Reporting Identity Theft and Unauthorized Use of ID in the Philippines

I. Introduction

Identity theft and unauthorized use of identification documents are increasingly common in the Philippines, especially with the growth of online banking, mobile wallets, digital lending apps, social media accounts, e-commerce platforms, SIM registration, and electronic government services. A person’s name, photograph, signature, address, birthdate, government-issued ID, tax identification number, PhilSys number, mobile number, email address, bank account details, or biometric data may be misused to commit fraud, obtain loans, open accounts, register SIM cards, access services, impersonate the victim, or damage the victim’s reputation.

In the Philippine legal context, identity theft is not limited to one single offense. It may involve violations of the Cybercrime Prevention Act, Data Privacy Act, Revised Penal Code, Access Devices Regulation Act, SIM Registration Act, banking and financial regulations, and rules on falsification, fraud, estafa, libel, unjust vexation, harassment, and unauthorized processing of personal information.

This article discusses what identity theft is, what laws may apply, where and how to report it, what evidence to preserve, what remedies may be available, and what practical steps a victim should take.


II. Meaning of Identity Theft and Unauthorized Use of ID

Identity theft generally refers to the unauthorized acquisition, possession, use, transfer, or exploitation of another person’s identifying information for an unlawful, fraudulent, or deceptive purpose.

Unauthorized use of ID may include:

  1. using another person’s government-issued ID without permission;
  2. submitting another person’s ID to open a bank, e-wallet, lending, or trading account;
  3. using another person’s photo, name, or signature to impersonate them;
  4. registering a SIM card using another person’s identity documents;
  5. applying for loans or credit using another person’s personal data;
  6. creating fake social media accounts using another person’s identity;
  7. using another person’s ID for employment, tenancy, travel, education, or government transactions;
  8. presenting a forged, altered, or stolen ID;
  9. using screenshots or photocopies of IDs obtained from online transactions;
  10. using someone’s personal information to access accounts, reset passwords, or bypass verification systems.

Identity theft may occur even if the victim’s physical ID was not stolen. A photograph, scanned copy, screenshot, photocopy, or digital record may be enough for an offender to misuse a person’s identity.


III. Relevant Philippine Laws

A. Cybercrime Prevention Act of 2012

The Cybercrime Prevention Act of 2012, or Republic Act No. 10175, is one of the most important laws for online identity theft. It expressly recognizes computer-related identity theft.

Computer-related identity theft generally involves the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person, whether natural or juridical, without right, through the use of information and communications technology.

This law may apply when identity theft is committed through:

  • fake online accounts;
  • hacked accounts;
  • phishing links;
  • fraudulent emails;
  • mobile apps;
  • online lending platforms;
  • e-wallets;
  • online banking;
  • social media impersonation;
  • digital document submission;
  • unauthorized access to databases;
  • use of stolen personal data online.

If the unauthorized use of identity involves computers, mobile phones, internet platforms, apps, online accounts, or electronic systems, the matter may fall under cybercrime jurisdiction.

Possible related cybercrime offenses include:

  • illegal access;
  • computer-related fraud;
  • computer-related forgery;
  • computer-related identity theft;
  • cyber libel, if defamatory content is posted;
  • misuse of devices;
  • data interference or system interference, if accounts or systems are tampered with.

Complaints involving online identity theft may be reported to cybercrime units of law enforcement agencies.


B. Data Privacy Act of 2012

The Data Privacy Act of 2012, or Republic Act No. 10173, protects personal information and sensitive personal information. Identity documents usually contain sensitive or protected personal data, such as full name, address, birthdate, photo, signature, government ID numbers, civil status, and sometimes health, financial, or biometric information.

The Data Privacy Act may apply when a person, company, platform, lender, employer, school, government office, or other entity improperly collects, uses, stores, shares, discloses, or processes personal information.

Possible violations may include:

  • unauthorized processing of personal information;
  • processing for unauthorized purposes;
  • improper disposal of personal data;
  • unauthorized disclosure;
  • malicious disclosure;
  • negligent handling of personal information;
  • concealment of security breaches involving sensitive personal information;
  • unauthorized access due to negligence;
  • failure to implement reasonable security measures.

