Online Lending “Deposit and Code” Scam: Legal Steps and Reporting in the Philippines

1) What the “Deposit and Code” Scam Is

The “deposit and code” scam is a form of online lending fraud where a supposed lender (often operating through social media, messaging apps, SMS, or a fake lending app/website) promises quick approval and release of a loan—but requires the borrower to:

  1. Pay a “deposit” first (described as a processing fee, insurance, verification fee, membership fee, refundable deposit, activation fee, etc.), and then
  2. Provide a “code” (often an OTP, verification code, reference code, or “release code”) supposedly to “confirm” the loan release.

In reality, the scammer’s objective is to:

  • Get your money through repeated “deposits,” and/or
  • Use the “code” to steal more money, typically by authorizing an e-wallet/bank transaction, changing account credentials, linking devices, or confirming an unauthorized transfer.

2) How It Typically Works (Common Patterns)

A. The “Advance Fee” / Endless Deposit Loop

  1. You apply and get “approved” quickly.

  2. They demand a deposit before release.

  3. After you pay, they invent another requirement:

    • “Tax fee,” “insurance,” “anti-money laundering clearance,” “release fee,” “late fee,” “code activation,” etc.

  4. Payments continue until you stop; then threats, shaming, or harassment may follow.

B. The “OTP Capture” Variant (The “Code” Is the Theft)

The scammer triggers a real OTP event—like:

  • wallet cash-in/cash-out,
  • password reset,
  • device binding,
  • bank transfer confirmation,
  • linking your number/email to a new device.

They then pressure you: “Send the code so we can release the loan.” If you share it, you may unknowingly authorize a transfer or account takeover.

C. “Fake Disbursement” / Screen-Share / Remote Access

Some scammers ask you to:

  • install a remote access app,
  • screen share,
  • “verify” by logging in while they watch.

This can lead to credential theft, OTP interception, and unauthorized transfers.

D. Identity and Contact-List Exploitation (Sometimes Disguised as Lending)

Scammers may collect:

  • valid IDs, selfies, signatures,
  • contacts, photos, Facebook profile data,
  • phone permissions (SMS/contacts).

This can lead to impersonation, blackmail, doxxing, or debt-shaming tactics, even when no real loan exists.

3) Why It’s Illegal (Philippine Legal Framework)

Depending on the exact conduct, the scam may violate multiple laws:

A. Revised Penal Code (RPC): Fraud and Related Crimes

Estafa (Swindling) is the classic charge when someone defrauds another through deceit causing damage (e.g., you paid because you relied on false promises of a loan). Variants depend on how the deceit was carried out.

Other possible RPC offenses (fact-dependent):

  • Other deceits (where deception causes damage but may not fit a standard estafa mode neatly),
  • Theft (if money was taken without your valid consent—often argued in unauthorized transfer scenarios),
  • Falsification (if documents, IDs, or receipts were fabricated).

B. Cybercrime Prevention Act of 2012 (RA 10175)

When the fraud uses information and communications technologies (ICT), potential cybercrime charges may include:

  • Computer-related fraud (using a computer system to commit fraudulent acts),
  • Computer-related identity theft (misuse of identifying information),
  • Illegal access (unauthorized access to accounts/systems),
  • Computer-related forgery (fabricated electronic data/documents),
  • Aiding or abetting / attempt (where applicable).

RA 10175 is important because it addresses online modalities and can affect jurisdiction, evidence handling, and penalties.

C. Data Privacy Act of 2012 (RA 10173)

If the scam involves unlawful collection or misuse of personal data (IDs, selfies, contacts), or unauthorized access/leakage, potential violations include:

  • Unauthorized processing,
  • Access due to negligence / unauthorized access,
  • Malicious disclosure,
  • Improper disposal (in some cases),
  • Plus exposure to administrative proceedings before the National Privacy Commission (NPC).

D. Lending Company Regulation Act (RA 9474) and SEC Oversight

If the operation claims to be a lending company or financing company but is not properly authorized, or uses deceptive/abusive practices, it may implicate:

  • Operating without authority / misrepresentation,
  • Unfair collection tactics (where harassment/doxxing is involved),
  • SEC enforcement actions (cease-and-desist, revocation, penalties).

