How to Spot and Report Fake Online Lending Scams in the Philippines: SEC and NBI Steps

How to Spot and Report Fake Online Lending Scams in the Philippines: SEC & NBI Guide (Full Legal Primer)

Philippine-focused, plain-English legal explainer. I’m not browsing the web per your request, so treat specific contact channels as placeholders—always double-check current forms/emails of the agencies mentioned.

Executive summary

Online loan scams in the Philippines typically (1) pretend to be licensed lenders, (2) harvest your personal data via apps or links, and (3) pressure you into “advance fees” or extortion. The Securities and Exchange Commission (SEC) polices lending/financing companies and unfair debt collection; the National Bureau of Investigation (NBI) handles the criminal side (e.g., estafa and cybercrime). Your playbook:

  1. Screen for red flags → 2) Verify SEC authority → 3) Do not pay any “release/verification fee” → 4) Preserve evidence → 5) Report to SEC (administrative/regulatory) and NBI (criminal) → 6) Lock down your accounts & devices → 7) Consider NPC/PNP and civil remedies when relevant.

The legal landscape (Philippines)

  • Lending/Financing registration & authority

    • Lending Company Regulation Act of 2007 (RA 9474) and Financing Company Act of 1998 (RA 8556): Lending/financing companies must be SEC-registered corporations and must secure a Certificate of Authority (CA) from the SEC before operating.
    • The SEC can issue advisories, cease-and-desist orders, revoke/suspend a CA, and impose administrative penalties.

  • Unfair debt collection & online lending apps

    • SEC has issued rules/memoranda prohibiting harassing, abusive, or shaming collection practices by lending/financing companies (e.g., contacting your phone contacts, threats, insults, humiliation, false representation as law enforcement).

  • Truth-in-Lending

    • Truth in Lending Act (RA 3765): lenders must clearly disclose finance charges/interest (APR/effective rates and fees) before you agree.

  • Data & cyber laws that often apply

    • Data Privacy Act of 2012 (RA 10173): protects personal data; “contact-shaming,” unlawful scraping of contacts, and lack of valid consent may violate this law. Complaints go to the National Privacy Commission (NPC) (optional but powerful).
    • Cybercrime Prevention Act of 2012 (RA 10175): covers computer-related fraud/identity theft and other cyber offenses.
    • Access Devices Regulation Act (RA 8484): protects against unauthorized use of cards/OTPs/access devices.
    • Estafa (Art. 315, Revised Penal Code): criminal fraud via deceit with damage.

Key takeaway: A legitimate lending/financing company = SEC corporate registration and an SEC Certificate of Authority to operate as such. If either is missing, treat it as illegal lending.

Quick red-flag checklist (spotting fakes)

  • No SEC details or they show a fake/altered SEC certificate; they refuse to provide the Certificate of Authority number.
  • Operates only via social media/messaging or .apk sideloads; pushes you to install an app outside official app stores.
  • Asks for “processing/release/verification” fees before loan disbursement.
  • Asks for your OTP, full card details, or remote control of your device (AnyDesk/TeamViewer).
  • Collector harassment/extortion: threats to “expose you” to your contacts, call your boss, or post your photos.
  • Payment to personal e-wallets/bank accounts that don’t match the company name.
  • Too-good-to-be-true offers (instant approval at near-zero interest, “government-backed” claims without proof).
  • Privacy policy is missing/vague; app requests excessive permissions (contacts, SMS, photos, mic) unrelated to lending.
  • Name squatting: uses a name confusingly similar to a legit lender or “claims to be a partner” but can’t prove it.

How to verify a lender (fast due diligence)

  1. Ask for two things in writing:

    • SEC Company Registration Number (corporate registration).
    • SEC Certificate of Authority (CA) number as a lending or financing company (not just any SEC registration).

  2. Match the name across:

    • Company legal name, trade name, website/app publisher name, bank account payee name, and receipts. Inconsistencies = red flag.

  3. Demand pre-contract disclosures (RA 3765):

    • Total loan amount, effective interest rate, all fees/penalties, payment schedule, cooling-off/cancellation conditions.

  4. Check app behavior:

    • Refuse unnecessary permissions; no sideloaded .apk. If they insist, walk away.

What to do immediately if you’re targeted or duped

  • Do not pay any “release” fee. If you already paid, stop further payments.

  • Preserve evidence (don’t delete):

    • Screenshots/screen recordings of chats, profiles, app pages, promises, and threats.
    • Copies of IDs you sent, and time you sent them.
    • Receipts: bank/e-wallet ref. numbers, amounts, dates, account names/numbers.
    • Links/handles: websites, app links, social media pages, phone numbers, email addresses.
    • Device evidence: if you installed an .apk, keep the file copy and note the install date; export chat logs where possible.