For example, if a company collects IDs for verification but later leaks them, sells them, allows employees to misuse them, or fails to secure them, the victim may consider filing a complaint with the National Privacy Commission.

The Data Privacy Act is especially relevant where the issue concerns data handling by institutions, online platforms, apps, employers, businesses, schools, financial entities, or government offices.


C. Revised Penal Code

The Revised Penal Code may apply when the unauthorized use of identity involves fraud, falsification, deception, or damage to another person.

Relevant offenses may include:

1. Estafa

Estafa may be committed when the offender defrauds another person by abuse of confidence, deceit, false pretenses, fraudulent acts, or misrepresentation. If someone uses another person’s identity to obtain money, loans, goods, services, or credit, estafa may be involved.

Examples:

  • using another person’s ID to borrow money;
  • pretending to be the victim to solicit payments;
  • using a victim’s identity to deceive buyers or sellers;
  • applying for loans under another person’s name;
  • receiving money by impersonating another person.

2. Falsification of Public or Commercial Documents

If an offender falsifies, alters, fabricates, or misuses a public document, private document, or commercial document, falsification may be charged.

Government IDs, notarized documents, official records, employment documents, loan applications, bank forms, and SIM registration documents may be relevant.

Falsification may involve:

  • forging a signature;
  • altering a name, birthdate, photo, or ID number;
  • making it appear that a person participated in a transaction when they did not;
  • counterfeiting a document;
  • using a falsified document;
  • making false statements in a narration of facts in a document.

3. Use of Falsified Documents

Even if a person did not personally forge the document, knowingly using a falsified document may create criminal liability.

4. Usurpation of Name or Authority

The Revised Penal Code penalizes certain forms of using another name or pretending to have authority. Depending on the facts, impersonation may fall under this or related provisions.

5. Libel or Cyber Libel

If the offender uses the victim’s identity to post defamatory statements, create humiliating content, accuse the victim of crimes, or damage their reputation online, libel or cyber libel may be implicated.

6. Grave Coercion, Unjust Vexation, Threats, or Harassment

If identity misuse is accompanied by harassment, threats, blackmail, intimidation, or repeated unwanted communications, other offenses may be considered.


D. Access Devices Regulation Act

The Access Devices Regulation Act of 1998, or Republic Act No. 8484, may apply when identity theft involves credit cards, debit cards, ATM cards, account numbers, electronic serial numbers, personal identification numbers, access codes, or similar devices and account credentials.

This law is relevant when someone uses another person’s identity or information to:

  • obtain a credit card;
  • use another person’s card;
  • access bank accounts;
  • obtain goods or services using another person’s account;
  • use unauthorized account numbers;
  • commit financial fraud through access devices.

Identity theft often overlaps with access device fraud, especially in banking, e-wallet, online shopping, and credit card cases.


E. SIM Registration Act

The SIM Registration Act, Republic Act No. 11934, requires registration of SIM cards using valid identification and personal information. Unauthorized use of another person’s ID to register a SIM card may give rise to liability, especially if the SIM is later used for scams, fraud, harassment, threats, phishing, or other unlawful acts.

A victim who discovers that their identity was used to register an unknown SIM should immediately report the matter to:

  • the telecommunications provider;
  • the Philippine National Police Anti-Cybercrime Group;
  • the National Bureau of Investigation Cybercrime Division;
  • the National Telecommunications Commission, where appropriate.

The victim should request deactivation, investigation, and documentation confirming that the SIM was not registered or used by them.


F. Anti-Financial Account Scamming and Related Regulations

Identity theft may also be connected to financial account scams, mule accounts, unauthorized online banking access, e-wallet fraud, and digital payment schemes. Banks, e-money issuers, financing companies, lending companies, and financial institutions are subject to regulatory duties concerning know-your-customer procedures, fraud monitoring, consumer protection, and data protection.

Victims should report unauthorized financial accounts, transactions, or loans to the concerned bank, e-wallet provider, lending company, financing company, or credit bureau. They should also request blocking, account freezing, reversal review, fraud investigation, and written confirmation of the disputed account or transaction.


