Step-by-Step Guide on How to Report Identity Theft and Fraud

I. Introduction

Identity theft and fraud are no longer limited to stolen wallets, forged signatures, or falsified documents. In the Philippines, these offenses commonly occur through online banking takeovers, SIM-related scams, phishing links, fake loan accounts, unauthorized e-wallet transfers, misuse of government IDs, fake social media profiles, hacked email accounts, fraudulent online purchases, bogus investment solicitations, and impersonation through messaging apps.

A victim may suffer financial loss, damaged credit standing, reputational harm, harassment by collectors, exposure of private information, or even false association with criminal activity. For this reason, reporting identity theft and fraud should not be treated merely as a customer-service matter. It should be handled as a legal, evidentiary, financial, and data-protection issue.

This article explains the Philippine legal framework, the agencies involved, and the practical steps a victim should take to report, document, and pursue remedies for identity theft and fraud.

II. What Is Identity Theft?

Identity theft generally refers to the unauthorized acquisition, possession, use, misuse, transfer, alteration, or deletion of identifying information belonging to another person. In everyday terms, it happens when another person uses your name, ID, image, signature, phone number, account credentials, biometrics, financial details, or other personal information without authority.

In the cybercrime context, identity theft may involve the use of computers, mobile devices, online platforms, digital wallets, social media accounts, email, or electronic communications. The offense becomes especially serious when the stolen identity is used to obtain money, open accounts, borrow funds, deceive others, bypass verification, or commit another crime.

Examples include:

  1. A scammer uses your government ID to open an e-wallet account.
  2. Someone hacks your email and uses it to reset your bank passwords.
  3. A fraudster uses your name and selfie to apply for an online loan.
  4. A person creates a fake Facebook account using your photos and solicits money from your contacts.
  5. A stranger registers a SIM, account, or service using your personal details.
  6. A phishing site captures your username, password, OTP, or card details.
  7. Someone uses your credit card, debit card, bank account, or e-wallet without permission.
  8. A person impersonates you in business, employment, dating, lending, or government transactions.

III. What Is Fraud?

Fraud is the use of deception, false representation, concealment, manipulation, or abuse of confidence to obtain money, property, services, data, or advantage. In the Philippine setting, fraud may fall under several laws depending on the facts.

Fraud may be committed through traditional means, such as forged documents or face-to-face misrepresentation, or through digital means, such as phishing, online marketplace scams, fake investment platforms, hacked accounts, unauthorized fund transfers, romance scams, job scams, or business-email compromise.

Fraud and identity theft often overlap. Identity theft may be the method, while fraud may be the result. For example, when a scammer uses a stolen ID to borrow money from a lending app, the identity theft enables the fraudulent loan.

IV. Relevant Philippine Laws

A. Cybercrime Prevention Act of 2012

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, is one of the primary laws applicable to online identity theft and cyber fraud. It penalizes certain offenses committed through information and communications technology, including computer-related identity theft and computer-related fraud.

Computer-related identity theft generally involves the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person, whether natural or juridical, without right.

Computer-related fraud may include the unauthorized input, alteration, or deletion of computer data or interference with computer systems, resulting in damage or economic loss.

B. Data Privacy Act of 2012

Republic Act No. 10173, or the Data Privacy Act of 2012, protects personal information and sensitive personal information. It applies when personal data has been misused, improperly processed, maliciously disclosed, accessed without authority, or exposed through a personal data breach.

A victim of identity theft may invoke data privacy rights when a company, platform, employer, school, financial institution, online lender, telecom provider, merchant, or other personal information controller mishandled personal data or failed to protect it.

Relevant rights may include the right to be informed, right to access, right to object, right to rectification, right to erasure or blocking, right to damages, and right to file a complaint with the National Privacy Commission.

C. Access Devices Regulation Act

Republic Act No. 8484, as amended, regulates access devices such as credit cards, debit cards, account numbers, and other means of account access. It may apply to credit card fraud, debit card fraud, unauthorized account use, counterfeit access devices, or possession and trafficking of access-device information.

D. Financial Products and Services Consumer Protection Act

Republic Act No. 11765 strengthens the protection of financial consumers. It is relevant when the victim’s bank, e-wallet provider, remittance company, lender, payment platform, insurer, or other financial service provider is involved.