Even when the actor is a pure scammer (not a real lender), SEC reporting can help identify and shut down entities using lending as a cover.

E. Anti-Money Laundering Act (RA 9160, as amended)

Scam proceeds moving through banks/e-wallets often involve:

  • layering through multiple accounts,
  • money mules,
  • rapid cash-out.

While victims generally don’t file “AMLC cases” the way prosecutors file criminal cases, prompt reporting to banks/e-wallets and law enforcement increases the chances that suspicious flows are flagged and preserved.

F. E-Commerce Act (RA 8792) and Electronic Evidence

Electronic records, messages, and digital receipts can be recognized and used, subject to rules on admissibility and authenticity. This matters for building a case using screenshots, chat logs, transaction histories, emails, and platform data.

4) First Response: What to Do Immediately (Hours Matter)

Step 1: Stop the Bleeding

  • Do not send more deposits.
  • Do not share any “code” (OTP/verification codes are for you alone).
  • Cut off contact, but preserve the conversation first (see evidence below).

Step 2: Secure Your Accounts

If you shared a code, clicked links, installed apps, or screen-shared:

  • Change passwords for email, bank/e-wallet, and social media immediately.
  • Enable two-factor authentication where possible.
  • Log out of other sessions/devices.
  • Remove suspicious linked devices, recovery emails, or phone numbers.
  • Uninstall suspicious apps; scan device; consider a full reset if compromise is suspected.

Step 3: Report to Your Bank / E-Wallet Provider at Once

If money was transferred:

  • Use the provider’s fraud channels to report unauthorized transactions.
  • Ask if they can flag the recipient account, initiate an internal investigation, and preserve logs.
  • Provide: transaction reference numbers, timestamps, amounts, recipient details.

Even if funds can’t be reversed automatically, early reporting helps with tracing and preservation.

Step 4: Preserve Evidence Before It Disappears

Scammers delete chats, deactivate numbers, or vanish from social platforms. Capture evidence immediately.

5) Evidence Checklist (Build a Case-Ready File)

Create a folder (cloud + offline backup) and collect:

A. Identity and Contact Points of the Scammer

  • Phone numbers (SIM), emails
  • Social media accounts/pages
  • Messaging app usernames
  • App name, link, website URL
  • Any “agent” names, “company” name, claimed address

B. The “Loan Offer” and Deception

  • Screenshots of ads/posts
  • Loan terms they promised (amount, interest, release date)
  • Messages stating you were “approved”
  • Messages demanding deposits and reasons

C. The “Code” Requests

  • Screenshots showing they asked for OTP/verification code
  • The SMS/email that delivered the OTP (screenshot without revealing sensitive codes publicly; store securely)

D. Payment and Transaction Proof

  • Bank/e-wallet transfer receipts
  • Reference numbers, timestamps
  • Recipient name/number/account details
  • Any QR codes used
  • Statements or transaction history exports (PDF/CSV if available)

E. Device/Platform Evidence

  • Screenshots of the app (permissions requested, login screens)
  • Installation source (store link or APK source)
  • If remote access was used, note the app name and session details

F. Your Narrative Timeline

Write a simple timeline (date/time in PH time):

  1. first contact
  2. approval claim
  3. deposit demands
  4. payments made
  5. code request
  6. losses discovered
  7. reports made

This timeline becomes the backbone of your affidavit.

6) Where to Report in the Philippines (Practical Routing)

1) Law Enforcement (Cyber-Focused)

PNP Anti-Cybercrime Group (ACG) and/or NBI Cybercrime Division are primary entry points for online fraud complaints.

Bring:

  • affidavit/statement (even if initial),
  • IDs,
  • evidence folder (printed key screenshots + digital copy).

They can:

  • evaluate cybercrime angles,
  • assist with preservation requests and subpoenas,
  • coordinate with prosecutors for filing.

2) Local Police / Barangay (Documentation and Immediate Record)

If you need an official record quickly:

  • police blotter entry helps document the incident,
  • useful for bank/e-wallet disputes and formal complaints.

