic documents and e-signatures; relevant for evidence and merchant contracts.
• Data Privacy Act (RA 10173) – Personal data breaches must be handled properly; you can complain to the National Privacy Commission (NPC) if your data was mishandled.
• Consumer Act (RA 7394) – DTI enforces consumer protection against deceptive/unfair practices by merchants.
• Access Devices Regulation Act (RA 8484, as amended) – Criminalizes credit/ATM card and access-device fraud (useful when filing cases vs. fraudsters).
• Cybercrime Prevention Act (RA 10175) – Covers computer-related fraud, identity theft, and illegal access.

---

Chargeback vs. refund vs. recall: what’s the difference?

• Chargeback (cards): Your issuing bank pulls the transaction back from the merchant’s bank under card-network rules (e.g., Visa/Mastercard). Strong for unauthorized card-not-present fraud.
• Refund (merchant-initiated): The merchant voluntarily reverses a charge. Fast if they agree; not guaranteed.
• Recall/Return/Reversal (transfers/e-wallets): Your sending bank or wallet requests the recipient bank/wallet to return funds. If the money is still there and fraud indicators exist, a freeze/return is more likely; once withdrawn, recovery is harder.

---

Step-by-step playbooks

A) Credit or debit card (online charge)

1. Block the card (via app/hotline) and request a replacement.

2. Collect evidence: transaction details, screenshots, SMS/OTP logs, device IP (if shown), emails, delivery addresses, any travel proof if you were elsewhere.

3. Dispute with your issuing bank:

   • Reason: Fraud/unauthorized (card-not-present).
   • Ask for provisional credit while under investigation (many issuers provide this).
   • Sign any Affidavit of Fraud they require.

4. Watch the timelines:

   • File ASAP. Card networks typically allow disputes within ~120 days from transaction/statement date, but your bank may impose shorter windows (often 30 days from statement).
   • You may need to respond to “retrieval requests” for more info—answer quickly.

5. If denied: Request the written basis (e.g., merchant provided 3-D Secure proof, IP/location). You can challenge inconsistencies (e.g., device mismatch, delivery to unknown address, 3-DS frictionless without your consent), then escalate (see “Escalations”).

B) E-wallets (e.g., account takeover or unauthorized app payments)

1. Lock the wallet, change password/PIN, revoke unrecognized devices, and freeze linked cards.
2. Report immediately via the app and official support channel; get a case number.
3. Ask for a transaction recall/freeze to the recipient account and for the provider to file a fraud incident with counterparties.
4. Submit proofs: screenshots, device info, SIM-swap receipts, phishing messages/URLs, and police blotter if available.
5. Follow the provider’s formal complaint process and request status updates in writing.

C) Online bank transfers (InstaPay/PESONet) you didn’t make

1. Secure your online banking (reset credentials, disable online transfers temporarily, remove suspicious payees/devices).
2. Report the incident to your bank’s fraud team; request an immediate recall and freeze on the receiving account.
3. Cooperate with KYC/AML checks—banks may ask for affidavits and IDs to file interbank disputes.
4. If the funds moved through multiple hops (typical mule chains), ask your bank to trace onward transfers and to coordinate with AML/LEA (law enforcement agencies).

---

Evidence checklist (use this to strengthen your case)

• Transaction IDs, amounts, dates/times, merchant names, and reference numbers.
• Screenshots of app/online banking pages, SMS messages, emails (with full headers if possible).
• Your location/device evidence (e.g., you were at work; you use iOS but logs show Android; 2FA delivered to a new device).
• Any delivery proof (merchant’s delivery address differs from yours).
• Police blotter and/or Affidavit of Fraud (banks often ask for one).
• If SIM-swap suspected: telco service-change logs, store visit receipts, trouble ticket numbers.

---

What outcomes to expect

• Cards: Many issuers grant provisional credit while they investigate. If the chargeback wins, the credit becomes final; if it loses, the charge may be reinstated (with explanation).
• E-wallets/transfers: Best case is a full return if funds are still parked. Harder if already withdrawn or moved to mule chains—law enforcement and court orders help.
• Merchant errors (duplicate/undelivered): Often resolved by merchant refund; otherwise, pursue a card chargeback or formal complaint.

---

When providers say “You shared your OTP”

Don’t give up automatically. Clarify:

• How was the OTP delivered and to which device/number?
• Were there red flags (spoofed websites, URLs, or caller IDs)?
• Did the provider follow required security controls and disclosures? Under RA 11765, providers must act fairly and have adequate risk management and customer assistance.
• 3-D Secure data (if card): device/browser fingerprints, IP, and challenge flow (frictionless vs. challenge).
• Account access logs: new device enrollments, password resets, or SIM change timestamps.

If the evidence shows sophisticated social engineering or spoofing beyond a reasonable consumer’s control, push for reconsideration and escalate if needed.

---

Escalations and where to file complaints

• Start with your provider’s formal complaints process (banks/e-wallets must have one and must document resolutions). Ask for written findings and final resolution letter.
• Bangko Sentral ng Pilipinas (BSP): If your case involves a bank, e-money issuer, remittance agent, or payment system participant, you can elevate unresolved disputes to BSP’s consumer assistance channel.
• SEC / Insurance Commission: For lending/financing companies, BNPLs, or insurers (non-bank financial institutions), escalate to the relevant regulator.
• DTI: If it’s a merchant issue (misrepresentation, failure to deliver, refusal to honor refunds), file a DTI consumer complaint.
• National Privacy Commission (NPC): If your personal data was mishandled or breached.
• PNP-ACG / NBI-CCD: For criminal complaints (phishing, identity theft, mule networks). Useful for freezing recipient accounts and subpoenaing platform/telco data.

