Identity Theft Using Another Person’s ID in the Philippines

I. Introduction

Identity theft using another person’s identification document is not treated in Philippine law as one single offense only. Depending on how the ID is obtained, used, copied, altered, presented, or circulated, the act may give rise to several criminal, civil, administrative, and data-privacy liabilities.

In practice, identity theft involving another person’s ID often appears in loan applications, SIM card registration, online wallet verification, bank account opening, employment applications, travel documents, government-benefit claims, social media impersonation, e-commerce fraud, and scams involving “verified” accounts. The legal consequences depend on the facts: what ID was used, whether it was genuine or falsified, whether the victim consented, whether money or property was obtained, whether the use was online, and whether personal data was processed or disclosed.

II. What Constitutes Identity Theft?

Identity theft generally refers to the unauthorized acquisition, possession, use, misuse, transfer, alteration, or deletion of identifying information belonging to another person. In the Philippine context, the most direct statutory basis is the Cybercrime Prevention Act of 2012, Republic Act No. 10175, which punishes computer-related identity theft.

Identity theft may involve:

  1. Using another person’s government-issued ID;
  2. Submitting someone else’s ID to open an account;
  3. Using another person’s ID to borrow money or obtain credit;
  4. Using another person’s ID to register a SIM card, e-wallet, or online platform account;
  5. Uploading another person’s ID for “Know Your Customer” verification;
  6. Altering a real ID by replacing the photo, name, birthdate, address, or signature;
  7. Possessing copies of another person’s ID for fraudulent use;
  8. Selling or transferring images of IDs;
  9. Impersonating the ID holder in physical or online transactions;
  10. Using a lost, stolen, leaked, or photographed ID without authority.

The key element is lack of right or consent. Even if the ID is genuine, the unauthorized use of it may still be unlawful.

III. Principal Laws That May Apply

A. Cybercrime Prevention Act of 2012 — Republic Act No. 10175

The Cybercrime Prevention Act expressly punishes computer-related identity theft. This is highly relevant where the stolen or misused ID is used through a computer system, phone, application, website, email, social media account, online lending platform, e-wallet, or digital verification portal.

The offense covers the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person, whether natural or juridical, without right.

Examples include:

  • Uploading another person’s ID to verify an online account;
  • Using someone else’s ID to create an e-wallet account;
  • Sending another person’s ID through email or messaging apps for fraud;
  • Using a stolen ID to register a SIM or digital service;
  • Possessing scanned IDs for online scams;
  • Using another person’s ID to impersonate them on social media or marketplace platforms.

The law becomes especially important when the criminal act is committed by, through, or with the use of information and communications technology. If another crime under the Revised Penal Code or special law is committed through ICT, cybercrime rules may increase liability.

B. Revised Penal Code

The Revised Penal Code may apply when the identity theft involves falsification, fraud, deceit, impersonation, or the use of false documents.

1. Falsification of Public, Official, or Commercial Documents

Government-issued IDs are generally public or official documents. If a person alters, counterfeits, simulates, or fabricates an ID, liability for falsification may arise.

Falsification may include:

  • Changing the name on an ID;
  • Replacing the photograph;
  • Altering the date of birth;
  • Changing the address;
  • Forging the signature;
  • Creating a fake government ID;
  • Using a falsified ID as if genuine.

Even a person who did not personally falsify the ID may be liable if they knowingly used or possessed the falsified document.

2. Use of Falsified Documents

A person who knowingly presents a falsified ID to a bank, employer, government office, online platform, creditor, or private establishment may be liable for using a falsified document. The act of use is separate from the act of falsification.

3. Estafa or Swindling

If the stolen or misused ID is used to obtain money, property, credit, services, employment, goods, or benefits through deceit, the offender may be liable for estafa.

Examples:

  • Using another person’s ID to borrow money;
  • Applying for a loan in another person’s name;
  • Pretending to be the ID holder to receive remittances;
  • Using a victim’s ID to claim benefits;
  • Obtaining goods from sellers by pretending to be someone else.

