Online Scam Website Report Procedure in the Philippines
A comprehensive legal-practice guide (updated to 1 May 2025)


1. Introduction

Online shopping, investment offers, and digital payments surged during—and after—the COVID-19 pandemic. With them came a parallel rise in fraudulent or “scam” websites. Philippine law already prohibits deceit (estafa) under the Revised Penal Code, but today most fraud is carried out “with the use of information and communications technology,” converting a 1930-era crime into cyber-estafa with heavier penalties. The question every practitioner and consumer asks is no longer “Is it illegal?” but “Where and how do I report it, and what happens next?”


2. Governing Laws & Rules

| Short title | Key sections relevant to online-scam reporting | Salient points |
|---|---|---|
| Electronic Commerce Act of 2000 (RA 8792) | §29–34; §35 notice-and-takedown | Recognises electronic documents & signatures; Service providers must preserve “traffic data” for at least 90 days (extended by lawful order) and respond to valid law-enforcement requests. |
| Cybercrime Prevention Act of 2012 (RA 10175) | §4(b)(2) Computer-related fraud; §5, 6, 7; §13-15 Cybercrime warrants | Introduces cyber-estafa; authorises warrants to disclose, intercept, search, seize or examine computer data. |
| Revised Penal Code (Act 3815) | Art. 315 Estafa, as modified by RA 10175 §6 | Fraud committed through ICT is punished one degree higher. |
| Consumer Act of 1992 (RA 7394) & DTI E-Commerce MOs | Title III, IV; DTI Department AO 10-2, 20-22 | Administrative complaints for deceptive sales/advertising; DTI Fair-Trade Enforcement Bureau (FTEB) has nationwide e-commerce jurisdiction. |
| Access Devices Regulation Act (RA 8484) | §9 credit-card & payment-app fraud | Common when scams obtain card or e-wallet credentials. |
| Data Privacy Act (RA 10173) | §16–22, §25 | Complaints where personal data were misused or leaked. |
| Financial Products and Services Consumer Protection Act (RA 11765, 2022) | §8–10 | BSP, SEC, IC ∙ victim redress for fintech and investment scams. |
| Internet Transactions Act (RA 11967, 2023) | Ch. IV E-Commerce Bureau, Online Dispute Resolution | Not yet fully operational (IRR expected mid-2025) but will centralise reporting via e-Commerce Bureau portal. |
| Rules on Cybercrime Warrants (A.M. No. 17-11-21-SC, eff. 2019) | WCD, WTD, WSSECD, WID | Prescribes procedure for law-enforcement evidence acquisition. |

International cooperation. The Philippines ratified the Budapest Convention on Cybercrime (in force 1 July 2018), enabling MLA requests for servers or perpetrators located abroad.


3. Competent Philippine Authorities

| Primary agency | Typical jurisdiction | How to file (2025) |
|---|---|---|
| NBI Cybercrime Division (CCD) | Complex fraud, multi-victim cases, or preservation of foreign-hosted data | Walk-in (Taft Ave HQ or regional CCD), e-Complaint Portal, or email ccd@nbi.gov.ph. |
| PNP Anti-Cybercrime Group (ACG) | Urgent “hot pursuit,” phishing, social-media fraud, SIM-swap, cyber-sextortion | i-Report portal, 24/7 hotline (+63 2 8414 1560), FB page “PNP ACG” (acceptable as initial blotter). |
| DICT – Cybercrime Investigation & Coordinating Center (CICC) | Central 1326 Hotline (“Cybersecurity Complaint Center”); coordinates domain blocking with NTC | Dial 1326 (toll-free PLDT/Smart/Globe), SMS or Viber, or webform cicc.gov.ph/report. |
| DTI Fair-Trade Enforcement Bureau (FTEB) | Consumer scams (non-delivery, counterfeit, price switch) ≤ ₱5 million | bit.ly/DTIComplaints or e-Complaint OADR portal; mediation within 10 days. |
| SEC Enforcement & Investor Protection Dept. (EIPD) | Investment-type scams, unregistered securities, forex/crypto pyramids | Email epd@sec.gov.ph or sec.gov.ph/investor-complaints; may issue immediate CDO and website blocking request. |
| BSP Financial Consumer Protection Dept. | Online banking & e-wallet fraud (GCash, Maya, etc.) | consumeraffairs@bsp.gov.ph; mandatory response by provider within 7 days. |
| National Privacy Commission (NPC) | Phishing sites impersonating legitimate companies; data breaches | www.privacy.gov.ph/complaint; online form then sworn complaint-affidavit. |
| National Telecommunications Commission (NTC) | Orders ISPs to block scam domains/IPs under Mem. Circ. 15-2023 | Law-enforcement endorsement required; blocking within 48 h from receipt. |

4. Evidence & Documentary Requirements

  1. Preservation is Priority.
    Immediately take full-screen screenshots (include URL bar, date-time overlay, and any transaction reference numbers).

  2. Export raw data—chat logs (HTML/TXT), e-mail headers, WHOIS records, domain-registration invoices, courier tracking pages, payment confirmations (PDF or print-to-file).

  3. Hash-value verification. Under the Rules on Electronic Evidence, attaching an SHA-256 hash of each file plus date of last access strengthens authenticity.

  4. Affidavit of Complaint. Must be notarised (or consularised if executed abroad) and should:

    • Identify parties (including any aliases, URLs, or registered business names).
    • Narrate acts constituting fraud with dates in chronological order.
    • Cite violated provisions (e.g., RA 10175 §4(b)(2), Art. 315 RPC, RA 8792 §33).
    • State reliefs sought (criminal prosecution, blocking, asset freeze, restitution).
  5. Certification Against Forum Shopping (if you simultaneously file a civil action for damages).

  6. Other Proofs: delivery receipts, SMS from courier, phone-recording transcripts (authenticated under Rule on Cybercrime Warrants if recorded surreptitiously).


5. Step-by-Step Reporting Workflow

Stage 1 – Immediate, Self-Help

| Action | Why | How |
|---|---|---|
| 1 ▷ Collect & secure evidence | Domains disappear quickly. | Use offline storage or cloud drive with version history. |
| 2 ▷ Notify the platform/host | Many scams run on marketplaces or shared hosting. Platforms often take down within 24 h of a detailed report. | “Report seller” button, e-mail abuse@, or ICANN registrar abuse contact. |
| 3 ▷ Freeze the payment trail | Banks/e-wallets can flag the recipient account under RA 11449 (anti-mule accounts) while investigation is pending. | Call customer-service hotline and request Transaction Dispute reference number. |

Stage 2 – File the Official Complaint

  1. Choose the proper venue. For example, investment scam → SEC plus NBI; counterfeit goods → DTI; credit-card skimming → BSP & PNP-ACG.
  2. Submit the notarised affidavit with USB or cloud link containing digital evidence. Many agencies now accept electronic affidavits with qualified electronic signatures (QES) per DICT Circular 10-2022.
  3. Receive a control/blotter number; keep it for follow-up and to support asset-freeze requests with AMLC.

Stage 3 – Investigation & Preservation

  • Law-enforcement request for a WTD (Warrant to Disclose Computer Data) to obtain subscriber info from ISPs or social-media companies.
  • WSS/WID (search/seizure or interception) when the suspect’s devices are located in the Philippines.
  • NTC website blocking issued upon NBI/PNP or SEC endorsement; service providers must comply within 48 h or face ₱200,000/day administrative fines (MC 15-2023).

Stage 4 – Prosecution & Remedies

  • DOJ-Office of Cybercrime reviews the case file; fiscal conducts inquest (if suspect arrested) or pre-trial investigation.
  • Information filed in RTC Cybercrime Special Court; estafa values determine penalty range.
  • Civil action for restitution may be joined with the criminal case, or pursued in Small Claims Court (≤ ₱400,000, per OCA Cir. 103-2022).
  • Administrative Mediation before DTI or SEC may result in refund even while criminal case is pending.

6. Special & Sector-Specific Procedures

| Scenario | Additional step |
|---|---|
| Crypto-asset or foreign-exchange Ponzi | File Investor Complaint Form with SEC-EIPD; SEC can issue Freeze Order with AMLC and request NTC blocking of promo pages. |
| Data-breach-based scam (phishing using leaked info) | Parallel complaint with NPC; NPC may order company to notify all affected customers within 72 h and impose up to ₱5 million fines. |
| Cross-border hosting (server outside PH) | NBI/DOJ sends MLA request under Budapest Convention Art. 35 “24/7 Points of Contact.” |
| Government phishing site | Report to DICT-NCIRT via 1326; DICT can invoke §15 RA 10175 to immediately block absent court order where compromising critical infrastructure. |

7. Time Limits & Prescription

  • Cyber-estafa: 15 years (Art. 90 RPC, penalty > 6 years).
  • Administrative consumer complaint (DTI): Must be filed within 10 days of discovering the violation for perishable goods, otherwise 2 years for durable goods/services.
  • Investment solicitation without SEC registration: imprescriptible while the fraudulent solicitation continues.

8. Role of Private-Sector Intermediaries

  1. ISPs & social-media platforms must:

    • Retain traffic data 6 months (RA 10175 §20).
    • Obey cybercrime warrants within 72 hours.
    • Implement an accessible reporting mechanism (RA 11967 Ch. VI once IRR in force).
  2. Banks & E-wallets (BSP-regulated VASPs) must adopt real-time fraud monitoring and, upon written request from enforcement, place a 72-hour hold on suspected proceeds of crime.

  3. Domain Registrars—ICANN Registrar Accreditation Agreement Art. 3.18 requires a dedicated 24/7 abuse contact and timely response (<24 h) to law-enforcement.


9. Template Complaint-Affidavit Outline

  1. Heading & Title (“Affidavit-Complaint for Violation of RA 10175 §4(b)(2) in relation to Art. 315 RPC”)
  2. Personal circumstances of affiant.
  3. Jurisdictional paragraph (where offense committed / accessed).
  4. Statement of facts (numbered paragraphs).
  5. Applicable laws violated.
  6. Evidence list (Annex “A” to “G”).
  7. Prayer—for prosecution, blocking, asset freeze, restitution.
  8. Verification and Certification of Non-Forum Shopping.
  9. Signature & Jurat.

(Practitioners often append a hash manifest—a table showing filenames, SHA-256 hashes, and file sizes—to comply with Rule 5, Sec. 2 Rules on Electronic Evidence.)
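
One way to produce the hash manifest described above (and the SHA-256 hashes called for in Section 4), and to re-check it before filing. This is an added example, not part of the original guide; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large screen recordings need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(evidence_dir: Path) -> list[dict]:
    """One row per file: relative name, SHA-256 hash, size in bytes."""
    rows = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rows.append({
            "file": path.relative_to(evidence_dir).as_posix(),
            "sha256": sha256_file(path),
            "bytes": path.stat().st_size,
        })
    return rows

def verify_manifest(evidence_dir: Path, manifest: list[dict]) -> dict:
    """Re-hash the folder and report files altered, missing or added since the manifest."""
    current = {r["file"]: r["sha256"] for r in build_manifest(evidence_dir)}
    recorded = {r["file"]: r["sha256"] for r in manifest}
    return {
        "altered": sorted(f for f in recorded if f in current and current[f] != recorded[f]),
        "missing": sorted(f for f in recorded if f not in current),
        "unlisted": sorted(f for f in current if f not in recorded),
    }

def demo() -> tuple[list[dict], dict]:
    """Constructed evidence folder: hash it, alter one file, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "annex_a_chat_export.txt").write_bytes(b"seller: pay first, ship later\n")
        (root / "annex_b_payment_receipt.txt").write_bytes(b"ref 0000-CONSTRUCTED amount 1500.00\n")
        manifest = build_manifest(root)
        # Simulate a file being edited after the manifest was taken.
        (root / "annex_a_chat_export.txt").write_bytes(b"seller: edited afterwards\n")
        return manifest, verify_manifest(root, manifest)

if __name__ == "__main__":
    manifest, report = demo()
    print(*manifest, report, sep="\n")
```

Build the manifest immediately after collecting the files and work only on copies afterwards; an empty report from `verify_manifest` at filing time shows the annexed files are byte-identical to what was collected.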


10. Consumer-Level Preventive Tips (Brief)

  • Always check a merchant’s DTI Business Name or SEC company registration via bnrs.dti.gov.ph or sec.gov.ph/verify.
  • For investments, demand the SEC Secondary Licence (e.g., Broker-Dealer, Lending Co., Crowd-Funding Portal).
  • Pay with instruments that offer dispute resolution (credit card, escrow, e-wallet “buyer protect”).
  • Use DICT’s cybersafe.gov.ph guides and subscribe to CICC alerts via Viber channel “CyberSafePH”.

11. Conclusion

The Philippine regime against online scams is no longer a single statute but a lattice of criminal, civil, and administrative remedies bolstered by the Cybercrime Prevention Act and steadily evolving sector-specific rules. Effective redress still starts with quick evidence preservation and proper routing of the complaint to the specialised agency that can (i) investigate, (ii) freeze assets, and (iii) block the malicious website. While the forthcoming Internet Transactions Act promises a “one-stop e-Commerce Bureau,” today a vigilant complainant—or counsel—must still steer the case through multiple fora. Done correctly, the procedure can lead not only to criminal conviction but full restitution and permanent removal of the scam site from Philippine cyberspace.


This material is for informational purposes and does not constitute legal advice. Where specific action is contemplated, consult Philippine counsel or the relevant government office.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.