G. Special Laws on Government IDs and Public Documents

Depending on the ID involved, additional laws or administrative rules may apply. Misuse of the following documents may trigger specific agency procedures or penalties:

  • Philippine Identification System ID or PhilID;
  • passport;
  • driver’s license;
  • Social Security System ID;
  • GSIS ID;
  • PhilHealth ID;
  • Pag-IBIG ID;
  • voter’s ID or certification;
  • Professional Regulation Commission ID;
  • postal ID;
  • senior citizen ID;
  • person with disability ID;
  • student ID;
  • employment ID;
  • police clearance;
  • NBI clearance;
  • barangay certification.

A report should be filed with the issuing agency if the ID was lost, stolen, copied, forged, or misused.


IV. Common Forms of Identity Theft in the Philippines

A. Loan App Identity Misuse

One of the most common situations involves online lending apps or informal lenders. A victim may discover that a loan was taken out using their name, phone number, ID, contact list, or photo.

Sometimes the victim did not borrow money at all. In other cases, the victim may have merely submitted an ID for one transaction, after which the ID was reused.

Victims should document:

  • the lender’s name;
  • app name;
  • screenshots of demands;
  • loan reference numbers;
  • collection messages;
  • threats;
  • names and numbers of collectors;
  • proof that the victim did not receive the loan proceeds;
  • bank or e-wallet records;
  • ID copies submitted, if any.

Reports may be filed with law enforcement, the National Privacy Commission, the Securities and Exchange Commission for lending or financing companies, and the relevant app platform.


B. E-Wallet and Online Banking Fraud

Identity documents may be used to create or verify e-wallet accounts. Fraudsters may also take over existing accounts using stolen personal information.

Victims should immediately:

  • contact the e-wallet or bank;
  • request account freezing or restriction;
  • change passwords and PINs;
  • disable linked devices;
  • revoke unauthorized sessions;
  • dispute unauthorized transactions;
  • request transaction logs;
  • file a police or cybercrime report.

Time is critical because financial institutions may impose reporting periods for unauthorized transactions.


C. Fake Social Media Accounts

A fake account using another person’s name, face, or photos may be used for scams, harassment, defamation, romance fraud, or extortion.

The victim should:

  • preserve the profile URL;
  • take screenshots showing the profile, posts, messages, date, and time;
  • report the account to the platform;
  • avoid engaging unnecessarily with the impersonator;
  • inform friends or contacts;
  • file a cybercrime complaint if the account is used for fraud, threats, sexual exploitation, defamation, or harassment.

A simple fake account may be a platform violation, but if it is used to obtain money, damage reputation, threaten, blackmail, or commit fraud, criminal laws may apply.


D. Unauthorized SIM Registration

A person may discover that their ID was used to register SIM cards they do not own. This is serious because SIM cards are often used for scams, phishing, OTP interception, fake accounts, and fraudulent transactions.

The victim should contact the telco and ask for:

  • verification of SIMs registered under their identity;
  • deactivation of unauthorized SIMs;
  • a written incident report or reference number;
  • preservation of registration logs;
  • escalation to the fraud or legal department.

A law enforcement report should also be made.


E. Employment and Recruitment Scams

Some scammers collect IDs under the guise of job applications, online recruitment, modeling, part-time work, or overseas employment. The IDs may later be used for fraud.

Victims should be cautious when submitting IDs to unknown recruiters, especially if the recruiter asks for:

  • multiple IDs;
  • selfies holding IDs;
  • bank account information;
  • OTPs;
  • payment for processing;
  • copies of birth certificates;
  • signatures on blank forms.

If misuse occurs, reports may be made to law enforcement, the Department of Migrant Workers for overseas recruitment issues, the Department of Labor and Employment for labor-related concerns, and the National Privacy Commission for misuse of personal data.


F. Real Estate, Rental, and Marketplace Transactions

IDs are commonly exchanged in rental applications, meetups, online selling, vehicle rentals, courier transactions, and payment verification. Scammers may use a real person’s ID to appear trustworthy.

