Unauthorized Credit Card Charges and Online Subscription Scam

Unauthorized credit card charges and online subscription scams are among the most common forms of consumer financial harm in the digital age. In the Philippine setting, they usually arise in one of several ways: a cardholder discovers purchases never made; a “free trial” quietly turns into recurring charges; a card is used after details are stolen online; a deceptive merchant enrolls the user in a subscription without valid consent; a fake website harvests card information; or a legitimate-looking app or service keeps charging despite cancellation. What begins as a puzzling line item on a billing statement can quickly become a legal problem involving unauthorized transactions, fraud, cybercrime, unfair billing practices, deceptive online conduct, data privacy risks, and potential civil and criminal remedies.

The legal treatment of these cases in the Philippines is not controlled by one rule alone. It involves the intersection of contract law, banking law, consumer principles, electronic commerce, cybercrime law, payment-system practice, card network dispute processes, and criminal law concepts such as estafa, fraud, or unauthorized access, depending on the facts. The immediate practical question is usually not only “Who charged my card?” but also “What should I do first, what rights do I have, who bears the loss, and how do I report it?”

This article explains the Philippine legal framework comprehensively.

I. Two Different Problems Often Get Mixed Together

A proper legal analysis begins by separating two situations that people often describe with the same words.

1. Truly unauthorized credit card charges

These are transactions the cardholder did not authorize at all. Examples include:

  • card details stolen and used by a stranger;
  • card number used after a phishing attack;
  • fraudulent online purchases;
  • recurring charges created without the cardholder’s consent;
  • card-not-present transactions initiated by an unauthorized person;
  • charges after account compromise, malware, skimming, or data breach.

In this category, the central issue is lack of consent.

2. Subscription scam or deceptive subscription

These are cases where the cardholder initially interacted with a website, app, trial offer, or merchant, but the real billing terms were hidden, misleading, manipulated, or unfair. Examples include:

  • a “free trial” that auto-renews without adequate notice;
  • a one-time payment that is secretly converted into monthly billing;
  • a cancellation process designed to fail;
  • a merchant that keeps charging after cancellation;
  • hidden terms buried in deceptive interfaces;
  • a service that promises one thing but bills for something else.

Here, the issue is not always total absence of initial consent. Often the issue is invalid, vitiated, misleading, or overextended consent, coupled with unfair or fraudulent billing behavior.

The distinction matters because the evidence, legal theory, and dispute strategy may differ.

II. Common Fact Patterns in the Philippines

Unauthorized charges and subscription scams typically appear in one or more of the following forms:

  • fraudulent online shopping transactions;
  • card details stolen through phishing emails, fake bank links, or fake delivery notices;
  • card details captured through skimming or merchant compromise;
  • app-store or gaming charges not recognized by the cardholder;
  • recurring charges from streaming, wellness, software, dating, astrology, or “premium service” sites the user barely remembers clicking;
  • “free trial” websites that hide recurring billing terms in tiny text;
  • social media ads leading to low-quality or fake subscription pages;
  • a merchant that continues charging after the user already cancelled;
  • a charge descriptor on the billing statement that does not clearly identify the merchant;
  • family-member or employee misuse of stored card details;
  • account takeover of an online merchant account that already stored the card;
  • unauthorized use of card details in foreign or cross-border online transactions.

Each pattern may support different legal conclusions about consent, negligence, liability allocation, reporting obligations, and recovery.

III. Core Legal Questions

In Philippine legal practice, these cases usually turn on a few core questions:

  • Did the cardholder actually authorize the charge?
  • If there was some initial interaction, was consent valid and informed?
  • Was the merchant deceptive?
  • Was there breach of the issuer’s duty of proper handling, security, and dispute resolution?
  • Did the cardholder fail to promptly report the unauthorized use?
  • Was there phishing, account takeover, or data compromise?
  • Are the charges part of a recurring subscription that the user never clearly agreed to or had already cancelled?
  • Is the issue primarily a bank dispute, a merchant fraud, a cybercrime, or all three?

The legal response should be built around these questions, not around guesswork.