A financial consumer may file a complaint with the financial institution first, and if unresolved, elevate the matter to the appropriate regulator such as the Bangko Sentral ng Pilipinas, Securities and Exchange Commission, Insurance Commission, or Cooperative Development Authority, depending on the institution involved.

E. Anti-Financial Account Scamming Act

Republic Act No. 12010, the Anti-Financial Account Scamming Act, addresses the use of financial accounts in fraudulent activities. It is especially relevant to money-mule accounts, unauthorized transfers, phishing, social engineering, and schemes involving banks, e-wallets, payment accounts, or other financial accounts.

F. Revised Penal Code

The Revised Penal Code may apply when the conduct involves estafa, falsification, use of falsified documents, unjust vexation, threats, coercion, libel, or other traditional crimes. Not every identity theft case is purely cybercrime. If false documents, forged signatures, or personal misrepresentations are involved, ordinary criminal law may also apply.

G. Special Laws on Lending, Investment, Telecoms, and Consumer Protection

Depending on the facts, other laws may be relevant, including rules on online lending, securities regulation, SIM registration, consumer protection, electronic commerce, and banking regulations. For example, fake investment schemes may involve securities law; unauthorized use of a SIM or phone number may involve telecom-related rules; and abusive collection following identity-based loan fraud may involve rules on lending and data privacy.

V. Immediate Steps After Discovering Identity Theft or Fraud

Step 1: Stay calm and secure your accounts immediately

The first priority is to stop further loss. Change passwords for affected accounts, especially email, banking, e-wallet, social media, cloud storage, and shopping accounts. Use strong, unique passwords and avoid reusing old passwords.

Enable multi-factor authentication. If possible, use an authenticator app or hardware security key instead of SMS-based OTP. Log out all active sessions. Revoke access from suspicious devices and third-party apps.

If your mobile number may have been compromised, contact your telecom provider immediately. Ask about SIM replacement, SIM-swap protection, account notes, and blocking of unauthorized changes.

Step 2: Contact the financial institution or platform

If money was taken, or if an account was opened or used in your name, immediately notify the relevant bank, e-wallet provider, credit card issuer, online lender, marketplace, payment gateway, remittance center, or platform.

Ask for:

  1. Immediate blocking, freezing, or suspension of affected accounts.
  2. Reversal, chargeback, hold, or dispute process.
  3. Incident or reference number.
  4. Transaction details, if legally available.
  5. Written acknowledgment of your report.
  6. Preservation of logs, IP addresses, device data, account history, CCTV, KYC records, and transaction records.
  7. Escalation to the fraud, legal, compliance, or data protection office.

For banks and BSP-supervised financial institutions, use the institution’s official fraud hotline or in-app complaint channel. Time is critical because fund transfers may become harder to trace or recover after they pass through multiple accounts.

Step 3: Preserve all evidence

Evidence must be preserved before accounts are deleted, posts are removed, messages disappear, or websites go offline. Do not rely on memory alone.

Collect and save:

  1. Screenshots of fraudulent accounts, posts, messages, emails, chats, transaction pages, sender details, URLs, QR codes, account names, bank or e-wallet numbers, and timestamps.
  2. Copies of phishing emails, SMS messages, links, and headers where available.
  3. Transaction receipts, bank statements, e-wallet histories, credit card statements, and loan records.
  4. Copies of IDs that may have been compromised.
  5. Demand letters, collection messages, or notices from lenders.
  6. Proof that you did not authorize the transaction.
  7. Police blotter, affidavits, complaint acknowledgments, and reference numbers.
  8. Names, contact numbers, usernames, account handles, email addresses, and phone numbers used by the suspect.
  9. Device information, IP logs, login alerts, and security notices.
  10. Communication with banks, platforms, telcos, merchants, or agencies.

For online evidence, take full-page screenshots showing the date and time. Save the original files when possible. Do not edit screenshots except to redact copies for public sharing. Keep unredacted originals for authorities.

Step 4: Prepare a written chronology

A clear timeline helps investigators, banks, regulators, and lawyers understand the case. Write a chronological statement containing:

  1. When you discovered the incident.
  2. What account, identity document, number, or information was misused.
  3. How you discovered the fraud.
  4. What losses occurred.
  5. What transactions were unauthorized.
  6. What institutions or platforms were involved.
  7. What steps you already took.
  8. Who you contacted and when.
  9. What reference numbers were given.
  10. What relief you are requesting.