Victims whose IDs are used by scammers should preserve evidence showing that they did not participate in the transaction, such as:

  • conversations with complainants;
  • screenshots where the ID was sent;
  • fake profile links;
  • proof of location;
  • proof that the bank or e-wallet account was not theirs;
  • affidavit of denial;
  • prior reports of lost or compromised ID.

V. Where to Report Identity Theft in the Philippines

A. Philippine National Police Anti-Cybercrime Group

For online identity theft, fake accounts, phishing, e-wallet fraud, online scams, cyber libel, hacking, and digital impersonation, a complaint may be filed with the PNP Anti-Cybercrime Group or its regional cybercrime units.

The complainant should bring:

  • valid ID;
  • screenshots;
  • URLs and usernames;
  • transaction records;
  • messages;
  • email headers, if available;
  • bank or e-wallet reference numbers;
  • affidavits;
  • proof of ownership of the misused identity;
  • proof that the account, loan, transaction, or SIM was unauthorized.

The PNP may issue a police report, blotter, referral, or investigation record.


B. National Bureau of Investigation Cybercrime Division

The NBI Cybercrime Division also handles cybercrime complaints, including identity theft, online scams, hacking, phishing, cyber libel, and online impersonation.

Victims may submit evidence and execute a sworn complaint-affidavit. The NBI may conduct digital investigation, trace online activity where possible, issue subpoenas through proper processes, and refer cases for prosecution.


C. National Privacy Commission

The National Privacy Commission handles complaints involving violations of data privacy rights and misuse of personal information by personal information controllers or processors.

A complaint with the NPC may be appropriate when:

  • a company mishandled the victim’s ID;
  • a lender or app misused personal data;
  • personal data was disclosed without consent;
  • IDs were leaked or exposed;
  • a business failed to secure collected IDs;
  • an organization refuses to correct or delete unauthorized data;
  • sensitive personal information was processed unlawfully.

The NPC process generally focuses on data privacy accountability, compliance, investigation, and administrative remedies. Criminal prosecution may still be separate.


D. Banks, E-Wallets, Lending Companies, and Financial Institutions

If identity theft involves financial accounts or transactions, the first urgent report should be made to the concerned institution.

The victim should request:

  • immediate blocking or freezing;
  • fraud investigation;
  • transaction dispute;
  • written acknowledgment;
  • reference number;
  • copies of relevant account documents where legally available;
  • confirmation that the account or transaction is disputed;
  • correction of records;
  • removal of unauthorized debt under the victim’s name.

Financial institutions may require a notarized affidavit of denial, police report, valid ID, specimen signature, and transaction dispute form.


E. Credit Information Corporation and Credit Bureaus

If a fraudulent loan or credit account appears under the victim’s name, the victim should request correction or dispute of credit records. This may involve contacting the lender first, then disputing entries with the relevant credit reporting system.

The victim should preserve written proof that the debt is disputed and unauthorized.


F. Telecommunications Companies

For SIM-related identity misuse, the victim should report directly to the telco. The victim should request deactivation of unauthorized SIMs, investigation, and preservation of records.

The report should include:

  • victim’s full name;
  • ID used;
  • mobile numbers involved, if known;
  • proof that the SIM is not owned or used by the victim;
  • copy of police or cybercrime report, if available;
  • affidavit of denial, if requested.

G. Issuing Government Agencies

If a specific government ID is lost, stolen, copied, forged, or misused, the issuing agency should be informed. This helps establish a record that the document may be compromised.

Examples:

  • passport: Department of Foreign Affairs;
  • driver’s license: Land Transportation Office;
  • PhilID: Philippine Statistics Authority or PhilSys channels;
  • PRC ID: Professional Regulation Commission;
  • SSS, GSIS, PhilHealth, Pag-IBIG: respective agencies;
  • voter records: Commission on Elections;
  • senior citizen or PWD ID: local government unit.

H. Barangay and Police Blotter

A barangay blotter or police blotter may help establish an early record of the incident. While a blotter is not the same as a criminal conviction or full investigation, it can be useful for:

  • proving that the victim reported promptly;
  • supporting bank or platform disputes;
  • supporting affidavits;
  • documenting harassment or threats;
  • showing that an ID was lost or misused.