IV. The Contractual Relationship Between Cardholder and Issuer

A credit card is not merely a piece of plastic. It is part of a contractual relationship between the cardholder and the issuing bank or financial institution. That relationship is governed by:

  • the cardholder agreement;
  • the issuer’s terms and conditions;
  • payment system rules and banking practice;
  • consumer and electronic transaction principles;
  • regulatory obligations applicable to financial institutions.

This relationship matters because when unauthorized charges appear, the cardholder usually deals first with the issuer, not the scammer. The issuer is the institution that:

  • receives the billing complaint;
  • blocks or replaces the card;
  • investigates the disputed charge;
  • decides whether to issue provisional credit or reversal under its processes;
  • communicates with the acquiring side or card network;
  • and determines, at least initially, whether the cardholder remains liable.

Thus, the first legal battlefield is often between cardholder and issuer, even though the wrong may have originated with the merchant or fraudster.

V. What Counts as an “Unauthorized Transaction”

An unauthorized transaction is one initiated or processed without the genuine consent of the cardholder or authorized user. In practical terms, this may include:

  • charges by a stranger using stolen card details;
  • transactions after the cardholder account was hacked;
  • charges made through a compromised merchant account;
  • recurring subscription charges where the cardholder never agreed to the subscription;
  • post-cancellation charges;
  • transactions generated through forged consent, fake checkboxes, dark patterns, or hidden terms that defeat meaningful assent.

But the concept becomes more complicated in edge cases, such as:

  • the cardholder gave the number to a merchant once, but not for recurring billing;
  • the cardholder clicked through a trial page without understanding renewal;
  • a family member used the card without permission;
  • the cardholder stored the card on a website that was later hijacked;
  • the user agreed to one service but was billed for another.

These are exactly the cases where banks and merchants often try to shift responsibility, and where careful legal framing matters.

VI. Subscription Scam as Deceptive Consent

A subscription scam does not always look like obvious hacking. Often, it relies on manipulative design and billing deception. Examples include:

  • a “free trial” that requires card details but hides auto-renewal terms;
  • checkout pages designed to look like one-time purchases;
  • cancellation links that do not work;
  • merchants that require phone cancellation but never answer;
  • recurring billing after a user clearly opted out;
  • advertisements that conceal subscription pricing;
  • disguised negative-option billing, where silence is treated as consent to future charges.

In legal terms, these cases may be attacked on the ground that true informed consent to recurring billing was absent or fraudulently obtained.

That distinction is important because the bank may initially say, “You entered your card details.” But that alone does not always end the matter. The question is whether the recurring charges were genuinely authorized under fair and intelligible terms.

VII. Immediate Steps the Cardholder Should Take

The first 24 to 72 hours are critical. Delay can lead to more charges, weaker evidence, and harder recovery.

1. Contact the card issuer immediately

The cardholder should call or use the official channel of the issuer to:

  • report the unauthorized or disputed transaction;
  • request card blocking or temporary suspension;
  • ask for card replacement if compromise is suspected;
  • dispute the charge formally;
  • ask for a reference number for the report.

This is the most important first step.

2. Preserve all evidence

Save and organize:

  • billing statements showing the disputed charges;
  • transaction alerts by SMS, app, or email;
  • screenshots of the merchant site, trial page, cancellation page, or app;
  • emails confirming cancellation, if any;
  • chat logs with merchant support;
  • screenshots of failed cancellation attempts;
  • proof that the charge description is unfamiliar or misleading;
  • records showing where you were at the time, if relevant to prove non-use;
  • any phishing messages or fake websites involved.

3. Change credentials and secure linked accounts

If the charge may have resulted from account compromise, the cardholder should:

  • change passwords for email, merchant accounts, and banking apps;
  • enable two-factor authentication;
  • review stored payment methods across platforms;
  • log out of other sessions where possible.

4. Revoke or cancel the subscription through every available route

If the issue involves a subscription scam rather than pure card theft, the cardholder should still try to:

  • cancel on the merchant site;
  • send written notice of cancellation;
  • unsubscribe through app stores if applicable;
  • request written confirmation.

Even if the merchant is fraudulent, these steps help show that further charges were not authorized.

5. Monitor for additional charges

Fraudsters often test cards with small charges before making larger ones. Subscription scammers may also continue rebilling unless the card is replaced or blocked.