The chronology should be factual, concise, and supported by attachments.

Step 5: Execute an affidavit of complaint

For formal criminal complaints, an affidavit is usually required. The affidavit should state the facts based on personal knowledge, identify the offense as far as known, list the evidence, and request investigation and prosecution.

The affidavit should generally include:

  1. Your full name, address, contact details, and identification.
  2. A statement that you are the complainant and victim.
  3. A narrative of the incident.
  4. Description of the stolen or misused identity information.
  5. Description of the fraudulent acts.
  6. Amount of financial loss, if any.
  7. Names or identifiers of suspects, if known.
  8. Platforms, bank accounts, phone numbers, emails, or URLs involved.
  9. Attachments supporting the complaint.
  10. A request for investigation, preservation of evidence, and prosecution.

The affidavit should be signed and notarized when required.

VI. Where to Report Identity Theft and Fraud in the Philippines

A. Report to the bank, e-wallet, credit card issuer, or financial service provider

When the incident involves unauthorized transfers, account takeover, credit card charges, e-wallet withdrawals, online loans, or financial-account misuse, report first to the financial service provider. This is important because the institution can block accounts, preserve transaction data, initiate disputes, and coordinate with other institutions.

Ask for a formal complaint reference number. Submit your evidence in writing. Keep copies of all correspondence.

If the provider does not act, delays action, or gives an unsatisfactory response, escalate to the appropriate regulator.

B. Report to the Bangko Sentral ng Pilipinas

The Bangko Sentral ng Pilipinas handles consumer complaints involving BSP-supervised financial institutions, such as banks, e-money issuers, money service businesses, and other covered entities. A complaint to the BSP is usually appropriate when the issue concerns unauthorized transactions, poor fraud response, failure to assist, failure to provide information, or unresolved financial consumer complaints.

Before filing with the BSP, the victim should generally first file a complaint with the financial institution and allow it to act through its consumer assistance mechanism. If unresolved, the complaint may be elevated to the BSP with supporting documents.

C. Report to the National Privacy Commission

The National Privacy Commission is relevant when the identity theft involves misuse, unauthorized processing, improper disclosure, breach, or mishandling of personal data.

File with the NPC when:

  1. A company exposed your personal data.
  2. A platform refused to correct or delete fraudulent personal information.
  3. Your ID, selfie, account data, or sensitive information was misused.
  4. An online lender used your contacts or personal data unlawfully.
  5. A personal information controller ignored your data privacy rights.
  6. Your data was breached and used for identity theft.
  7. You suffered harm due to negligent or unlawful handling of personal information.

A formal NPC complaint typically requires a prescribed complaint form, supporting documents, and notarization. The complaint should clearly identify the personal information controller or processor involved and the specific data privacy violation.

D. Report to the PNP Anti-Cybercrime Group

The Philippine National Police Anti-Cybercrime Group investigates cybercrime and cyber-related offenses. A report to the PNP ACG is appropriate when the offense involves hacking, phishing, fake accounts, online impersonation, unauthorized access, online fraud, cyber extortion, cyber libel connected to impersonation, or digital evidence.

Victims may file a complaint with the PNP ACG or its appropriate cybercrime units. Bring printed and digital copies of evidence, valid IDs, affidavit, and transaction records.

E. Report to the NBI Cybercrime Division

The National Bureau of Investigation Cybercrime Division also handles cybercrime complaints. It is appropriate for serious, complex, or multi-jurisdictional identity theft and fraud cases, including hacking, online scams, phishing, account takeovers, use of fake identities, and coordinated fraud schemes.

A complainant should prepare an affidavit, evidence folder, screenshots, transaction records, device information, and any known suspect identifiers.

F. Report to the Department of Justice Office of Cybercrime

The DOJ Office of Cybercrime is the central authority on cybercrime-related matters, including coordination and international assistance. While individual investigations are often handled by law enforcement agencies such as the PNP or NBI, the DOJ Office of Cybercrime is relevant for cybercrime policy, coordination, and certain reporting or referral functions.