For serious identity theft, a blotter should not be the only action. It should be followed by reports to the relevant law enforcement, financial institution, platform, or regulator.


VI. Evidence to Preserve

Evidence is crucial. Victims should preserve original files whenever possible, not just screenshots. They should avoid deleting messages, emails, call logs, or account notifications.

Important evidence includes:

  1. screenshots of fake accounts, posts, messages, and profiles;
  2. URLs or profile links;
  3. phone numbers and email addresses used by the offender;
  4. transaction receipts;
  5. bank or e-wallet statements;
  6. loan reference numbers;
  7. collection notices;
  8. demand letters;
  9. emails and email headers;
  10. SMS logs;
  11. call logs;
  12. screenshots showing dates and times;
  13. copies of IDs misused;
  14. proof of ID loss or prior submission;
  15. proof of non-participation in the transaction;
  16. affidavit of denial;
  17. police report or blotter;
  18. correspondence with banks, telcos, platforms, or agencies;
  19. names of witnesses;
  20. device information, where relevant.

When preserving digital evidence, it is best to capture:

  • the full screen;
  • date and time;
  • account name;
  • URL;
  • sender details;
  • transaction reference;
  • the complete message thread, not only cropped images.

For websites or social media accounts, URLs are very important because usernames and display names can be changed.


VII. Immediate Steps for Victims

A person who discovers identity theft should act quickly.

Step 1: Secure Accounts

Change passwords for email, banking, e-wallets, social media, cloud storage, and government portals. Use strong, unique passwords and enable multi-factor authentication.

Step 2: Contact Banks and E-Wallets

Report unauthorized accounts or transactions immediately. Request freezing, investigation, and dispute handling.

Step 3: Report Fake Accounts

Report impersonation accounts to the platform, but preserve evidence first. Do not rely only on platform takedown.

Step 4: File a Police or Cybercrime Report

For online misuse, report to cybercrime authorities. For lost IDs, fraud, or document misuse, report to the police and relevant agency.

Step 5: Execute an Affidavit of Denial or Loss

An affidavit may be needed to dispute fraudulent loans, SIM registrations, accounts, or transactions.

Step 6: Notify the ID-Issuing Agency

If a government ID was compromised, report it to the issuing agency and request replacement or annotation where available.

Step 7: Monitor Credit and Financial Records

Check for unauthorized loans, accounts, or collection notices. Dispute inaccurate records promptly.

Step 8: Preserve All Communications

Do not delete threats, demands, messages, or emails. Save copies in secure storage.


VIII. Affidavit of Denial

An affidavit of denial is often required when a victim disputes an unauthorized account, loan, SIM registration, transaction, or document.

It usually states:

  • the victim’s identity;
  • that the victim did not apply for the account, loan, SIM, or transaction;
  • that the victim did not authorize anyone to use their ID;
  • when and how the victim discovered the misuse;
  • that the signature, photograph, account, phone number, email, or transaction is not theirs, if applicable;
  • that the victim is willing to cooperate with the investigation;
  • attached evidence.

The affidavit should be truthful, specific, and consistent with available evidence. False statements in a sworn affidavit may expose the affiant to criminal liability.


IX. Sample Affidavit of Denial

Republic of the Philippines
[City/Municipality]

AFFIDAVIT OF DENIAL

I, [Name], Filipino, of legal age, and residing at [Address], after being duly sworn, state:

  1. I am the owner of the personal information and identification documents bearing my name, photograph, and other personal details.

  2. I recently discovered that my name, personal information, and/or identification document were used in connection with [describe account, loan, SIM registration, transaction, fake account, or document].

  3. I categorically deny having applied for, opened, registered, authorized, signed, participated in, benefited from, or consented to the said [account/loan/SIM/transaction/document].

  4. I did not authorize any person to use my name, personal information, photograph, signature, or identification document for the said purpose.

  5. I did not receive any proceeds, goods, services, benefit, or consideration from the said transaction.

  6. I discovered the unauthorized use on or about [date] when [explain how discovered].

  7. I am executing this affidavit to attest to the truth of the foregoing, to deny the unauthorized transaction, to support my complaint or dispute, and for whatever lawful purpose it may serve.