Tip: Keep a tidy timeline of events with all case numbers across agencies. It speeds everything up.

---

Timelines & deadlines (what’s typical)

• Report immediately. Many issuers require notice within 30 days of statement for card disputes, while network rules may allow up to ~120 days from the posting/knowledge of the transaction—your bank’s shorter deadline controls.
• Provider acknowledgments usually arrive quickly (often same/next business day). Final investigations can take weeks (cards) or days to weeks (wallet/transfer), depending on complexity.
• Law-enforcement and AML actions can extend longer, especially for mule chains.

Because institutions set their own internal service levels (consistent with BSP rules), always ask for the specific timeline in writing for your case.

---

Templates you can reuse

1) Initial dispute (card/wallet/bank)

Subject: Urgent: Unauthorized Online Transaction – Dispute & Fraud Report Account/Wallet/Card No.: xxxx-xxxx-xxxx-1234 Reference Nos.: [list] | Amounts/Date/Time: [list]

I did not authorize the above transactions. Please:

1. Block my account/card to prevent further misuse;
2. Initiate a chargeback/recall as applicable;
3. Provide a written acknowledgement with my case number; and
4. Advise your expected timeline and documents you require (I can execute an Affidavit of Fraud).

Attached are screenshots, statements, and my ID.

I invoke my rights under RA 11765 and related BSP regulations on financial consumer protection.

Sincerely, [Name, Mobile, Email, Valid ID No.]

2) Follow-up / escalation (after denial or delay)

Subject: Escalation: Unresolved Fraud Dispute – Request for Final Position Letter Case No.: [xxxx]

Please provide your final position in writing, including: – Basis for denial (logs, 3-D Secure data, device/IP, delivery proof); – Security controls applied; – How your investigation complied with RA 11765 and BSP consumer protection rules.

Absent satisfactory resolution, I intend to elevate this case to the appropriate regulator.

---

Special situations

• Cross-border merchants: Card chargebacks still apply under network rules. Expect longer timelines and currency adjustments.
• Recurring/subscription charges: Cancel the subscription, then dispute prior unauthorized renewals.
• App-store purchases (Apple/Google/Steam, etc.): Use the platform’s refund flow and notify your issuer if you suspect account takeover.
• BNPL/fintech loans you didn’t open: File an identity theft report, dispute the account with the lender (SEC-regulated if non-bank), and place a fraud alert or request enhanced verification on your credit files if available.
• SIM-swap indicators: sudden “No Service,” SIM replacement SMS, or call diversions. Demand telco logs and freeze further SIM changes.

---

What if the merchant or recipient refuses?

• Cards: The network process can still pull funds back if the issuer proves fraud within the rule set.
• Transfers/e-wallets: If funds are gone, your provider may pursue mule accounts via AML and law enforcement. You may sue the wrongdoer or a complicit merchant (civil action) and pursue criminal complaints (estafa, access-device fraud, computer-related fraud).

---

Preventive moves (learned the hard way)

• Use a separate card or virtual card with low limits for online spending; enable real-time alerts.
• Never type an OTP/PIN outside your bank/wallet app or official site.
• Keep devices updated; avoid installing unverified apps or “SMS forwarders.”
• Beware of “representatives” asking you to share screen, click links, or re-enroll devices.
• Enable biometrics and strong passwords; remove old devices from your account.
• For businesses: adopt 3-D Secure, device fingerprinting, velocity checks, and strong KYC.

---

FAQs

Q: I accidentally gave my OTP to a scammer. Am I automatically liable? Not automatically. The outcome turns on overall circumstances—spoofing, provider controls, disclosures, and whether your actions were reasonable. Dispute, document everything, and escalate if needed.

Q: Do I need a police report? Banks often request one for fraud cases. It’s helpful for interbank freezes and later recovery.

Q: Can I go to small claims? Yes, if your claim falls within the current small-claims monetary threshold set by the Supreme Court. It’s faster and doesn’t require a lawyer. (Check the latest threshold and forms before filing.)

Q: My bank took too long to respond. Ask for the final position letter and cite your rights under RA 11765. If still unresolved, elevate to the proper regulator with your full paper trail.

---

One-page action plan (print this)

1. Immediately block card/wallet/online banking and change credentials.
2. List all unknown transactions and gather evidence.
3. File a written dispute with your bank/wallet (get a case number).
4. Ask for recall/chargeback and provisional credit (if applicable).
5. Prepare an Affidavit of Fraud and, if asked, police blotter.
6. Track timelines and follow up in writing.
7. Escalate to BSP/SEC/IC/DTI/NPC or law enforcement if unresolved.
8. Consider civil/criminal action for significant losses or mule activity.

---

Final note

Unauthorized payment disputes blend contract rules (your bank/wallet terms), network rules (for cards), and Philippine statutes/regulations. Move fast, document everything, and escalate through the proper channels if you’re not getting traction.