G. Report to the Securities and Exchange Commission

If the fraud involves fake investments, unauthorized solicitation, bogus trading platforms, Ponzi schemes, investment contracts, crypto-style investment solicitations, or impersonation of registered corporations, the matter may be reported to the Securities and Exchange Commission.

The SEC is especially relevant when scammers use corporate names, fake certificates of incorporation, fake investment licenses, or social media solicitations promising guaranteed returns.

H. Report to the Insurance Commission or Cooperative Development Authority

If the fraud involves insurance products, pre-need plans, HMOs, or insurance intermediaries, report to the Insurance Commission. If the matter involves a cooperative, report to the Cooperative Development Authority.

I. Report to the telecom provider

If the fraud involves your SIM, phone number, SIM swap, OTP interception, spoofed messages, or unauthorized account changes, immediately report to your telecom provider. Ask for blocking, replacement, account protection, and written confirmation.

J. Report to the platform

If the identity theft occurred through Facebook, Instagram, TikTok, X, Shopee, Lazada, Gmail, Yahoo, Telegram, WhatsApp, Viber, LinkedIn, or another platform, report through the platform’s official impersonation, fraud, hacked account, or privacy channels.

Platform reports are not substitutes for legal complaints, but they may help remove fake accounts, preserve records, or stop ongoing fraud.

VII. Step-by-Step Reporting Process

Step 1: Identify the type of incident

Classify the incident:

  1. Unauthorized financial transaction.
  2. Fake account or impersonation.
  3. Hacked account.
  4. Use of your ID or selfie.
  5. Fraudulent loan or credit application.
  6. SIM or phone-number misuse.
  7. Phishing or malware.
  8. Investment scam.
  9. Data breach or privacy violation.
  10. Marketplace, delivery, or online purchase fraud.

The classification determines where to report and what evidence is needed.

Step 2: Stop the damage

Block cards, freeze accounts, change passwords, disable compromised devices, contact the bank, and warn close contacts if your account is being used to solicit money.

Do not negotiate with scammers. Do not send more money to “unlock” funds, “verify” accounts, or “recover” losses. Do not click additional links sent by the same source.

Step 3: Preserve evidence

Create an evidence folder. Use subfolders such as:

  1. Screenshots.
  2. Transactions.
  3. Messages.
  4. Emails.
  5. Bank or e-wallet documents.
  6. Platform reports.
  7. Government IDs.
  8. Affidavits.
  9. Agency acknowledgments.
  10. Timeline.

Keep both digital and printed copies.

Step 4: File an internal complaint with the institution involved

For banks, e-wallets, online lenders, telcos, platforms, or merchants, file a written complaint. Include:

  1. Your name and contact details.
  2. Account details.
  3. Date and time of incident.
  4. Unauthorized transactions.
  5. Amount involved.
  6. Evidence.
  7. Request for blocking, reversal, investigation, and preservation of records.
  8. Request for written findings.

Step 5: File a police or cybercrime complaint

Proceed to the PNP ACG, NBI Cybercrime Division, or appropriate local police unit. Bring:

  1. Valid government ID.
  2. Affidavit of complaint.
  3. Evidence folder.
  4. Transaction records.
  5. Screenshots and URLs.
  6. Device used, if relevant.
  7. Names, numbers, emails, accounts, or handles of suspects.
  8. Prior complaint acknowledgments from banks or platforms.

Request a copy of the complaint sheet, blotter, referral, or acknowledgment.

Step 6: File with regulators if needed

Depending on the case, file with:

  1. BSP for banks, e-money issuers, and BSP-supervised financial institutions.
  2. NPC for personal data misuse or breach.
  3. SEC for investment scams or corporate impersonation.
  4. Insurance Commission for insurance-related fraud.
  5. CDA for cooperative-related fraud.
  6. DICT/CICC channels where applicable for cyber incident coordination.

Step 7: Follow up in writing

Follow up by email or letter. Always include reference numbers. Keep a log showing:

  1. Date of follow-up.
  2. Person or office contacted.
  3. Summary of response.
  4. Next action required.
  5. Deadline given.