IN WITNESS WHEREOF, I have signed this affidavit on [date] at [place].

[Signature]
[Name]

SUBSCRIBED AND SWORN to before me this [date], affiant exhibiting competent proof of identity: [ID details].


X. Sample Incident Report Outline

A written complaint or incident report should include:

Subject: Complaint for Identity Theft and Unauthorized Use of Identification

Complainant: Full name, address, contact number, email

Incident: Brief description of identity misuse

Date Discovered: Exact or approximate date

How Discovered: Collection notice, bank alert, fake account report, telco notice, message from third party, credit report, etc.

Information Misused: Name, ID, photo, signature, mobile number, email, address, account details

Suspect: Name, username, phone number, email, account, or “unknown,” if unidentified

Damage: Financial loss, fraudulent debt, reputational harm, harassment, account compromise, emotional distress

Actions Taken: Bank report, platform report, police blotter, password changes, account freezing

Evidence Attached: Screenshots, IDs, messages, receipts, statements, affidavit, URLs

Request: Investigation, preservation of records, blocking, correction of records, prosecution, or assistance


XI. Difference Between Civil, Criminal, Administrative, and Regulatory Remedies

Identity theft can give rise to several types of remedies.

A. Criminal Complaint

A criminal complaint seeks investigation and prosecution of the offender. It may involve cybercrime, estafa, falsification, fraud, libel, threats, or other offenses.

Filed with:

  • PNP;
  • NBI;
  • prosecutor’s office;
  • cybercrime units.

B. Civil Action

A civil action may seek damages for injury caused by the identity theft, such as financial loss, moral damages, reputational harm, or expenses incurred.

C. Administrative Complaint

An administrative complaint may be filed against a company, professional, public officer, or regulated entity that mishandled personal data or violated rules.

Examples:

  • complaint with the National Privacy Commission;
  • complaint with the Securities and Exchange Commission against abusive lending companies;
  • complaint with Bangko Sentral-regulated institutions through their consumer channels;
  • complaint with government agencies against public officers or improper ID handling.

D. Platform or Institutional Dispute

This is a non-court remedy directed to banks, e-wallets, telcos, apps, marketplaces, social media platforms, or lenders. It seeks account blocking, takedown, reversal, correction, or investigation.

These remedies may proceed separately. Filing a platform report does not necessarily replace a criminal complaint. Filing a police report does not automatically correct bank or credit records. Each affected institution may require direct notice.


XII. Liability of Companies That Mishandle IDs

Businesses and organizations that collect IDs have duties to protect personal data. They should collect only what is necessary, use it only for declared lawful purposes, store it securely, restrict employee access, dispose of it properly, and prevent unauthorized disclosure.

A company may face liability where:

  • it collects excessive ID copies without purpose;
  • it stores IDs in unsecured folders or shared drives;
  • employees misuse customer IDs;
  • IDs are leaked due to weak security;
  • IDs are sold or shared with third parties without authority;
  • the company refuses to correct inaccurate records;
  • the company ignores data subject rights;
  • the company conceals a breach;
  • the company fails to notify affected individuals or regulators when required.

Victims may invoke rights under the Data Privacy Act, including the rights to be informed, to access, to object, to erasure or blocking, to damages, to rectification, and to data portability, subject to legal limitations.


XIII. Rights of the Victim

A victim of identity theft may have the right to:

  1. file a criminal complaint;
  2. request investigation by law enforcement;
  3. dispute unauthorized financial transactions;
  4. request correction of inaccurate records;
  5. request blocking or deactivation of fraudulent accounts;
  6. demand takedown of fake accounts or infringing content;
  7. file a privacy complaint;
  8. request information from entities that processed their data;
  9. request preservation of records;
  10. seek damages where legally justified;
  11. be protected from harassment by collectors;
  12. deny fraudulent obligations through affidavit and documentary evidence.

The exact remedy depends on the facts and the institution involved.


XIV. Dealing with Debt Collectors

Identity theft victims sometimes receive collection messages for loans they did not obtain. Victims should not ignore the matter, but they should also not admit liability for a fraudulent debt.