  • Secure your accounts & device:

    • Uninstall suspicious apps; revoke permissions; change passwords; enable 2FA.
    • Contact your bank/e-wallet to flag/freeze compromised channels and dispute unauthorized transfers.

  • Inform your contacts (if “contact-shaming” is threatened) that any messages about you may be from scammers.

Reporting to the SEC (regulatory/administrative)

When to go to the SEC

  • The entity offers loans without an SEC Certificate of Authority, or misrepresents its licensing.
  • Unfair debt collection (harassment, shaming, threats, false representation as authorities).
  • Misleading advertising (false rates, hidden fees).

What to prepare

  • Your Affidavit/Complaint narrative (see template below).
  • Your government ID.
  • Evidence bundle: screenshots, screen recordings, links/URLs, app name/publisher, phone numbers/emails, copies of “certificates” they sent, receipts and reference numbers, and any contract/terms shown.
  • If it’s an app: device model/OS, app version, where you downloaded it.

How to file with SEC

  • Online or email: Use SEC’s enforcement/investor protection complaint channels (look up the current complaint form and email address on the SEC website). Attach your evidence and ID.
  • Walk-in: File with the SEC Enforcement/Investor Protection office at the main or regional office.
  • Ask the SEC to: (a) issue an Advisory naming the entity, (b) investigate for illegal lending and (c) act on unfair collection practices (e.g., impose penalties; issue a cease-and-desist order; revoke/suspend CA if any).

What to expect

  • SEC actions are administrative/regulatory (public advisories, orders, penalties). The SEC does not normally award restitution; for criminal accountability and possible recovery, proceed with NBI/DOJ and civil remedies.

Reporting to the NBI (criminal investigation)

When to go to the NBI

  • You lost money to deceit (estafa), were extorted/harassed, your device/accounts were compromised (cybercrime), or there’s identity theft/unauthorized use of your access devices (RA 8484).

Where to file

  • NBI Cybercrime Division (for online/app, phishing, hacking) or NBI Anti-Fraud Division (for estafa, advance-fee schemes). You may file online (if portal available) or walk-in at the nearest NBI office.

What to bring

  • Sworn Complaint/Affidavit (see template).
  • Valid government ID.
  • All evidence listed above (preferably printed and in a labeled USB/drive). Keep original files for forensic integrity.
  • List of suspects/handles (numbers, emails, wallet accounts, pages, sites, app names, developer/publisher, transaction refs).
  • Proof of loss (bank/e-wallet statements, receipts).

What happens next

  • The NBI may register your complaint, take your sworn statement, and request digital forensics, subpoenas (e.g., to telcos/e-wallets), and coordinate with PNP-ACG or the SEC. They can recommend filing criminal cases with the DOJ (for inquest/prelim investigation).
  • Keep your case/reference number and follow up using official channels.

Optional but useful: NPC & PNP

  • National Privacy Commission (NPC): If they scraped your contacts, shamed you, or misused personal data, file a privacy complaint. NPC can investigate, issue orders, and impose penalties for DPA violations.
  • PNP Anti-Cybercrime Group (PNP-ACG): You may also report cyber extortion, threats, and phishing—particularly for immediate local coordination.

Civil remedies (money recovery)

  • For amounts up to ₱1,000,000, consider filing a Small Claims case (no lawyers required) under the Revised Rules on Small Claims. You’ll need documentary proof (receipts, chats) and the defendant’s identity/address. For larger claims, consult counsel on ordinary civil actions (e.g., damages and restitution).

Tip: If you don’t know the real identity/address, your NBI complaint can help unmask the persons behind phone numbers, e-wallets, and domains through subpoenas.

Practical do’s & don’ts

Do

  • Keep all communications in-app or in writing. Move phone calls to email/chat where possible to preserve proof.
  • Watermark any ID selfies you share with the purpose and date (e.g., “For loan verification with XYZ Lending only, 20 Aug 2025”)—legit lenders should accept purpose-bound IDs; scammers hate it.
  • Use separate emails/numbers for financial apps to limit exposure.
  • Freeze your credit/debit card for suspected compromise and request new card numbers if needed.

Don’t

  • Don’t send front-and-back IDs plus selfie + signature + OTP in one thread—this is a full identity kit.
  • Don’t install .apk files from chat or unknown links.
  • Don’t let anyone remote-control your phone/computer.

Template: SEC complaint (use/adjust as needed)

Subject: Complaint vs. [Name used by Lender/App] for Illegal Lending & Unfair Collection

I. Parties
Complainant: [Full Name], [Address], [Mobile/Email], [Gov ID]
Respondent(s): [Entity name as advertised], [App/Website], [Known phone numbers/emails], [Social pages]

II. Facts
1. On [date], Respondent offered me a loan via [app/FB page/website/message].
2. They represented themselves as a licensed [lending/financing] company but refused/failed to show an SEC Certificate of Authority.
3. They demanded [“release/verification/processing”] fees before loan disbursement.
4. They [harassed/threatened/shamed] me by [describe conduct].
5. I paid [amount] to [wallet/bank], Ref. No. [xxx], on [date], but no loan was released / or I suffered [describe].