Step 8: Consider civil, criminal, and administrative remedies

A victim may pursue:

  1. Criminal complaint for cybercrime, estafa, falsification, access device fraud, or related offenses.
  2. Administrative complaint before regulators.
  3. Data privacy complaint before the NPC.
  4. Bank or e-wallet dispute.
  5. Civil action for damages.
  6. Injunctive or takedown relief in appropriate cases.
  7. Correction, deletion, or blocking of false records.

VIII. What to Include in a Complaint

A strong complaint should answer the following:

  1. Who is the complainant?
  2. What personal information was stolen or misused?
  3. When did the incident occur?
  4. How was the fraud discovered?
  5. What accounts, platforms, institutions, or devices were involved?
  6. What amount was lost?
  7. What evidence supports the complaint?
  8. Who are the suspected persons or accounts?
  9. What actions were already taken?
  10. What relief is requested?

The complaint should be factual. Avoid speculation. State what is known, what is suspected, and what documents support each point.

IX. Sample Structure of an Affidavit of Complaint

An affidavit may follow this general structure:

  1. Title: Affidavit of Complaint.
  2. Personal details of complainant.
  3. Statement of capacity as victim.
  4. Description of identity information misused.
  5. Chronology of events.
  6. Description of fraudulent acts.
  7. Financial loss or harm suffered.
  8. Evidence attached.
  9. Actions already taken.
  10. Request for investigation and prosecution.
  11. Jurat and notarization.

X. Evidence Checklist

For identity theft and fraud, gather:

  1. Government IDs.
  2. Proof of ownership of affected account.
  3. Screenshots of fake profile, fraudulent posts, or messages.
  4. URLs and account links.
  5. Email headers and sender addresses.
  6. SMS sender details.
  7. Call logs.
  8. Bank statements.
  9. E-wallet transaction history.
  10. Credit card statements.
  11. Loan notices.
  12. Collection messages.
  13. Platform complaint acknowledgments.
  14. Bank or e-wallet reference numbers.
  15. Police blotter or complaint acknowledgment.
  16. Notarized affidavit.
  17. Proof of non-consent.
  18. Proof of location or activity showing impossibility, if relevant.
  19. Device security alerts.
  20. Any correspondence with the suspect.

XI. Special Situations

A. Fake social media account using your name or photos

Report the account to the platform for impersonation. Take screenshots before reporting. Save the profile URL, username, posts, messages, and list of mutual contacts approached by the fake account.

If money is solicited or reputational damage occurs, file a cybercrime complaint. If personal data is misused, consider an NPC complaint.

B. Hacked Facebook, email, or messaging account

Use the platform’s account recovery process immediately. Change passwords for linked email accounts. Revoke unknown sessions. Warn contacts not to send money.

File a cybercrime complaint if the account was used for fraud, extortion, threats, or identity theft.

C. Unauthorized bank or e-wallet transaction

Immediately report to the bank or e-wallet provider. Ask for blocking, dispute investigation, and preservation of records. File a cybercrime complaint if phishing, hacking, social engineering, or unauthorized access was involved. Escalate to BSP if the financial institution fails to properly handle the complaint.

D. Fraudulent online loan in your name

Request the lender’s records, including application details, ID used, selfie, phone number, bank account, IP address, and disbursement account. Demand correction or cancellation if you did not apply. If the lender refuses, consider complaints with the NPC and relevant regulators.

If collectors harass you or your contacts, preserve messages and call logs. Harassment, misuse of contact lists, public shaming, and unauthorized disclosure of debt information may raise separate legal issues.

E. Stolen ID used for account opening

Report to the institution where the account was opened. Ask for account freezing, KYC review, and confirmation that the account was fraudulent. File a police or cybercrime complaint and consider an NPC complaint if the institution failed to protect or verify personal data properly.

F. SIM swap or mobile number takeover

Contact the telco immediately. Ask for blocking, replacement, and investigation. Notify banks and e-wallets linked to the number. Change account recovery methods. File a cybercrime complaint if the number was used to intercept OTPs or access accounts.

G. Investment scam using your identity or involving your funds

Preserve all solicitations, payment records, names of agents, group chats, websites, corporate documents, and promised returns. Report to law enforcement and the SEC. If bank or e-wallet accounts were used, report to the relevant financial institution.