3) Prosecutor’s Office (Criminal Complaint Filing)

For cases like estafa and cyber-related fraud, the formal criminal process typically requires filing a complaint-affidavit with the Office of the City/Provincial Prosecutor (venue can depend on where elements occurred or where the victim was when the acts/effects happened).

A cybercrime case often benefits from:

  • law enforcement support for technical details,
  • stronger identification of suspects, accounts, and logs.

4) Securities and Exchange Commission (SEC)

Report if:

  • they claim to be a lending/financing company,
  • they use an online lending brand/app,
  • they harass/doxx,
  • they appear unregistered or deceptive.

SEC complaints can support broader enforcement and takedowns.

5) National Privacy Commission (NPC)

Report if:

  • they collected IDs/selfies/contacts without valid basis,
  • they threaten to message your contacts,
  • they actually leaked your data or engaged in “debt-shaming,”
  • they used your identity to scam others.

NPC processes can be administrative and can complement criminal complaints.

6) Platform Reports (Often Overlooked, Still Useful)

Report the account/page/number to:

  • Facebook/Instagram/TikTok,
  • messaging apps,
  • Google Play/App Store (if an app is involved),
  • telco spam/fraud channels.

This helps disrupt operations and can preserve metadata if acted on quickly.

7) How to File a Strong Complaint-Affidavit (Philippine Practice)

A clear affidavit beats a long one. Aim for:

A. Caption and Parties

  • You as complainant

  • Respondent: “John Doe/ Jane Doe” if unknown, plus identifiers:

    • phone numbers,
    • usernames,
    • wallet/bank recipient details,
    • alleged company name.

B. Statement of Facts (Chronological)

Include:

  • how you encountered the offer,
  • what they promised,
  • what they required (deposit + code),
  • why you believed them (deceit),
  • what you paid and how,
  • what happened after payment (no loan, more demands, theft via OTP, etc.),
  • total damage.

C. Attach Exhibits

Label exhibits:

  • Exhibit “A” – screenshots of approval claim
  • Exhibit “B” – demand for deposit
  • Exhibit “C” – proof of payment
  • Exhibit “D” – request for “code”
  • Exhibit “E” – OTP SMS/email (securely)
  • Exhibit “F” – account takeover/unauthorized transfer proof

D. Identify Offenses (Do Not Overcomplicate)

You can allege:

  • Estafa under the Revised Penal Code, and
  • applicable cybercrime offenses under RA 10175 (when ICT was used),
  • plus Data Privacy Act violations when personal data abuse is present.

Prosecutors determine the final charge; your job is to present facts and evidence.

E. Request for Preservation/Subpoena

Ask that the prosecutor/law enforcement:

  • subpoena banks/e-wallets for account holder/KYC info,
  • obtain platform records (where feasible),
  • preserve transaction logs and IP/device data.

8) Understanding Possible Criminal Charges (Fact-Dependent)

1) Estafa (Swindling)

Most “deposit-first loan release” schemes fit estafa because:

  • there is deceit (false promise of loan release),
  • the victim relies on it and pays,
  • damage occurs.

2) Computer-Related Fraud (RA 10175)

When the scam uses online systems to:

  • manipulate transactions,
  • induce OTP disclosure to authorize transfers,
  • misuse e-wallet/bank systems.

3) Computer-Related Identity Theft (RA 10175)

When:

  • your ID/selfie/personal data is used to open accounts, borrow, or scam others,
  • accounts are impersonated.

4) Illegal Access / Account Takeover (RA 10175)

When:

  • they gain unauthorized access to your wallet/bank/email/social accounts,
  • they reset passwords using captured codes.

5) Data Privacy Act Violations (RA 10173)

When:

  • personal data is collected or shared unlawfully,
  • contact lists are harvested and used to shame/harass,
  • data is disclosed maliciously.

9) Civil Remedies and Recovery Options

A. Civil Action for Damages / Restitution

In many criminal cases, the civil action for recovery of damages is commonly pursued alongside the criminal action (rules and strategy vary). Recovery may include:

  • return of money (actual damages),
  • consequential damages,
  • moral damages (in appropriate cases),
  • exemplary damages (in exceptional cases).