Identity theft and estafa often overlap. Identity theft explains the impersonation; estafa punishes the fraudulent taking or damage.

4. Usurpation of Authority or Official Functions

If a person uses an ID to pretend to be a public officer, government employee, law enforcement officer, or official representative, liability may arise for usurpation of authority or official functions, depending on the facts.

5. Using a Fictitious Name or Concealing True Name

Where a person uses another name publicly to conceal identity, evade responsibility, or cause damage, the Revised Penal Code may also become relevant.

6. Perjury or False Statements

If the offender uses another person’s ID in sworn statements, notarized documents, affidavits, government submissions, or official applications, perjury or false-statement liability may arise.

C. Data Privacy Act of 2012 — Republic Act No. 10173

An ID contains personal information and often sensitive personal information. Names, addresses, birthdates, signatures, ID numbers, photographs, biometrics, civil status, and government identifiers are protected data.

The Data Privacy Act may apply when a person or organization unlawfully collects, stores, uses, discloses, sells, shares, or processes another person’s ID.

Possible violations include:

  • Unauthorized processing of personal information;
  • Processing for unauthorized purposes;
  • Improper disposal of ID copies;
  • Unauthorized access;
  • Malicious disclosure;
  • Unauthorized disclosure;
  • Concealment of security breaches involving personal data;
  • Use of personal data obtained through unlawful means.

This law is particularly important where the misuse involves businesses, online lending apps, employers, recruitment agencies, financial technology platforms, data brokers, or persons who collect ID copies from multiple individuals.

D. Access Devices Regulation Act — Republic Act No. 8484, as amended

The Access Devices Regulation Act applies when another person’s ID is used in connection with credit cards, debit cards, account numbers, electronic banking, access devices, or financial credentials.

This may apply where the offender:

  • Uses another person’s ID to apply for a credit card;
  • Uses another person’s details to obtain access devices;
  • Opens accounts using false identity information;
  • Uses stolen identity documents for card fraud;
  • Submits fake or stolen IDs to financial institutions.

When identity theft is linked to banking or credit fraud, this statute may be one of the most relevant special laws.

E. Philippine Identification System Act — Republic Act No. 11055

The Philippine Identification System Act governs the Philippine National ID system. Misuse, unauthorized possession, falsification, sale, transfer, or unlawful use of PhilID-related information may lead to liability under this special law and other applicable laws.

Potentially punishable acts include:

  • Falsifying PhilID information;
  • Using another person’s PhilID;
  • Possessing or using PhilID data without authority;
  • Unauthorized disclosure or publication of PhilSys information;
  • Misrepresentation in PhilSys-related transactions.

F. SIM Registration Act — Republic Act No. 11934

The SIM Registration Act is relevant when another person’s ID is used to register a SIM card. A person who registers a SIM using false or fictitious information, fraudulent documents, or another person’s identity may face liability.

This is significant because SIM cards are often used in phishing, text scams, online marketplace fraud, romance scams, investment scams, and e-wallet fraud. The use of another person’s ID to register a SIM may expose the real ID holder to investigation, inconvenience, reputational harm, and financial risk.

G. Anti-Financial Account Scamming Act and Related Financial Fraud Laws

Where another person’s ID is used to open, access, rent, sell, or verify bank accounts, e-wallets, payment accounts, or mule accounts, newer financial-fraud laws and banking regulations may also apply. The legal analysis may involve cybercrime, estafa, access-device fraud, money laundering, and financial-account scamming, depending on the conduct.

H. Anti-Money Laundering Laws

If identity theft is used to move, conceal, receive, or launder criminal proceeds, anti-money laundering laws may be implicated. This is common in scams where stolen IDs are used to open accounts or verify wallets that receive fraudulent funds.

IV. Common Scenarios

A. Using Someone Else’s ID to Apply for a Loan

This may involve identity theft, estafa, falsification, use of falsified documents, data privacy violations, and possibly access-device fraud. Online lending platforms may also be liable if they negligently process identity documents or misuse the victim’s contacts, photos, or personal data.