H. Marketplace scam

Save the product listing, seller profile, chat history, payment proof, delivery details, and platform complaint. Report to the platform. If payment was made through a bank or e-wallet, report the transaction. File a cybercrime or fraud complaint if deception is clear.

XII. Remedies Available to Victims

Depending on the facts, remedies may include:

  1. Blocking or freezing of fraudulent accounts.
  2. Reversal or chargeback of unauthorized transactions.
  3. Correction of false loan or account records.
  4. Takedown of fake profiles or fraudulent posts.
  5. Criminal investigation and prosecution.
  6. Regulatory action against negligent institutions.
  7. Data privacy remedies.
  8. Civil damages.
  9. Cease-and-desist or corrective action.
  10. Recovery of funds where traceable and legally recoverable.

No single agency can provide all remedies. A victim often needs to pursue parallel steps: bank dispute, cybercrime complaint, privacy complaint, and platform takedown.

XIII. Common Mistakes Victims Should Avoid

  1. Deleting messages or posts before taking screenshots.
  2. Sending more money to scammers.
  3. Publicly accusing a person without sufficient proof.
  4. Posting unredacted IDs, account numbers, or private information online.
  5. Relying only on platform reporting without filing legal complaints.
  6. Waiting too long before reporting unauthorized transactions.
  7. Failing to get reference numbers.
  8. Giving OTPs, passwords, or remote access to supposed “support agents.”
  9. Using the same password after account compromise.
  10. Ignoring small unauthorized charges, which may be test transactions.

XIV. How to Protect Yourself After Reporting

After filing reports, continue securing your identity:

  1. Replace compromised cards.
  2. Change all passwords.
  3. Enable multi-factor authentication.
  4. Review account recovery emails and phone numbers.
  5. Monitor bank, credit card, and e-wallet transactions.
  6. Check for unknown loans or accounts.
  7. Limit public exposure of IDs and personal documents.
  8. Watermark ID copies when submitting them.
  9. Avoid sending IDs through unsecured channels.
  10. Use official apps and websites only.
  11. Beware of recovery scams.
  12. Regularly review privacy settings on social media.

XV. When to Get a Lawyer

Legal assistance is advisable when:

  1. The financial loss is substantial.
  2. A bank, lender, or platform refuses to act.
  3. You are being collected from for a debt you did not incur.
  4. Your identity is being used in criminal activity.
  5. You received a demand letter, subpoena, or complaint.
  6. Your employer, business, or reputation is affected.
  7. You need to file a formal criminal complaint.
  8. You need damages or injunctive relief.
  9. The case involves multiple jurisdictions.
  10. Sensitive personal information, minors, or confidential records are involved.

A lawyer can help prepare affidavits, organize evidence, identify proper offenses, communicate with institutions, and represent the victim before investigators, prosecutors, courts, or regulators.

XVI. Practical Reporting Matrix

For unauthorized bank or e-wallet transactions, report to the financial institution, then to the BSP if unresolved, and to PNP ACG or NBI Cybercrime if cyber fraud is involved.

For fake social media profiles, report to the platform, then to PNP ACG or NBI Cybercrime if fraud, threats, or reputational harm occurred, and to the NPC if personal data was misused.

For misuse of ID documents, report to the institution that accepted the ID, then to the NPC for data misuse and to law enforcement for identity theft or fraud.

For fraudulent loans, report to the lender, demand correction, file with NPC if personal data was mishandled, and report to law enforcement if identity theft or falsification occurred.

For investment scams, report to the SEC and law enforcement, and notify banks or e-wallets used to transfer funds.

For SIM-related identity theft, report to the telecom provider, notify linked financial institutions, and file a cybercrime complaint if accounts were accessed or OTPs intercepted.

XVII. Conclusion

Identity theft and fraud in the Philippines require fast, organized, and legally informed action. The victim should secure accounts, preserve evidence, notify financial institutions and platforms, file complaints with the proper law enforcement agencies, and elevate regulatory issues to the appropriate government body.

The most effective response is not a single report but a coordinated paper trail: written complaints, reference numbers, affidavits, evidence folders, agency acknowledgments, and consistent follow-ups. Proper documentation improves the chance of stopping further harm, recovering funds, correcting false records, holding offenders accountable, and protecting the victim’s legal rights.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login