B. Small Claims (When Appropriate)

If the dispute is essentially a money claim against an identifiable defendant and fits the court’s small claims framework, it can be an option. However, scams often involve:

  • unknown identities,
  • multiple accounts,
  • cross-platform evidence needs,

which may make criminal/cybercrime routes more practical first.

C. Bank/E-Wallet Dispute and Fraud Claims

Outcomes depend on:

  • whether the transaction was authorized (e.g., you entered OTP yourself),
  • how quickly you reported,
  • provider policies and evidence.

Even when providers deny “refund,” official reports and subpoenas can still aid tracing and prosecution.

10) Special Situation: Harassment, Threats, and “Debt-Shaming”

Some scam operations pivot to intimidation:

  • threats to post your ID,
  • messages to your contacts,
  • accusations that you “owe” money,
  • edited photos, defamatory posts.

Potential legal angles:

  • Data Privacy Act (unlawful disclosure/processing),
  • Cybercrime provisions for offenses committed through ICT,
  • Grave threats / coercion (RPC, depending on wording and context),
  • Unjust vexation and related harassment concepts (fact-dependent),
  • Libel/cyber libel issues may arise when defamatory statements are published online (highly technical—facts and defenses matter).

Practical steps:

  • Preserve evidence of threats and posts,
  • Report to platform for takedown,
  • File with NPC when personal data is involved,
  • Include harassment facts in your cybercrime complaint.

11) How to Identify Legitimate Lenders (Preventive Legal/Practical Checks)

Red Flags (High Confidence Indicators of a Scam)

  • Requires advance deposit before releasing a loan.
  • Pressures you to send OTP/verification codes.
  • Uses urgency: “Release in 10 minutes—send code now.”
  • Refuses verifiable documentation, physical address, or verifiable registration.
  • Communicates only through disposable numbers/accounts.
  • Asks for remote access or screen sharing.
  • Requires you to “cash-in” to receive money (nonsensical).

Safer Practices

  • Verify the lender’s legitimacy through official registration records and regulatory status (SEC oversight is common for lending/financing companies).
  • Prefer established financial institutions or known licensed entities.
  • Never grant excessive app permissions (contacts/SMS) to a loan app.
  • Treat OTPs as signatures: whoever has the OTP can move your money.

12) A Practical “One-Page Action Plan” for Victims

  1. Stop paying. Stop sharing codes.

  2. Secure accounts: passwords, 2FA, logout sessions, remove linked devices.

  3. Report to bank/e-wallet immediately with references and screenshots.

  4. Preserve evidence: chats, receipts, URLs, profiles, timeline.

  5. File reports:

    • PNP ACG / NBI Cybercrime (core),
    • local police blotter (supporting),
    • SEC (if posed as lender/OLA),
    • NPC (if personal data abuse/harassment).

  6. Prepare affidavit-complaint with labeled exhibits and a clear timeline.

  7. Monitor accounts and identity: watch for SIM swap, new accounts, impersonation.

13) Common Questions (Philippine Context)

“I voluntarily sent the money. Can I still file a criminal case?”

Yes. Estafa centers on deceit that induced you to part with money. “Voluntary payment” does not excuse fraud.

“I gave the OTP. Does that mean I authorized the theft?”

It can complicate bank/e-wallet recovery, but it does not automatically eliminate criminal liability—especially if the OTP was obtained through deception and used to commit fraud or unauthorized access. Report quickly and preserve the proof that the OTP was solicited as a “loan release code.”

“I only chatted with them; I didn’t pay. Should I report?”

If you shared IDs, selfies, or contact lists—or they’re using a fake lending brand—reporting can still help prevent harm, especially through platform reporting and NPC/SEC channels when applicable.

“They’re threatening to message my contacts.”

Preserve the threats and report. Where personal data is involved, NPC reporting is particularly relevant, alongside cybercrime reporting.

14) Key Takeaways

  • The “deposit and code” scheme is typically fraud (estafa) plus potential cybercrime and data privacy violations.
  • The “code” is often an OTP used to steal funds or hijack accounts.
  • Fast action—account security + provider reporting + evidence preservation—improves recovery and prosecution chances.
  • In the Philippines, primary reporting routes are PNP ACG / NBI Cybercrime, with SEC and NPC as important parallel channels when the operation pretends to be a lender or abuses personal data.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login