III. Legal Grounds
- RA 9474 / RA 8556 (operating without SEC CA), Truth in Lending (RA 3765 disclosures), SEC rules against unfair/abusive collection.

IV. Evidence
- Annex A: Screenshots/recordings of chats and pages
- Annex B: Proof of payments (refs, statements)
- Annex C: Copies of “certificates” they provided
- Annex D: App details (publisher, version), device info

V. Reliefs
- Investigate and issue an Advisory naming Respondents;
- Issue Cease-and-Desist Order; impose administrative penalties;
- Coordinate with NBI/PNP for criminal action.

I attest under oath that the foregoing is true and correct.
[Signature over printed name]
[Date]

Template: NBI sworn affidavit of complaint (sample skeleton)

REPUBLIC OF THE PHILIPPINES )
CITY OF _________            ) S.S.

AFFIDAVIT OF COMPLAINT

I, [Full Name], of legal age, Filipino, with address at [Address], after being duly sworn, depose and state:

1. On [date/time], I was contacted by [name/handle/number] offering a loan of [amount] through [app/page/website].
2. Respondent(s) represented themselves as SEC-licensed lender(s) and demanded [fee/OTP/card details/remote access].
3. Relying on these representations, I [paid amount / installed app / gave data]. Thereafter, [no loan was released / I was extorted / my contacts were messaged / funds were stolen].
4. I suffered damage amounting to [₱____]. Proofs attached as Annexes A–__.
5. I believe Respondent(s) committed Estafa (Art. 315 RPC) and computer-related offenses under RA 10175, among others.

PRAYER
I request the NBI to investigate, identify, and prosecute Respondent(s).

IN WITNESS WHEREOF, I sign this [date], in [city].

[Signature over printed name]
Affiant

SUBSCRIBED AND SWORN to before me this [date].

Bring originals and copies; the NBI officer/notary will guide you on executing a sworn statement if needed.

Evidence pack checklist (print + USB)

  • Government ID (and photocopy).
  • Chronology of events (dates/times).
  • Screenshots/screen recordings (with visible timestamps/URLs).
  • Contracts/terms or ads shown to you.
  • Bank/e-wallet statements; deposit slips; reference numbers; account names.
  • App details (name, developer/publisher, version, store link), device info.
  • List of all contact points used by scammers (numbers, emails, pages, websites, domain registrations if you have them).
  • Any witness statements (e.g., coworkers who received “shaming” calls/messages).

Frequently asked questions

1) Are “processing” fees always illegal? Not necessarily—but advance fees before any loan release are a classic scam marker. Legit lenders typically deduct fees from proceeds, with prior written disclosure (RA 3765).

2) Can a loan app access my contacts? Only with valid, informed consent and only to the extent necessary. Using your contacts to shame or threaten you is typically unlawful under SEC rules and may violate the Data Privacy Act.

3) The lender threatens to sue/jail me if I don’t pay their “fee.” Payment demanded via deceit or extortion is not a legitimate debt. Document the threat and report to the NBI and SEC.

4) Can the SEC get my money back? The SEC’s core powers are regulatory/administrative. Money recovery usually goes through criminal prosecution (NBI/DOJ) and/or civil action (e.g., Small Claims for ≤ ₱1,000,000).

5) The company shows “some SEC paper.” Is that enough? No. You need to see the SEC Certificate of Authority to operate as a lending/financing company, and it must match the name you’re dealing with.

One-page action plan (printable)

  1. Stop engagement; don’t pay any upfront fee.
  2. Preserve evidence (screenshots, receipts, links).
  3. Lock down: uninstall shady apps, revoke permissions, change passwords, enable 2FA; alert your bank/e-wallet.
  4. Report to SEC: illegal lending / unfair collection (attach evidence).
  5. Report to NBI: estafa/cybercrime (file sworn affidavit + evidence).
  6. Optional: NPC complaint for privacy abuses; PNP-ACG for cyber threats.
  7. Consider Small Claims for recovery where viable.

Final notes

  • Agency forms, hotlines, and emails change—verify current channels on official sites or by phone before filing.
  • If you’re in immediate danger (live threats, stalking), contact PNP right away.
  • For larger losses or cross-border elements, consult a lawyer to coordinate SEC/NBI/NPC/PNP actions and civil recovery.

If you want, I can turn this into a filled-out complaint pack (SEC + NBI) you can download as PDFs—just tell me the names, dates, amounts, and evidence you’re ready to include.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login