A victim may respond in writing:

  • denying the loan;
  • requesting proof of application, signed documents, disbursement records, and KYC records;
  • stating that the identity was used without consent;
  • demanding suspension of collection while under investigation;
  • asking for deletion or correction of inaccurate records;
  • warning against harassment, public shaming, or contacting third parties;
  • attaching an affidavit of denial and a police report, when available.

Collectors should not harass, threaten, shame, or disclose debt information to unauthorized third parties. Abusive collection practices may be reported to regulators and law enforcement, depending on the circumstances.


XV. Unauthorized Use of ID by a Known Person

If the offender is known, such as a relative, former partner, co-worker, employee, tenant, landlord, recruiter, agent, or acquaintance, the same laws may apply. The fact that the offender personally knew the victim does not automatically make the act lawful.

Common known-person scenarios include:

  • a partner using the victim’s ID to borrow money;
  • a relative using an ID for a SIM or loan;
  • an employee copying customer IDs;
  • a landlord misusing tenant documents;
  • a recruiter using applicant IDs;
  • a co-worker using another person’s credentials;
  • a former partner creating fake accounts.

The victim should still preserve evidence and file the proper report. If the offender had prior lawful access to the ID, the key issue may be whether the later use exceeded consent or was for an unauthorized purpose.


XVI. Unauthorized Use of ID by a Business or App

Many identity theft cases begin when a victim submits an ID to a business, seller, app, lender, recruiter, or online platform. The submission of an ID for one legitimate purpose does not automatically authorize the recipient to use it for another purpose.

For example, submitting an ID to verify a delivery, rental, application, or purchase does not authorize the recipient to:

  • open a loan account;
  • register a SIM;
  • create a fake profile;
  • submit the ID to another company;
  • sell the ID;
  • store it indefinitely without reason;
  • use it for unrelated marketing;
  • disclose it publicly.

Consent under data privacy law must be specific, informed, and freely given. Even when consent exists, processing must still be lawful, fair, necessary, and proportional.


XVII. Lost or Stolen IDs

If an ID is lost or stolen, the owner should:

  1. file a police report or affidavit of loss;
  2. notify the issuing agency;
  3. request replacement, cancellation, or reissuance where applicable;
  4. monitor accounts and credit records;
  5. avoid posting the lost ID online;
  6. report suspicious transactions immediately;
  7. keep copies of the report and replacement request.

A prior affidavit of loss or police report can help show that later transactions using the ID were unauthorized.


XVIII. Preventive Measures

To reduce the risk of identity theft:

  • watermark ID copies with the purpose, date, and recipient;
  • avoid sending IDs through unsecured chats;
  • do not send selfies holding IDs unless necessary and legitimate;
  • verify the company or person requesting the ID;
  • avoid sharing OTPs, PINs, passwords, or security codes;
  • cover nonessential information when allowed;
  • use strong passwords and multi-factor authentication;
  • monitor bank, e-wallet, and credit records;
  • avoid posting IDs, tickets, certificates, or documents online;
  • transact only with verified businesses and platforms;
  • ask why the ID is needed and how it will be stored;
  • request deletion of ID copies when no longer necessary.

A useful watermark may state:

“For verification with [Company Name] only, submitted on [Date]. Not valid for loans, SIM registration, or other transactions.”

This does not guarantee protection, but it can deter misuse and help prove limited consent.


XIX. Special Considerations for PhilSys or National ID

The PhilSys ID and PhilSys Number are sensitive identifiers. Unauthorized collection, storage, disclosure, or use may raise privacy and security concerns.

A victim whose PhilID, ePhilID, PhilSys Number, or related data is misused should report to the relevant PhilSys or PSA channels, the institution involved, and law enforcement if fraud occurred.

Because national ID information may be used for identity verification across multiple systems, compromise should be treated seriously.


XX. When the Victim Is Wrongly Accused

Sometimes a victim of identity theft is accused of being the scammer because the offender used the victim’s ID. The victim should avoid panic and collect exculpatory evidence.