B. Using Another Person’s ID for an E-Wallet

This is one of the most common modern forms of identity theft. The offender may upload the victim’s ID and selfie, or manipulate images to pass verification. Liability may arise under cybercrime, data privacy, access-device, banking, and fraud laws.

C. Using Another Person’s ID to Register a SIM

The offender may use the SIM for scams, harassment, or fraudulent transactions. The victim should immediately report the incident to the telecommunications provider, law enforcement, and relevant agencies.

D. Using Another Person’s ID for Employment

If an applicant uses another person’s ID, diploma, license, clearance, or personal records to obtain employment, the act may involve falsification, fraud, use of falsified documents, and civil liability. If the job is regulated, such as security, teaching, healthcare, transportation, or government service, additional administrative and criminal issues may arise.

E. Using a Lost ID

Finding an ID does not give anyone the right to use it. Possession of another person’s ID may be innocent at first, but using it, copying it, selling it, or presenting it as one’s own may create criminal liability.

F. Posting Another Person’s ID Online

Posting an ID online without consent may violate privacy rights and the Data Privacy Act. If done to shame, threaten, extort, harass, defraud, or impersonate the person, additional civil, criminal, or cybercrime liability may arise.

G. Using Another Person’s ID in Social Media Impersonation

Creating an account using another person’s name, photo, and ID may constitute computer-related identity theft. If the account is used to defame, scam, solicit money, or harass, additional charges may include cyber libel, estafa, unjust vexation, threats, or other applicable offenses.

V. Elements Prosecutors Commonly Look For

Although the exact elements depend on the charge, investigators and prosecutors usually examine:

  1. The identity of the victim;
  2. The ID or identifying information used;
  3. Whether the ID belonged to another person;
  4. Whether the accused acquired, possessed, used, transferred, altered, or submitted it;
  5. Whether the use was unauthorized;
  6. Whether a computer system or online platform was involved;
  7. Whether there was deceit, fraud, or damage;
  8. Whether money, property, credit, service, or benefit was obtained;
  9. Whether the document was genuine, altered, fake, or simulated;
  10. Whether the accused knew the ID was not theirs;
  11. Whether the victim suffered financial, reputational, emotional, or privacy harm.

Intent is often shown through surrounding facts, such as false contact details, repeated use, concealment, forged signatures, fake selfies, account withdrawals, messages to victims, or deletion of records.

VI. Evidence in Identity Theft Cases

Important evidence may include:

  • The original ID or copy used;
  • Screenshots of account registration;
  • Email confirmations;
  • SMS verification messages;
  • SIM registration records;
  • E-wallet or bank records;
  • Loan application documents;
  • CCTV footage;
  • IP logs;
  • device logs;
  • Transaction histories;
  • Chat messages;
  • Delivery records;
  • Notarized documents;
  • Affidavits of the victim and witnesses;
  • Platform verification records;
  • Police or NBI cybercrime reports;
  • Data breach notifications;
  • Demand letters;
  • Proof of financial loss;
  • Proof of reputational harm.

Victims should preserve screenshots, URLs, account numbers, transaction references, phone numbers, email addresses, and timestamps. They should avoid deleting messages or altering digital evidence.

VII. Liability of the Person Who Used the ID

A person who uses another’s ID may face:

  1. Criminal liability — imprisonment, fines, or both;
  2. Civil liability — damages, restitution, attorney’s fees, and costs;
  3. Administrative liability — if the offender is a public officer, employee, student, licensed professional, or regulated person;
  4. Regulatory consequences — blacklisting, account closure, loss of license, or disqualification;
  5. Data privacy liability — if personal information was unlawfully processed or disclosed.

The offender may be liable even if the victim did not suffer immediate monetary loss. Unauthorized use of identity information can itself be punishable, especially under cybercrime and data privacy laws.

VIII. Liability of Companies and Platforms

Businesses that collect and process IDs must comply with data privacy obligations. They should collect only necessary information, secure ID copies, restrict access, verify identity properly, and dispose of data lawfully.