VIII. The Card Issuer’s Role and Possible Liability

The issuer is not automatically the wrongdoer, but it has important duties in how it handles disputed transactions. Depending on the facts and the governing contractual and regulatory framework, the issuer may be expected to:

  • receive and log disputes properly;
  • act promptly to block further misuse;
  • investigate the charge;
  • distinguish fraud from legitimate billing;
  • explain the basis for denying or approving reversal;
  • avoid unfairly insisting that the cardholder pay plainly unauthorized transactions;
  • comply with regulatory expectations on consumer handling, complaints, and electronic transaction security.

If the issuer handles the matter arbitrarily, fails to process the dispute properly, ignores timely notice, or imposes unreasonable burdens on the cardholder, additional legal issues may arise beyond the original scam.

IX. Cardholder Liability and Why Prompt Notice Matters

Most card agreements and industry practice place heavy importance on prompt reporting. This is because:

  • early notice may prevent further losses;
  • delay can suggest acquiescence or make tracing harder;
  • issuers often rely on notice periods for dispute eligibility;
  • continuing use of the card after suspicious activity can complicate the case.

This does not mean a cardholder automatically loses all protection if reporting is delayed. But delay can weaken recovery and may become a major point in issuer defenses.

The cardholder should therefore act as soon as the suspicious charge is discovered.

X. Disputes Involving Recurring Billing

Recurring billing disputes are among the most contested because the merchant often says the user consented at sign-up. A recurring-charge case may involve one or more of the following claims:

  • there was no consent to recurring charges at all;
  • the terms were hidden or misleading;
  • the recurring charge began after a free trial without adequate disclosure;
  • the charge continued after cancellation;
  • the amount billed did not match the stated plan;
  • the subscription was impossible to cancel despite reasonable efforts;
  • the merchant used a deceptive or unrecognizable billing descriptor;
  • the service was not delivered as promised.

The legal strength of the cardholder’s case increases when there is clear proof of:

  • hidden terms,
  • misleading design,
  • unsuccessful cancellation attempts,
  • written cancellation notice,
  • or charges continuing long after revocation.

XI. Merchant Fraud, Cybercrime, and Deceptive Online Conduct

Depending on the facts, the merchant or platform may be liable not only for breach of contract or unfair billing, but also for fraud or cyber-enabled misconduct.

Possible scenarios include:

  • fake websites harvesting card data;
  • cloned checkout pages;
  • merchants charging for phantom subscriptions;
  • deliberate failure to honor cancellation;
  • false representations that the charge is refundable when it is not;
  • “free trial” traps created to induce undisclosed recurring payments;
  • use of malware, phishing, spoofing, or fake payment portals.

In Philippine legal terms, such conduct may implicate:

  • estafa, where deceit induced the payment or ongoing charges;
  • cybercrime-related offenses, where the conduct was carried out through digital systems or unlawful access;
  • civil fraud and damages;
  • and possibly privacy or data-security violations if card information was mishandled.

XII. Estafa and Fraud in Credit Card Scam Cases

A scam involving unauthorized charges or deceptive subscription billing may amount to estafa if there was deceit that caused the cardholder to part with money or suffer financial damage.

Examples include:

  • fake merchants presenting non-existent products or services;
  • deceptive trial offers masking recurring charges;
  • pretending a charge is for one item when it is really for a subscription plan;
  • inducing the user to “verify” a card through a fake payment page;
  • posing as a bank, courier, or streaming service and stealing card details.

The essence of the criminal issue is that money was obtained or attempted to be obtained through fraud.

XIII. Cybercrime Dimensions

Because many of these incidents occur online, the Cybercrime Prevention Act may also be relevant. This is especially so where the case involves:

  • phishing;
  • unauthorized access to accounts;
  • online fraud;
  • fraudulent manipulation of digital billing systems;
  • online impersonation of banks or merchants;
  • cross-border online subscription traps.

The cyber element matters both legally and practically because it helps determine which enforcement bodies are appropriate and how electronic evidence should be handled.

XIV. Data Privacy and Card Information Exposure

Unauthorized credit card charges often go hand in hand with data compromise. The cardholder may have submitted:

  • full card number;
  • expiry date;
  • CVV or security code;
  • billing address;
  • email address;
  • phone number;
  • identity information.