Helpful evidence may include:

  • proof that the phone number, email, bank account, or e-wallet used by the scammer is not the victim’s;
  • proof of location at the time of transaction;
  • proof that the victim previously lost or submitted the ID elsewhere;
  • conversations showing the victim was also surprised;
  • police report;
  • affidavit of denial;
  • platform records;
  • proof of account ownership or non-ownership;
  • NBI or PNP complaint acknowledgment.

The victim should cooperate with investigators but should avoid making speculative admissions or signing documents without understanding them.


XXI. Time Sensitivity

Identity theft should be reported promptly. Delays may make it harder to:

  • trace accounts;
  • preserve logs;
  • freeze funds;
  • reverse transactions;
  • identify IP addresses;
  • deactivate SIMs;
  • dispute loans;
  • correct credit records;
  • prevent further misuse.

Many platforms and institutions retain logs only for limited periods. Early reporting also helps show good faith and non-participation.


XXII. Practical Reporting Checklist

Before filing a report, prepare:

  • valid government ID;
  • affidavit of denial or affidavit of loss;
  • screenshots and URLs;
  • transaction records;
  • bank or e-wallet statements;
  • fake account links;
  • messages and call logs;
  • collection notices;
  • proof of unauthorized use;
  • list of affected institutions;
  • timeline of events;
  • names, numbers, emails, and usernames involved;
  • prior correspondence with banks, telcos, platforms, or agencies.

For online matters, printouts may be useful, but digital copies should also be preserved.


XXIII. Possible Legal Outcomes

Depending on the evidence, an identity theft complaint may result in:

  • takedown of fake accounts;
  • blocking of fraudulent accounts;
  • deactivation of unauthorized SIMs;
  • freezing of suspicious funds;
  • correction of records;
  • dismissal of fraudulent debt claims;
  • administrative sanctions against companies;
  • criminal charges against offenders;
  • civil claims for damages;
  • data privacy enforcement action;
  • settlement or restitution.

Not every complaint results in prosecution. Success depends on evidence, traceability, cooperation of institutions, availability of records, and proof of the offender’s identity and intent.


XXIV. Limits and Challenges in Identity Theft Cases

Identity theft cases can be difficult because offenders often use:

  • fake names;
  • prepaid SIMs;
  • mule accounts;
  • public Wi-Fi;
  • VPNs;
  • stolen devices;
  • fake addresses;
  • dummy social media profiles;
  • compromised accounts;
  • overseas platforms.

However, victims should still report. Even if the offender is not immediately identified, reports help establish the victim’s denial, protect against future liability, trigger account restrictions, and support correction of records.


XXV. Legal and Practical Importance of Early Documentation

The victim’s strongest protection is a clear paper trail. A person who reports promptly, preserves evidence, sends written disputes, and obtains acknowledgment from institutions is in a better position to deny liability and prove unauthorized use.

A proper documentation trail may include:

  1. incident discovery notes;
  2. screenshots and digital evidence;
  3. police or cybercrime report;
  4. affidavit of denial;
  5. written notice to bank, telco, lender, or platform;
  6. complaint reference numbers;
  7. regulator complaint, if necessary;
  8. follow-up letters;
  9. proof of account freezing, takedown, or correction.

The goal is not only to punish the offender but also to prevent the victim’s name from being connected to fraudulent accounts, debts, scams, or criminal activity.


XXVI. Conclusion

Identity theft and unauthorized use of ID in the Philippines may involve cybercrime, fraud, falsification, data privacy violations, financial account misuse, SIM registration abuse, and reputational harm. The correct response depends on how the identity was misused, whether the act occurred online, whether money or documents were involved, and which institution processed or accepted the victim’s information.

A victim should act quickly by securing accounts, preserving evidence, notifying affected institutions, filing appropriate reports, executing an affidavit of denial when needed, and pursuing correction of records. Reports may be made to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, National Privacy Commission, banks, e-wallet providers, telcos, credit reporting entities, issuing government agencies, and other regulators depending on the facts.

Identity theft is both a legal and practical emergency. Prompt reporting, careful documentation, and consistent denial of unauthorized transactions are essential to protect the victim from financial loss, reputational damage, and wrongful liability.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.