A company may face liability if it:

  • Negligently allows accounts to be opened using stolen IDs;
  • Fails to implement reasonable verification measures;
  • Mishandles ID copies;
  • Discloses IDs without consent;
  • Uses IDs for unauthorized purposes;
  • Fails to report a notifiable data breach;
  • Harasses the wrong person based on fraudulent applications;
  • Continues collection against a victim after notice of identity theft.

Online lending companies, financial institutions, telcos, e-wallets, employers, and recruitment agencies are frequent subjects of complaints when IDs are mishandled.

IX. Rights and Remedies of the Victim

A victim may pursue several remedies.

A. File a Police or Cybercrime Complaint

The victim may report to local police, the Philippine National Police Anti-Cybercrime Group, or the National Bureau of Investigation Cybercrime Division, especially when the misuse occurred online.

B. Notify the Platform, Bank, Telco, or Company

The victim should immediately notify the entity where the ID was used and request:

  • Freezing or suspension of the fraudulent account;
  • Preservation of records;
  • Removal of unauthorized data;
  • Written confirmation that the account was fraudulent;
  • Correction of records;
  • Blocking of further transactions;
  • Internal investigation.

C. File a Complaint with the National Privacy Commission

If the case involves misuse, unauthorized processing, or disclosure of personal data, the victim may consider a complaint before the National Privacy Commission.

D. Send a Demand Letter

A demand letter may be sent to the offender or negligent institution, requiring them to stop using the ID, remove data, correct records, pay damages, and preserve evidence.

E. File a Criminal Complaint with the Prosecutor

For prosecution, the victim may execute a complaint-affidavit and attach evidence. The prosecutor will determine probable cause.

F. File a Civil Action for Damages

The victim may seek moral damages, actual damages, exemplary damages, attorney’s fees, and other relief where supported by evidence.

X. Practical Steps for Victims

A person whose ID was used without consent should consider the following:

  1. Secure copies of the ID involved;
  2. Make a written timeline of events;
  3. Take screenshots of accounts, messages, loan notices, or transactions;
  4. Report the incident to the platform, telco, bank, or lender;
  5. Request account freeze, deletion, or correction;
  6. Ask for written confirmation that the account was fraudulent;
  7. File a police blotter or cybercrime report;
  8. Execute an affidavit of denial or non-participation if needed;
  9. Notify credit providers or financial institutions;
  10. Replace compromised IDs where appropriate;
  11. Change passwords and enable two-factor authentication;
  12. Monitor bank, e-wallet, and credit activity;
  13. Consult counsel for criminal, civil, or privacy remedies.

XI. Defenses and Issues That May Arise

Possible defenses may include:

  • Consent of the ID holder;
  • Lack of knowledge that the ID belonged to another person;
  • Lack of participation in the transaction;
  • Mistaken identity;
  • Fabricated or planted evidence;
  • No proof that the accused controlled the account or device;
  • No proof of fraudulent intent;
  • Legitimate business purpose;
  • Authority as agent, employee, guardian, or representative.

However, consent must be specific and lawful. A person allowed to photocopy an ID for one transaction is not automatically allowed to use it for another purpose. Authorization to keep an ID copy is different from authorization to submit it, sell it, post it, or use it to create accounts.

XII. The Role of Consent

Consent is central in identity theft cases. Philippine law generally requires that the use of another person’s identity information be lawful, authorized, and purpose-specific.

Examples:

  • A person may consent to giving an ID copy for employment screening, but not for loan applications.
  • A customer may provide an ID to a hotel, but not for publication online.
  • A borrower may send an ID to a lender, but not authorize the lender to shame them by posting the ID publicly.
  • A relative may possess a family member’s ID for safekeeping, but not use it to register accounts.

Consent obtained through fraud, intimidation, deception, or abuse may not be valid.

XIII. Minors and Vulnerable Persons

Using the ID or personal information of minors, elderly persons, persons with disabilities, or persons who cannot understand the transaction may aggravate the factual seriousness of the case. Additional laws may apply depending on the context, especially if exploitation, trafficking, online abuse, financial abuse, or coercion is involved.