If these were harvested, stored, or misused improperly, data privacy and security issues may arise. This is especially serious where:

  • the merchant or platform was fake;
  • personal data was later used in further fraud;
  • the cardholder account was exposed in a breach;
  • identity theft follows the charge incident.

The case then becomes bigger than just billing reversal. It becomes a wider issue of digital financial safety.

XV. Criminal, Civil, and Contractual Dimensions May Coexist

A single unauthorized charge dispute can involve several simultaneous relationships:

1. Cardholder versus issuer

This concerns dispute handling, liability allocation, and reversal of charges.

2. Cardholder versus merchant

This concerns fraud, deceptive subscription billing, or non-delivery.

3. State versus offender

This concerns criminal liability, such as estafa or cybercrime.

4. Cardholder versus platform intermediaries or data handlers

This may involve privacy, negligence, or ancillary claims depending on the facts.

Thus, a credit card scam is not always just a billing complaint. It may mature into a broader legal case.

XVI. Where to Report in the Philippines

The correct reporting path depends on the facts, but the following are usually relevant.

A. The card issuer or bank

This is always the first and most practical step. The cardholder should:

  • dispute the charge;
  • request investigation;
  • request reversal or provisional handling under the issuer’s process;
  • request card replacement.

B. The merchant or platform

If the problem is a subscription scam rather than pure card theft, written notice to the merchant matters. This helps prove cancellation, objection, and lack of continued consent.

C. NBI Cybercrime Division or PNP Anti-Cybercrime Group

These are especially appropriate where the case involves:

  • phishing;
  • fake websites;
  • online fraud;
  • repeated fraudulent charges;
  • hacked accounts;
  • deceptive subscription schemes run online;
  • foreign or anonymous digital offenders.

D. Office of the Prosecutor

Where deceit and financial damage are clear, a criminal complaint-affidavit for estafa or related offenses may be considered.

E. Regulatory complaint channels involving financial institutions

If the issuer mishandles the complaint, the cardholder may also need to escalate to the appropriate banking or financial regulatory complaint mechanism applicable in the Philippines.

XVII. Chargeback and Dispute Processes

Although often treated as mere operational procedures, chargeback or dispute processes are very important in practice. These are the mechanisms by which a disputed card transaction is challenged through the issuer and payment network framework.

In unauthorized charge or subscription scam cases, the cardholder should focus on proving one of the following:

  • cardholder did not authorize the transaction;
  • recurring billing was not authorized;
  • service was cancelled but charges continued;
  • merchant used deceptive billing;
  • transaction was fraudulent;
  • service was not as described or not delivered in a way relevant to the dispute.

These processes are not themselves criminal proceedings, but they often determine whether the cardholder gets money back quickly while broader legal action remains pending.

XVIII. The Importance of Written Cancellation and Merchant Notice

In subscription scam cases, the strongest evidence is often proof that the cardholder tried to stop the billing. This may include:

  • cancellation confirmation emails;
  • screenshots of the account showing cancellation;
  • chat logs with support;
  • emails objecting to continued charges;
  • proof that the cancellation page failed or was inaccessible;
  • help desk tickets;
  • app-store cancellation logs.

Without this, the merchant may argue that the subscription remained active by the cardholder’s own choice.

XIX. Common Defenses Raised by Banks and Merchants

The issuer or merchant may argue one or more of the following:

  • the card details were correctly entered, so the transaction is presumed valid;
  • the merchant has a click-through record showing consent;
  • the cardholder failed to report promptly;
  • the cardholder shared the card details negligently;
  • the cardholder did not actually cancel;
  • the charge was part of disclosed auto-renewal terms;
  • the user benefited from the service;
  • the dispute concerns a valid family-member or household use, not fraud.

These defenses are not always correct, but they must be answered with evidence. A cardholder cannot rely on bare denial alone if there are logs, sign-up flows, or device records in play.

XX. Household Use, Shared Devices, and Family Disputes

Sometimes the charge is not caused by a stranger or merchant scam but by:

  • a family member using the card without permission;
  • a child subscribing to a service;
  • an employee or helper accessing stored payment details;
  • a former partner using a saved card profile.

These cases can still be unauthorized as against the cardholder, but the legal treatment may differ. The issuer may investigate whether the user was effectively an authorized household user or whether the facts show a genuine third-party misuse.

