How to Verify Suspicious Emails for Fraud or Phishing (Philippines)

Executive summary

Phishing and fraud emails are among the most common vectors for identity theft, account takeovers, and unauthorized fund transfers in the Philippines. This article explains—step by step—how to verify a suspicious email, what the law says, what to preserve as evidence, where to report, and how to protect yourself and your organization. It is written for Filipino individuals, MSMEs, compliance teams, and IT/security officers.


Why verification matters

  • Threats: credential harvesting, malware delivery (e.g., ransomware), business email compromise (BEC), and investment/loan scams.
  • High-risk sectors: banking and e-wallets, online marketplaces, logistics/delivery, government services (SSS, PhilHealth, BIR, LTO, DFA), utilities, and schools.
  • Local realities: widespread use of mobile email + SMS, payment via e-wallets and bank apps, and active social engineering tied to Philippine holidays, disasters, or government programs.

Legal framework (Philippine context)

You don’t need to be a lawyer to use this, but it helps to know what laws and regulators are in play.

  • Cybercrime Prevention Act of 2012 (Republic Act No. 10175): Penalizes computer-related forgery, fraud, identity theft, illegal access and interception—often implicated in phishing/BEC.
  • Data Privacy Act of 2012 (RA 10173) and NPC rules: Requires lawful processing of personal data and mandates breach notification to the National Privacy Commission (NPC) when there’s likely risk or harm to data subjects. Controllers must notify the NPC and affected individuals without unreasonable delay (commonly interpreted as 72 hours from knowledge in serious cases under NPC circulars/issuances).
  • Electronic Commerce Act (RA 8792) & Rules on Electronic Evidence (A.M. No. 01-7-01-SC): Recognize electronic documents and signatures; provide rules for authenticity, integrity, and admissibility—critical when preserving email evidence.
  • Financial Consumer Protection Act (RA 11765): Assigns the BSP, SEC, and Insurance Commission sectoral powers to protect consumers from fraud in banks, e-money, securities, and insurance.
  • SIM Registration Act (RA 11934): Aims to curb SMS-enabled fraud. While not an email law, scams often blend SMS and email.
  • Other relevant issuances: BSP circulars/advisories on phishing, NPC advisories on scams and breach reporting, and sector-specific guidelines (e.g., SEC on investment solicitations).

Key regulators you may interact with:

  • PNP Anti-Cybercrime Group (PNP-ACG) and NBI Cybercrime Division – investigation and enforcement.
  • National Privacy Commission (NPC) – privacy violations, breach notification, and guidance.
  • BSP/SEC/IC – financial consumer complaints depending on the product/entity involved.
  • DTI – deceptive/misleading trade practices in consumer transactions.

What counts as “phishing” or email fraud?

  • Phishing: any deceptive email that induces disclosure of credentials, OTPs, personal data, or payments by pretending to be a trusted entity (bank, e-wallet, courier, government, employer).
  • Spear-phishing/BEC: highly targeted messages (often impersonating executives, suppliers, or HR/payroll) designed to trigger urgent fund transfers or divulge confidential information.
  • Malware phishing: attaches or links files (e.g., .ZIP, .HTML, .HTM, .XLSM) to install malware or redirect to credential-harvesting pages.
  • “Quishing”: QR-code lures that route to fake portals.

Step-by-step verification workflow (use this every time)

1) Pause and isolate

  • Do not click links or download attachments.
  • Disconnect from corporate VPN if you already clicked (contain potential spread).
  • Create a copy of the email (don’t delete). You’ll preserve evidence later.

2) Check visible red flags

  • Sender display name vs. real address: a display name of “BPI Customer Care” on an address like random@gmail.com is fake.
  • Mismatched branding and grammar: awkward Filipino/English mix, wrong fonts, off logos.
  • Pressure + urgency: “account will be locked in 30 minutes—verify now.”
  • Unusual asks: OTP request, password reset via non-official domain, payment to new beneficiary.
  • Generic greetings: “Dear User/Customer” instead of your name.

3) Verify the sender’s domain (without clicking)

  • Hover to reveal the actual link (on mobile, long-press to preview).
  • Check domain spelling: bpi.com.ph vs bpl.com.ph or bpi.support-verify.com.
  • Subdomain tricks: security.bpi.com.ph.attacker.com is not bpi.com.ph. The true domain is the rightmost registered domain pair (here, attacker.com).
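The “rightmost registered domain” rule from step 3, as an added example that is not part of the original article: it reduces a link’s host to its registrable domain and compares it with the institution’s known domain. The suffix table is a small constructed subset (real tools use the Public Suffix List); it includes com.ph so that three-label domains such as bpi.com.ph are handled correctly. The URLs are constructed; bpi.com.ph is the expected domain used in the text.

```python
from urllib.parse import urlsplit

# Constructed subset of public suffixes covering the examples in the article.
# Real tooling should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "ph", "com.ph", "gov.ph", "edu.ph", "org.ph"}

def registrable_domain(host: str) -> str:
    """Rightmost registrable domain: the label just left of the longest public suffix.
    'security.bpi.com.ph.attacker.com' -> 'attacker.com'; 'online.bpi.com.ph' -> 'bpi.com.ph'."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so 'com.ph' wins over 'ph'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"unknown suffix in {host!r}")

def verdict(url: str, expected_domain: str) -> str:
    """Classify a hovered link against the domain you already trust."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unparseable"
    try:
        real = registrable_domain(host)
    except ValueError:
        return "unknown-suffix"
    if real == expected_domain.lower():
        return "match"
    brand = expected_domain.lower().split(".")[0]
    # Brand name present in the host but not as the registrable domain:
    # the subdomain / look-alike trick described in step 3.
    if brand in host:
        return "impersonation"
    return "different-domain"  # e.g. a typo-squat such as bpl.com.ph
```

A typo-squat like bpl.com.ph is reported as “different-domain” rather than “impersonation”, which is why the spelling check in step 3 still has to be done by eye.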

4) Inspect full email headers (auth results)

Look for SPF, DKIM, and DMARC in the headers:

  • SPF: Was the sending IP authorized by the domain? spf=pass is good; fail/softfail/neutral are suspect.
  • DKIM: Is the message cryptographically signed by the purported domain? dkim=pass helps; none/fail is suspect.
  • DMARC: Did the message align with SPF/DKIM? dmarc=pass is ideal.

How to open headers quickly

  • Gmail (web): open the email → ⋮ (More) → Show original.
  • Outlook (desktop): File → Properties → Internet headers.
  • Outlook (web): ⋯ → View → View message details.

Note: A pass is not a guarantee (attackers can use look-alike domains with valid SPF/DKIM). But a fail is a red flag.

5) Validate links and files out-of-band

  • Do not open the link directly. Instead:

    • Manually type the official site you already know (e.g., your bank’s bookmarked URL/app).
    • Call the institution via the number on your card/website you already trust—not the email.
    • For businesses, submit the link to your IT sandbox or vendor-provided URL reputation tools; never open it from your main workstation.

6) Cross-check the story

  • “Package delivery”? Confirm with your courier app and tracking you generated, not theirs.
  • “Payroll/HR change”? Verify with HR via known channels.
  • “Executive payment request”? Call the executive; use a dual-control payment policy.

7) Decide: suspicious vs. confirmed fraud

  • If any of SPF/DKIM/DMARC fail and content has red flags → treat as phishing.
  • If all checks pass but something still feels off → escalate to IT/security for sandboxing and domain intelligence.
  • If verified legitimate → close the ticket and coach the sender if they caused false alarms (e.g., poor template).

Evidence preservation (for Philippine proceedings)

To support law-enforcement or internal discipline and maintain admissibility under the Rules on Electronic Evidence:

  1. Export/print to PDF the full message and save raw headers (Gmail “Download Original”; Outlook .msg).
  2. Screenshots: include message list, opened message, header results, link hovers, and any error pages.
  3. Hash files (for organizations): compute SHA-256 of the email/raw file and store in your incident folder.
  4. Contemporaneous notes: who found it, when, actions taken, and systems affected.
  5. Chain of custody: designate a custodian; restrict edit access; log transfers.
  6. Do not forward the live malicious email to colleagues—forward a PDF or safe screenshot.
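Items 3 and 5 above (hashing and chain of custody), as an added example that is not part of the original article: it hashes a preserved .eml, appends a who/what/when/hash entry to a JSON-lines custody manifest, and re-verifies the file later. File names, the custodian name and the sample message bytes are constructed so the code runs offline.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_evidence(path: Path, custodian: str, note: str, manifest: Path) -> dict:
    """Append a custody entry (file, hash, size, custodian, UTC time, note)."""
    entry = {
        "file": path.name,
        "sha256": sha256_file(path),
        "size": path.stat().st_size,
        "custodian": custodian,
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with manifest.open("a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(path: Path, manifest: Path) -> bool:
    """True only if the file still hashes to what was first recorded for it."""
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        if entry["file"] == path.name:
            return sha256_file(path) == entry["sha256"]
    return False  # never recorded: treat as unverified

def demo() -> tuple:
    """Constructed walk-through: record, verify, then show a later edit is detected."""
    folder = Path(tempfile.mkdtemp(prefix="incident-"))
    eml = folder / "suspect.eml"           # hypothetical exported raw message
    eml.write_bytes(b"From: x@example.test\r\nSubject: test\r\n\r\nconstructed body\r\n")
    manifest = folder / "custody.jsonl"
    record_evidence(eml, "IT Security Officer (hypothetical)", "Gmail Download Original", manifest)
    before = verify_evidence(eml, manifest)
    eml.write_bytes(b"tampered")           # any later change must break verification
    after = verify_evidence(eml, manifest)
    return before, after
```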

Reporting & escalation (Philippines)

  • If money or credentials are at risk now: contact your bank/e-wallet via official hotline/app, request account freeze and transaction dispute, and change passwords.

  • Law enforcement:

    • PNP Anti-Cybercrime Group (ACG) – for complaints/investigation.
    • NBI Cybercrime Division – for case build-up and forensics.
  • Privacy concerns/breaches: National Privacy Commission (NPC) for complaints or breach notifications (organizations).

  • Financial products:

    • BSP for banks and e-money institutions;
    • SEC for investment solicitations and unregistered offerings;
    • Insurance Commission for insurance-related fraud.
  • DTI – deceptive trade practices in consumer transactions.

Keep ticket/case numbers, call logs, and submission receipts.


Special scenarios (with Philippine nuances)

Banking & e-wallets

  • Legitimate institutions never ask for full passwords/OTPs via email.
  • Use official mobile apps for any requested action.
  • If you typed credentials on a suspect site: change passwords immediately, revoke app sessions, and enable MFA.

Government impersonation

  • Phishers mimic BIR eFPS, SSS, PhilHealth, DFA, LTO, PSA.
  • Government email domains usually end in .gov.ph. Be wary of public-mail senders with gov-like names.
  • The government does not accept payments through personal accounts.

Logistics and “undelivered parcel” lures

  • Cross-check with the courier app or your own tracking ID. Avoid QR codes or shortened links claiming customs/storage fees.

Academia & payroll

  • Confirm grade release, scholarship, or payroll updates via official portals.
  • Enforce dual authorization for payroll or supplier bank-account changes.

Organizational controls (for businesses, schools, LGUs)

Email authentication & secure configuration

  • Enforce SPF, DKIM, and DMARC with a policy of p=reject once aligned.
  • Deploy MTA-STS and TLS-RPT to improve transport security and visibility.
  • Block executables and macro-enabled files at the gateway; allow via managed channels only.
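The SPF and DMARC baseline in the list above, as an added example that is not part of the original article: it checks the TXT records an organization publishes for the weak settings (softfail, p=none, partial pct, no reporting address). Records are passed in as constructed strings, so no DNS lookup is needed; the example.com.ph names are placeholders.

```python
import re

# Constructed records: a weak pair beside the corrected pair.
WEAK = {"spf": "v=spf1 include:_spf.example.com.ph ~all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.example.com.ph -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.ph"}

def check_spf(record: str) -> list:
    """Flag an SPF record whose terminal 'all' mechanism is too permissive."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()
    if "+all" in terms or "?all" in terms:
        return ["SPF permits any sender (+all/?all)"]
    if "~all" in terms:
        return ["SPF uses softfail (~all); prefer -all"]
    if "-all" not in terms:
        return ["SPF has no terminal -all mechanism"]
    return []

def check_dmarc(record: str) -> list:
    """Flag a DMARC record that is not yet at the p=reject target."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "")
    if policy != "reject":
        issues.append(f"DMARC policy is p={policy or 'missing'}; target is p=reject")
    pct = tags.get("pct", "100")
    if pct != "100":
        issues.append(f"DMARC applies to only {pct}% of mail")
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports will not be received")
    return issues

def assess(spf: str, dmarc: str) -> dict:
    """Combined findings for one domain's SPF and DMARC records."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}
```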

People & process

  • Security awareness training every 6–12 months with Philippine-relevant lures (banks, e-wallets, disaster relief).
  • Phishing simulations with positive coaching (avoid shaming).
  • Incident runbooks with clear owners: detection → containment → eradication → recovery → notification → lessons learned.
  • Approval policies: dual control for payments; verify supplier bank changes through a second channel.

Technology

  • Endpoint protection/EDR, web filtering, and DNS security.
  • Least privilege on endpoints; disable Office macros by default.
  • Password manager + MFA everywhere (especially email, VPN, HRIS, finance).
  • Backups tested regularly; keep offline or immutable copies.

Vendors and third parties

  • Contractually require security baselines (SPF/DKIM/DMARC, breach notification timelines, incident cooperation).
  • Maintain an allowlist of official supplier domains and payment accounts.

Individual best-practice checklist (quick use)

  • Hover before you click; verify domain spelling.
  • Never share OTP/PIN/password via email.
  • Use official apps or bookmarked URLs to log in.
  • Enable MFA and unique passwords (use a password manager).
  • Keep devices updated; use antivirus.
  • When in doubt, call the institution using a number you already trust.
  • Report and preserve evidence if you suspect fraud.

If you already clicked or typed credentials

  1. Disconnect from Wi-Fi/VPN; don’t power off if IT needs volatile memory.
  2. Change passwords (email first, then financial and work accounts).
  3. Revoke sessions on email and apps; enable MFA.
  4. Scan endpoints and consider re-imaging if malware found.
  5. Notify your bank/e-wallet and monitor accounts for new payees or small “test” transactions.
  6. File reports (PNP-ACG/NBI/NPC, and your provider).
  7. Document everything you did and when.

Admissibility and evidence tips (PH)

  • Keep original electronic form with metadata (raw headers, .eml/.msg).
  • Demonstrate authenticity and integrity: hash values, system logs, and controlled storage.
  • Prepare a witness-friendly narrative: who discovered, how preserved, and who had access (chain of custody).
  • For companies, align with your Retention Policy and Incident Response Plan.

Basic header reading quick-guide (what to look for)

  • Return-Path / From / Reply-To: must be consistent and on expected domain.
  • Received: trace the path; odd first hop (foreign IP for a purely local service) can be suspicious.
  • Authentication-Results: look for spf=pass, dkim=pass, dmarc=pass.
  • X-Mailer/X-Originating-IP: consumer webmail or odd generators are clues in corporate spoofs.
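The header checks in this quick-guide and in steps 4 and 7, as an added example that is not part of the original article: it parses a raw message with Python’s standard email module, pulls the spf/dkim/dmarc verdicts from Authentication-Results, checks that Return-Path, From and Reply-To sit on one domain, and applies the step 7 decision. The message is constructed; every domain, address and IP in it is fictitious (203.0.113.10 is a documentation address).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a spoof of a fictitious bank domain, examplebank.com.ph.
RAW_EMAIL = """\
Return-Path: <bounce@mail-alert-verify.com>
Received: from mail-alert-verify.com (unknown [203.0.113.10])
    by mx.example.net with ESMTP; Mon, 3 Jun 2024 09:12:00 +0800
Authentication-Results: mx.example.net;
    spf=fail smtp.mailfrom=mail-alert-verify.com;
    dkim=none;
    dmarc=fail header.from=examplebank.com.ph
From: "Example Bank Customer Care" <customercare@examplebank.com.ph>
Reply-To: <support@mail-alert-verify.com>
Subject: Your account will be locked in 30 minutes - verify now

Dear User, verify your account at the link below within 30 minutes.
"""

def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = msg.get("Authentication-Results") or ""
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in found}

def addr_domain(value) -> str:
    """Domain part of an address header ('' when the header is absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def analyse(raw: str, red_flags: int) -> dict:
    """red_flags is the number of content red flags noted in step 2."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    domains = {h: addr_domain(msg.get(h)) for h in ("From", "Return-Path", "Reply-To")}
    # Return-Path / From / Reply-To should all be on the same expected domain.
    aligned = len({d for d in domains.values() if d}) == 1
    failed = [k for k in ("spf", "dkim", "dmarc") if auth.get(k) != "pass"]
    if failed and red_flags:
        verdict = "phishing"          # auth failure plus content red flags
    elif failed or not aligned or red_flags:
        verdict = "escalate"          # something is off: hand to IT/security
    else:
        verdict = "likely-legitimate"
    return {"auth": auth, "domains": domains, "aligned": aligned,
            "failed": failed, "verdict": verdict}
```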

Template: short incident report (you can copy/paste)

Subject: Suspected Phishing – [Your Org/Name], [Date/Time, PH Time]

Summary: Received email claiming [bank/courier/gov]. Contained [link/attachment].

Indicators: From: [address]; Domain: [domain]; SPF/DKIM/DMARC: [results]; Red flags: [list].

Actions taken: Isolated device; no clicks/downloads; preserved headers; notified [bank/IT]; password reset & MFA enabled.

Evidence: PDF of email; raw .eml/.msg; screenshots; hashes; ticket #s.

Next steps requested: Domain block; takedown; consumer dispute; law-enforcement referral.


Penalties overview (high level, non-exhaustive)

  • RA 10175 (Cybercrime): imprisonment and/or fines for computer-related fraud, identity theft, illegal access.
  • DPA (RA 10173): administrative fines, corrective orders, and criminal liability for unauthorized processing and negligent breaches.
  • Sectoral sanctions: BSP/SEC/IC can impose penalties, directives, or suspend operations for non-compliant regulated entities.
  • Civil liability: damages claims for losses from negligent security practices or deceptive conduct.

Final thoughts

Verification is a process, not a gut feel. Combine content checks (language, urgency), technical checks (SPF/DKIM/DMARC), out-of-band verification, and proper evidence handling. In the Philippines, fast escalation to your bank or provider, plus reporting to PNP-ACG/NBI and—where personal data is at risk—the NPC, materially improves outcomes.

If you want, I can adapt this into a one-page checklist for end-users or a policy/runbook for your company’s incident response.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.