XIV. Public IDs Commonly Misused

Frequently misused IDs include:

  • Philippine National ID;
  • Passport;
  • Driver’s license;
  • UMID;
  • SSS ID;
  • GSIS ID;
  • PRC ID;
  • Voter’s ID or voter certification;
  • Postal ID;
  • PhilHealth ID;
  • TIN ID;
  • Senior citizen ID;
  • PWD ID;
  • Student ID;
  • Company ID;
  • Barangay ID or clearance;
  • Police or NBI clearance.

The legal consequence may differ depending on whether the ID is public, official, private, falsified, expired, or used in an official transaction.

XV. Identity Theft, Falsification, and Estafa Compared

Identity theft focuses on unauthorized use of another person’s identifying information.

Falsification focuses on making, altering, or using a false document.

Estafa focuses on fraud that causes damage or obtains money, property, or benefit.

A single act may involve all three. For example, a person who edits another person’s ID, uploads it to an online lender, receives loan proceeds, and leaves the victim with collection notices may potentially face identity theft, falsification, estafa, data privacy, and financial fraud liability.

XVI. Jurisdiction and Venue

Where the offense is committed online, jurisdiction may involve the place where the offender acted, where the system was accessed, where the victim suffered damage, where the fraudulent account was opened, or where the transaction occurred. Cybercrime cases often require coordination with specialized law enforcement units and digital forensic investigators.

For criminal complaints, venue and jurisdiction should be carefully assessed because filing in the wrong place may delay the case.

XVII. Data Breaches and Leaked IDs

Many identity-theft cases begin with leaked IDs from employers, lenders, apps, recruitment agencies, schools, travel agencies, hotels, or photocopying establishments. A data breach does not automatically prove a particular person committed identity theft, but it may establish how the ID became available.

Organizations that store ID copies must implement reasonable and appropriate security measures. Poor storage practices, unrestricted employee access, unencrypted files, careless disposal, or sharing through unsecured channels can lead to liability.

XVIII. Preventive Measures

Individuals should:

  • Avoid sending ID copies unnecessarily;
  • Watermark ID copies with the purpose and date;
  • Cover nonessential details when allowed;
  • Avoid posting IDs online;
  • Use strong passwords and two-factor authentication;
  • Monitor accounts;
  • Report lost IDs quickly;
  • Keep records of where ID copies were submitted.

Businesses should:

  • Collect only necessary IDs;
  • Verify identity carefully;
  • Limit employee access;
  • Encrypt stored copies;
  • Set retention periods;
  • Delete unnecessary ID copies;
  • Train personnel;
  • Maintain breach-response procedures;
  • Comply with privacy notices and lawful processing requirements.

XIX. Sample Watermark for ID Copies

A useful precaution is to place a visible watermark on ID copies, such as:

“FOR [SPECIFIC PURPOSE] ONLY — SUBMITTED TO [ENTITY] — [DATE] — NOT VALID FOR LOANS, SIM REGISTRATION, OR OTHER TRANSACTIONS.”

This does not guarantee absolute protection, but it can deter misuse and help prove that the ID copy was intended only for a specific transaction.

XX. Conclusion

Identity theft using another person’s ID in the Philippines may trigger multiple laws at the same time. The conduct may be punished as computer-related identity theft, falsification, use of falsified documents, estafa, data privacy violation, access-device fraud, SIM registration fraud, financial-account fraud, or money laundering, depending on the facts.

The most important questions are: Was the ID used without authority? Was it altered or falsified? Was it used online? Was money, property, credit, or benefit obtained? Was personal data processed or disclosed? Did the victim suffer damage?

For victims, fast action is essential. They should preserve evidence, report the misuse, notify relevant institutions, request correction or suspension of fraudulent accounts, and consider criminal, civil, and data privacy remedies. For businesses, the lesson is equally clear: IDs are not mere attachments. They are sensitive identity documents, and mishandling them can create serious legal exposure.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login