This is especially important because not all “unrecognized charges” are bank-side fraud. Some are internal misuse disputes.

XXI. Cross-Border and Foreign Merchant Problems

Many online subscription scams use foreign merchants, foreign billing processors, or obscure overseas descriptors. This creates practical complications:

  • the merchant may be hard to identify;
  • customer service may be inaccessible;
  • the jurisdictional and documentary trail is weaker;
  • the charge descriptor may be vague;
  • the site may disappear quickly.

Still, these facts do not make the case legally hopeless. The cardholder should preserve:

  • the descriptor as it appears on the statement;
  • website screenshots;
  • URLs;
  • emails;
  • payment confirmations;
  • cancellation attempts;
  • issuer dispute records.

Cross-border character often strengthens the importance of issuer-side dispute handling and cybercrime reporting.

XXII. Civil Recovery and Damages

Apart from reversal of the charge, a cardholder may consider civil claims in the proper case, including:

  • recovery of unauthorized or fraudulently obtained amounts;
  • actual damages;
  • moral damages, if the circumstances justify them;
  • exemplary damages where conduct was oppressive or fraudulent;
  • attorney’s fees.

Civil action becomes more significant where:

  • the issuer acted in bad faith;
  • the merchant intentionally deceived consumers;
  • multiple charges accumulated;
  • identity theft caused broader losses;
  • or the incident caused substantial measurable harm.

XXIII. What Not to Do

Victims often weaken their position by doing the following:

  • delaying notice to the issuer;
  • continuing to use a compromised card;
  • arguing with the scam site without preserving evidence;
  • deleting phishing messages or emails too early;
  • assuming small charges are harmless;
  • accepting vague oral assurances from merchant support without written confirmation;
  • failing to replace the card where details may be compromised;
  • paying additional “cancellation fees” to obvious scam sites;
  • using unofficial bank contact numbers found in suspicious texts or emails.

A clean, documented response is far stronger than a reactive one.

XXIV. Best Legal Framing of the Complaint

The strongest legal framing depends on the facts, but it is usually more effective to describe the problem precisely, such as:

  • unauthorized card-not-present transaction;
  • fraudulent recurring charge without valid consent;
  • deceptive online subscription billing;
  • post-cancellation recurring charge;
  • phishing-induced unauthorized credit card use;
  • online merchant fraud using hidden auto-renewal terms.

This is better than simply saying, “My bank scammed me,” unless the complaint truly concerns bank misconduct.

XXV. Practical Sequence of Response

A disciplined response in the Philippine setting usually follows this order:

  1. Block or suspend the card through the issuer immediately.
  2. Dispute the unauthorized or deceptive charge formally.
  3. Preserve statements, alerts, screenshots, and cancellation proof.
  4. Change passwords and secure linked accounts.
  5. Notify the merchant in writing if a subscription is involved.
  6. Request card replacement if compromise is suspected.
  7. Monitor for additional or test charges.
  8. Escalate to cybercrime authorities if fraud, phishing, or fake websites are involved.
  9. Consider criminal or civil complaint if the conduct involves clear deceit or significant loss.

This sequence protects both recovery and evidence.

Conclusion

In the Philippines, unauthorized credit card charges and online subscription scams are not merely “billing inconveniences.” Depending on the facts, they may involve fraud, estafa, deceptive recurring billing, cybercrime, privacy compromise, and improper handling by the issuer or merchant. The law does not treat every disputed charge the same. Some are pure unauthorized transactions; others are subscription scams built on hidden terms, fake trials, failed cancellation systems, or online deception.

The most important legal and practical principle is speed: prompt reporting to the card issuer, immediate preservation of evidence, cancellation or revocation where relevant, and early escalation when fraud is evident. A cardholder who documents the transaction history, the absence of valid consent, the cancellation attempts, and the digital traces of deception is in the strongest position to challenge liability and pursue recovery.

The central point is simple: a card charge is not automatically lawful just because it appeared on a billing statement or because card details were once entered online. In Philippine law, when billing is unauthorized, fraudulently induced, or deceptively extended into recurring charges, the cardholder may have grounds to dispute, report, and seek recovery and accountability.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login