Unauthorized Credit Card Transaction Dispute After Phishing Scam

Introduction

Phishing scams have become one of the most common ways by which credit cardholders in the Philippines lose money through unauthorized transactions. A typical situation looks like this: the cardholder receives a fake SMS, email, call, or social media message pretending to be from a bank, delivery company, e-wallet, online marketplace, government agency, or rewards program. The victim is tricked into clicking a link, entering card details, revealing a one-time password, or approving a transaction. Soon after, unauthorized charges appear on the credit card.

The legal question is often difficult: who should bear the loss — the cardholder, the bank, the merchant, or the scammer?

In the Philippine context, the answer depends on the facts: how the transaction happened, whether the cardholder disclosed confidential information, whether the bank complied with security and notification duties, whether the cardholder promptly reported the fraud, and whether the transaction was properly authenticated.

This article discusses the legal framework, rights, obligations, evidence, dispute process, possible liabilities, and practical remedies available to a Philippine credit cardholder after an unauthorized credit card transaction caused by phishing.

This is general legal information, not legal advice for a specific case.


I. What Is an Unauthorized Credit Card Transaction?

An unauthorized credit card transaction is a charge made without the cardholder’s valid consent or authority.

It may involve:

  1. Card-not-present purchases using stolen card details;
  2. Online purchases after the victim was tricked into entering card information;
  3. Transactions approved using a stolen or fraudulently obtained OTP;
  4. Unauthorized balance conversion or cash advance;
  5. Fraudulent subscriptions;
  6. Use of compromised mobile banking or online banking credentials;
  7. Transactions made after SIM swap, account takeover, or device compromise;
  8. Charges by merchants unknown to the cardholder;
  9. Transactions made after loss or theft of the card;
  10. Recurring payments that continue after cancellation or fraud.

In phishing cases, banks often argue that the transaction was “authorized” because the correct OTP, CVV, password, or account credentials were used. Cardholders often argue that the transaction was still unauthorized because consent was obtained through fraud, deception, social engineering, or manipulation.

The dispute usually turns on whether the bank can validly treat the transaction as authorized merely because security credentials were used.


II. What Is Phishing?

Phishing is a form of fraud where criminals impersonate a trusted person or institution to obtain confidential information or cause the victim to perform an action.

Common Philippine phishing methods include:

1. Fake Bank SMS or Email

The victim receives a message saying the card has been blocked, points will expire, an account must be verified, or suspicious activity must be confirmed. The message contains a link to a fake bank website.

2. Smishing

This is phishing through SMS. It may appear in the same message thread as legitimate bank texts because of sender ID spoofing or message manipulation.

3. Vishing

The victim receives a phone call from someone pretending to be a bank officer, anti-fraud agent, courier, government employee, or merchant representative.

4. Fake Delivery or Customs Notice

The victim is told that a parcel needs a small payment, redelivery fee, tax, or verification.

5. Fake Rewards or Cashback Offer

The victim is told that credit card rewards, rebates, or points are about to expire.

6. Account Takeover

The victim’s online banking account, email, mobile number, or device is compromised, allowing the fraudster to initiate or approve transactions.

7. QR Code or Social Media Scam

The victim is led to a fake payment or verification page through a QR code, Facebook page, marketplace listing, or messaging app.


III. Main Philippine Laws and Rules Involved

Several laws and regulations may apply to unauthorized credit card transactions after phishing.

A. Access Devices Regulation Act

Republic Act No. 8484, known as the Access Devices Regulation Act of 1998, is central to credit card fraud cases.

A credit card is an “access device.” The law penalizes the unauthorized use, possession, trafficking, or production of access devices and related information. It covers fraudulent use of credit card details, account numbers, and other access credentials.

The scammer may be criminally liable if they obtained or used the cardholder’s details without authority.

However, criminal liability of the scammer is separate from the civil or contractual dispute between the cardholder and the bank. Even if the scammer committed a crime, the bank may still refuse to reverse the charge, and the cardholder may still need to pursue a dispute, complaint, or case.

B. Cybercrime Prevention Act

Republic Act No. 10175, the Cybercrime Prevention Act of 2012, may apply where the phishing scam was committed through computers, websites, mobile phones, fake links, hacking, or online fraud.

Cyber-related offenses may include:

  1. Computer-related fraud;
  2. Identity theft;
  3. Illegal access;
  4. Misuse of devices;
  5. Cyber-squatting or fake websites;
  6. Content-related deception depending on the facts;
  7. A cybercrime component attached to offenses punished under other laws.

Phishing usually has a cybercrime angle because the fraud is committed through electronic communication, fake websites, malicious links, or unauthorized digital access.

C. Financial Products and Services Consumer Protection Act

Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, strengthened consumer protection in financial services.

It recognizes duties of financial service providers, including banks and credit card issuers, to treat consumers fairly, disclose information properly, protect consumer assets, handle complaints, and implement appropriate safeguards.

For phishing-related unauthorized transactions, this law is relevant because the bank is expected to maintain consumer protection mechanisms, cybersecurity safeguards, complaint handling systems, and fair dispute resolution processes.

D. Bangko Sentral ng Pilipinas Regulations

Banks and credit card issuers in the Philippines are regulated by the Bangko Sentral ng Pilipinas, or BSP.

BSP rules and circulars generally require banks and financial institutions to maintain:

  1. Effective risk management systems;
  2. Consumer assistance mechanisms;
  3. Cybersecurity controls;
  4. Fraud monitoring systems;
  5. Clear disclosure of terms and fees;
  6. Secure digital channels;
  7. Complaint-handling procedures;
  8. Timely action on consumer complaints.

A cardholder may file a complaint with the bank first, and if unresolved, elevate the matter to the BSP’s consumer assistance channels.

E. Data Privacy Act

Republic Act No. 10173, the Data Privacy Act of 2012, may be relevant if the phishing scam involved compromise, misuse, unauthorized disclosure, or negligent handling of personal information.

If the unauthorized transaction resulted from a breach of the bank’s systems, merchant systems, payment processor, or another personal information controller or processor, data privacy issues may arise.

However, if the cardholder was deceived into entering details on a fake website not controlled by the bank, the bank may argue that there was no data breach on its part. The cardholder may still ask whether the bank had sufficient safeguards, warnings, fraud detection, and transaction controls.

F. Consumer Act and Civil Code Principles

The Civil Code of the Philippines may apply through principles on obligations and contracts, negligence, fraud, damages, good faith, abuse of rights, and quasi-delicts.

Relevant concepts include:

  1. Fraud or dolo — consent obtained by deception;
  2. Negligence or culpa — failure to observe required care;
  3. Good faith — both bank and cardholder must act honestly and reasonably;
  4. Contractual obligations — credit card terms and conditions bind the parties, subject to law and public policy;
  5. Damages — actual, moral, exemplary, attorney’s fees, and litigation expenses may be claimed in appropriate cases.

IV. Contractual Relationship Between Cardholder and Bank

A credit card dispute is not only a fraud issue. It is also a contract issue.

When a person accepts and uses a credit card, they are bound by the cardholder agreement. These agreements usually provide that the cardholder must:

  1. Keep the card secure;
  2. Protect the PIN, CVV, OTP, username, password, and other credentials;
  3. Promptly report loss, theft, suspicious transactions, or compromise;
  4. Review statements of account;
  5. Pay valid charges;
  6. Cooperate in investigations;
  7. Be responsible for transactions made before notice of loss or compromise, subject to law and bank rules.

Banks, on the other hand, generally have duties to:

  1. Process transactions securely;
  2. Maintain fraud monitoring systems;
  3. Send transaction alerts where applicable;
  4. Provide dispute procedures;
  5. Investigate reported unauthorized transactions;
  6. Protect customer information;
  7. Comply with BSP consumer protection rules;
  8. Avoid unfair, abusive, or unreasonable practices.

The bank cannot simply rely on its contract if the contractual provision is contrary to law, public policy, consumer protection rules, or basic fairness.


V. The Central Issue: Was the Transaction Truly Authorized?

In phishing cases, the most contested issue is whether the transaction was authorized.

A. Bank’s Common Position

Banks often say the transaction is valid because:

  1. The correct card details were entered;
  2. The correct CVV was used;
  3. The OTP was entered;
  4. The transaction passed 3D Secure authentication;
  5. The transaction came from the cardholder’s registered mobile number, email, device, or IP pattern;
  6. The cardholder failed to keep credentials confidential;
  7. The cardholder clicked a phishing link;
  8. The cardholder voluntarily provided information;
  9. The transaction was not reported immediately;
  10. The cardholder agreement places responsibility on the cardholder.

B. Cardholder’s Common Position

Cardholders usually argue that:

  1. They did not intend to buy from the merchant;
  2. They were deceived by a fake bank message or call;
  3. Their consent was obtained through fraud;
  4. The bank failed to detect unusual transaction behavior;
  5. The bank failed to block suspicious transactions;
  6. The bank’s OTP or alert system was inadequate;
  7. The transaction amount, merchant, location, or timing was suspicious;
  8. The bank did not act promptly after report;
  9. The bank failed to provide sufficient proof that the transaction was valid;
  10. The transaction should be reversed because it was unauthorized.

C. The Hard Question

The legal and factual question is not always simply: “Was an OTP used?”

A better question is:

Did the cardholder knowingly, freely, and validly authorize the specific transaction, with full awareness of the merchant, amount, and purpose?

If the cardholder was deceived into entering an OTP for what they believed was account verification, but the OTP actually approved a purchase, there is a strong factual argument that the cardholder did not knowingly authorize that purchase.

However, banks may still argue that the cardholder’s disclosure of the OTP was negligence.


VI. OTPs, 3D Secure, and Authentication: Are They Conclusive?

A one-time password or 3D Secure approval is strong evidence that a transaction passed authentication. But it should not always be treated as conclusive proof that the cardholder genuinely authorized the transaction.

A. Authentication Is Not Always Consent

Authentication proves that the system received correct credentials. It does not always prove that the person understood the real nature of the transaction.

For example, if a phishing page says, “Enter OTP to cancel unauthorized transaction,” but the OTP actually approves a new transaction, the cardholder may argue that the OTP was procured by fraud.

B. The Content of the OTP Message Matters

The OTP message is important evidence. It may show:

  1. The merchant name;
  2. The transaction amount;
  3. The warning not to share the OTP;
  4. The purpose of the OTP;
  5. The date and time;
  6. Whether the message was clear or confusing.

If the OTP message clearly stated the merchant and amount, and the cardholder still entered it on a fake page, the bank may argue cardholder negligence.

If the OTP message was vague, misleading, delayed, incomplete, or did not clearly identify the transaction, the cardholder may argue that the bank’s authentication process was insufficient.

C. Strong Authentication Is Not a Substitute for Fraud Monitoring

Even if an OTP was used, banks may still be expected to have fraud detection systems. A transaction may be suspicious if it is:

  1. Unusually large;
  2. Made to a high-risk merchant;
  3. Made immediately after credential change;
  4. Made from a new device or location;
  5. Made in rapid succession;
  6. Inconsistent with the cardholder’s spending pattern;
  7. Made after several failed attempts;
  8. Followed by multiple transactions;
  9. Connected to known fraud patterns.

A bank’s investigation should not stop at “OTP was used.”
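To make the monitoring point concrete, the following added example (not part of the original article and not any bank's actual system) checks six of the indicators listed above against a constructed authorization log in which every approved charge passed OTP. The field names, thresholds, merchant-type labels, and sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Thresholds and merchant-type labels are assumptions for illustration;
# an issuer would tune them against its own portfolio.
LARGE_MULTIPLE = 5                          # amount > 5x median past purchase
CRED_CHANGE_WINDOW = timedelta(minutes=30)
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3                             # approvals inside BURST_WINDOW
FAILED_ATTEMPTS = 3                         # declines inside BURST_WINDOW
NEW_DEVICE_AGE = timedelta(days=1)
HIGH_RISK_TYPES = {"wallet_topup", "quasi_cash"}


@dataclass
class Event:
    ts: datetime
    kind: str                 # "auth" or "credential_change"
    amount: float = 0.0
    merchant_type: str = ""
    device: str = ""
    approved: bool = False
    otp_ok: bool = False


def red_flags(event, prior):
    """Indicators raised by one approved authorization, given earlier events."""
    flags = []
    recent = [e for e in prior if event.ts - e.ts <= BURST_WINDOW]
    past_amounts = [e.amount for e in prior if e.kind == "auth" and e.approved]
    if past_amounts and event.amount > LARGE_MULTIPLE * median(past_amounts):
        flags.append("unusually_large")
    if event.merchant_type in HIGH_RISK_TYPES:
        flags.append("high_risk_merchant")
    if any(e.kind == "credential_change"
           and event.ts - e.ts <= CRED_CHANGE_WINDOW for e in prior):
        flags.append("after_credential_change")
    first_seen = [e.ts for e in prior if e.device == event.device]
    if not first_seen or event.ts - min(first_seen) < NEW_DEVICE_AGE:
        flags.append("new_device")
    if sum(e.kind == "auth" and not e.approved for e in recent) >= FAILED_ATTEMPTS:
        flags.append("after_failed_attempts")
    if 1 + sum(e.kind == "auth" and e.approved for e in recent) >= BURST_COUNT:
        flags.append("rapid_succession")
    return flags


def review(events, since):
    """Flag every approved authorization at or after `since`, oldest first."""
    events = sorted(events, key=lambda e: e.ts)
    return [(e.ts, e.amount, e.otp_ok, red_flags(e, events[:i]))
            for i, e in enumerate(events)
            if e.kind == "auth" and e.approved and e.ts >= since]


def _auth(ts, amount, mtype, device, approved=True):
    # In this constructed log, every approved charge also passed OTP.
    return Event(datetime.fromisoformat(ts), "auth", amount, mtype, device,
                 approved, otp_ok=approved)


# Constructed sample log: ordinary spending, then a phishing-driven session.
SAMPLE = [
    _auth("2024-04-02T10:15", 850, "grocery", "dev-A"),
    _auth("2024-04-11T18:40", 1200, "retail", "dev-A"),
    _auth("2024-04-20T09:05", 640, "grocery", "dev-A"),
    _auth("2024-05-01T13:30", 990, "retail", "dev-A"),
    _auth("2024-05-10T12:00", 1100, "grocery", "dev-A"),
    Event(datetime.fromisoformat("2024-05-10T20:00"), "credential_change"),
    _auth("2024-05-10T20:02", 25000, "wallet_topup", "dev-X", approved=False),
    _auth("2024-05-10T20:03", 25000, "wallet_topup", "dev-X", approved=False),
    _auth("2024-05-10T20:04", 25000, "wallet_topup", "dev-X", approved=False),
    _auth("2024-05-10T20:05", 25000, "wallet_topup", "dev-X"),
    _auth("2024-05-10T20:07", 18000, "wallet_topup", "dev-X"),
    _auth("2024-05-10T20:09", 15000, "quasi_cash", "dev-X"),
]

if __name__ == "__main__":
    for ts, amount, otp_ok, flags in review(SAMPLE, datetime(2024, 5, 10)):
        print(ts, amount, "OTP passed" if otp_ok else "no OTP", flags or "no flags")
```

A cardholder asking the bank to explain its fraud detection analysis is, in effect, asking which checks of this kind were run on the disputed charges and what they returned.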


VII. Liability of the Cardholder

A cardholder may be held liable if the bank proves that the cardholder authorized the transaction or was negligent under the cardholder agreement and applicable rules.

Possible grounds for cardholder liability include:

  1. Sharing OTP, CVV, PIN, password, or login credentials;
  2. Clicking a suspicious link despite clear warnings;
  3. Ignoring OTP messages showing merchant and amount;
  4. Failing to report the fraud promptly;
  5. Allowing another person to use the card;
  6. Using an unsecured device;
  7. Responding to a fake call and revealing confidential data;
  8. Confirming or approving a transaction without verifying details;
  9. Delayed review of statements;
  10. Breach of cardholder agreement.

However, liability is not automatic. The circumstances must still be examined.

A cardholder who was tricked does not become a fraudster. The question is whether the cardholder’s conduct fell below the standard of reasonable care expected from a credit card user.


VIII. Liability of the Bank or Card Issuer

A bank may be responsible, fully or partially, if it failed to comply with legal, contractual, regulatory, or consumer protection duties.

Possible grounds for bank liability include:

  1. Failure to implement adequate authentication controls;
  2. Failure to send timely transaction alerts;
  3. Failure to act immediately after report;
  4. Failure to block further transactions after notification;
  5. Failure to properly investigate;
  6. Failure to provide documents supporting denial of the dispute;
  7. Failure to detect obviously suspicious transactions;
  8. Failure to maintain secure systems;
  9. Misleading communications;
  10. Unfair shifting of all loss to the consumer;
  11. Violation of BSP consumer protection standards;
  12. Failure to respond to complaints within reasonable time;
  13. Failure to explain the basis of denial;
  14. Failure to reverse finance charges during a valid dispute, where applicable under bank policy or rules;
  15. Poor fraud risk management.

Banks are not insurers against all fraud. But they are expected to exercise a high degree of diligence because banking is imbued with public interest.


IX. Liability of the Merchant

The merchant may be involved if the transaction was processed despite suspicious circumstances.

Merchant liability may arise where:

  1. The merchant failed to follow card network rules;
  2. The merchant accepted suspicious transactions;
  3. The merchant failed to verify identity when required;
  4. Goods were delivered to a fraudster despite red flags;
  5. The merchant ignored chargeback notices;
  6. The merchant participated in the fraud;
  7. The merchant was fake or shell-like;
  8. The transaction description was misleading;
  9. Refund policies were abused;
  10. The merchant failed to preserve transaction records.

In many credit card disputes, the cardholder does not directly sue or deal with the merchant at first. The bank usually initiates a chargeback process under card network rules, where available.


X. Liability of the Scammer

The scammer may be criminally and civilly liable.

Possible offenses may include:

  1. Estafa under the Revised Penal Code;
  2. Access device fraud under Republic Act No. 8484;
  3. Cybercrime offenses under Republic Act No. 10175;
  4. Identity theft;
  5. Computer-related fraud;
  6. Data privacy offenses, depending on the facts;
  7. Falsification or use of fictitious names;
  8. Money laundering-related concerns if proceeds were moved through accounts or e-wallets.

The difficulty is practical enforcement. Scammers often use fake identities, mule accounts, foreign websites, prepaid numbers, disposable emails, or cryptocurrency channels.

Still, a police or cybercrime report can help support the cardholder’s bank dispute.


XI. Immediate Steps After Discovering the Fraud

A cardholder should act fast. Delay can weaken the dispute.

1. Lock or Block the Card

Use the bank app, hotline, or branch to block the card immediately.

2. Call the Bank’s Fraud Hotline

Report the exact transactions and ask for:

  1. Blocking of the card;
  2. Replacement card;
  3. Temporary reversal or dispute tagging;
  4. Investigation reference number;
  5. Written acknowledgment;
  6. Copy of dispute form;
  7. Instructions on supporting documents.

3. Change Passwords

Change passwords for:

  1. Online banking;
  2. Email;
  3. Mobile wallet;
  4. Shopping apps;
  5. Social media;
  6. Any account using the same credentials.

4. Secure the Mobile Number

If SIM swap is suspected, contact the telco immediately.

5. Preserve Evidence

Do not delete:

  1. SMS messages;
  2. Emails;
  3. Call logs;
  4. Screenshots;
  5. Fake website URLs;
  6. OTP messages;
  7. Transaction alerts;
  8. Bank app notifications;
  9. Messenger or Viber conversations;
  10. Statement of account;
  11. Dispute acknowledgments.

6. File a Written Dispute

A phone call is useful, but a written dispute is stronger.

7. File a Police or Cybercrime Report

Report to the Philippine National Police Anti-Cybercrime Group, National Bureau of Investigation Cybercrime Division, or local police station, depending on accessibility.

8. Escalate to BSP if Needed

If the bank denies the claim or fails to respond properly, the cardholder may elevate the matter to the BSP consumer assistance mechanism.


XII. Evidence Needed for a Strong Dispute

A strong dispute is evidence-driven.

Useful evidence includes:

  1. Credit card statement showing the disputed transaction;
  2. Screenshot of transaction alert;
  3. OTP message;
  4. SMS or email from scammer;
  5. Fake website link or screenshot;
  6. Call log showing scam call;
  7. Timeline of events;
  8. Proof that the cardholder did not receive goods or services;
  9. Proof that the transaction was inconsistent with prior spending;
  10. Bank complaint reference number;
  11. Police or cybercrime report;
  12. Affidavit of denial;
  13. Screenshots of bank warnings, or lack of warnings;
  14. Correspondence with the merchant, if any;
  15. Proof of immediate reporting;
  16. Screenshot showing card lock time;
  17. Device security logs, where available;
  18. Email compromise or SIM swap documents, if relevant.

XIII. Timeline of Events: Why It Matters

A clear timeline can make or break the dispute.

The timeline should include:

  1. When the phishing message was received;
  2. When the link was clicked or call was answered;
  3. What information was entered or disclosed;
  4. When the OTP was received;
  5. What the OTP message said;
  6. When the transaction occurred;
  7. When the cardholder received the alert;
  8. When the cardholder contacted the bank;
  9. When the card was blocked;
  10. When the written dispute was filed;
  11. When the police or cybercrime report was filed;
  12. When the bank responded;
  13. When the bank denied or approved the reversal.

Prompt reporting strengthens the cardholder’s position. A delay allows the bank to argue that the cardholder failed to mitigate the loss.


XIV. How to Write the Bank Dispute Letter

A good dispute letter should be direct, factual, and supported by documents.

It should include:

  1. Cardholder’s name;
  2. Last four digits of the card;
  3. Account or customer number, if needed;
  4. Transaction date;
  5. Merchant name;
  6. Amount;
  7. Currency;
  8. Statement date;
  9. Reason for dispute;
  10. Statement that the cardholder did not authorize the transaction;
  11. Description of phishing incident;
  12. Date and time of report to bank;
  13. Request for reversal;
  14. Request to suspend charges, interest, and penalties on the disputed amount;
  15. Request for investigation documents;
  16. Attached evidence;
  17. Contact details;
  18. Signature.

The letter should avoid speculation. It should not falsely deny facts. If the cardholder entered an OTP because of deception, it is usually better to explain the deception rather than make a blanket denial that can be contradicted by bank logs.


XV. Sample Dispute Letter

[Date]

[Name of Bank]
Credit Card Disputes / Fraud Department
[Bank Address or Email]

Subject: Dispute of Unauthorized Credit Card Transaction Due to Phishing

Dear Sir/Madam:

I am writing to formally dispute the following credit card transaction:

Cardholder Name: [Name]
Credit Card Number: **** **** **** [Last 4 digits]
Transaction Date: [Date]
Merchant: [Merchant Name]
Amount: [Amount]
Reference Number: [If available]

I did not knowingly authorize this transaction and did not receive any goods or services from the merchant. The transaction occurred after I was targeted by a phishing scam involving [briefly describe SMS/email/call/fake website]. I believed I was dealing with [bank/legitimate entity], but later discovered that the communication was fraudulent.

Upon discovering the unauthorized transaction, I immediately reported the matter to your hotline on [date and time], under reference number [reference number], and requested that my card be blocked. I also took steps to secure my accounts and preserve the evidence.

I respectfully request that the disputed amount be reversed and that any interest, penalties, fees, or finance charges related to the disputed transaction be suspended or removed while the investigation is pending. I also request a written explanation of your findings and copies or details of the records relied upon in evaluating this dispute, including authentication logs, merchant information, transaction authorization details, and chargeback status, to the extent allowed by law and applicable rules.

Attached are copies of the relevant documents, including [list attachments: transaction alert, statement, screenshots, phishing message, OTP message, police report, etc.].

Thank you.

Sincerely,
[Name]
[Contact Number]
[Email Address]


XVI. Should the Cardholder Pay the Disputed Amount While Investigation Is Pending?

This is a practical issue.

Banks may still include the disputed amount in the statement of account while investigation is pending. If the cardholder does not pay, interest, late payment charges, and negative credit consequences may arise depending on the bank’s policy.

The cardholder should ask the bank in writing to:

  1. Temporarily suspend collection of the disputed amount;
  2. Reverse or hold finance charges;
  3. Avoid reporting the disputed amount as delinquent;
  4. Confirm whether minimum payment is still required;
  5. Clarify whether non-payment affects credit standing.

If the cardholder can afford it, some choose to pay under protest to avoid interest, then continue the dispute. Others refuse to pay the disputed portion and document the refusal. The best approach depends on the amount, bank policy, risk tolerance, and legal strategy.

A payment made under protest should be clearly stated in writing, so it is not treated as admission that the transaction is valid.


XVII. Chargeback: What It Is and Why It Matters

A chargeback is a reversal process under card network rules, usually involving the issuing bank, acquiring bank, merchant, and card network.

The cardholder asks the issuing bank to dispute the transaction. The issuing bank may raise a chargeback against the merchant’s acquiring bank. The merchant may accept or fight the chargeback. Evidence is exchanged.

Important points:

  1. Chargeback rules have strict deadlines;
  2. The bank must act promptly;
  3. Not every transaction qualifies;
  4. Successful chargeback may depend on the reason code;
  5. OTP-authenticated transactions may be harder to charge back;
  6. Digital goods, wallet top-ups, and quasi-cash transactions can be difficult;
  7. Merchant evidence can defeat a chargeback;
  8. Chargeback denial does not always end legal remedies.

Cardholders should ask the bank whether a chargeback was filed, what reason code was used, and what evidence the merchant submitted.


XVIII. Common Bank Denial Reasons

Banks commonly deny phishing-related disputes using language such as:

  1. “Transaction was authenticated by OTP.”
  2. “Cardholder participated in the transaction.”
  3. “Valid credentials were used.”
  4. “No bank system breach was found.”
  5. “The transaction was 3D Secure authenticated.”
  6. “The cardholder shared confidential information.”
  7. “The dispute is not eligible for chargeback.”
  8. “The transaction was completed prior to reporting.”
  9. “The merchant provided proof of valid transaction.”
  10. “The cardholder is liable under the terms and conditions.”

A denial should not always be accepted at face value. The cardholder may request reconsideration and ask for the factual basis of the denial.


XIX. How to Respond to a Denial

A reconsideration letter should focus on gaps in the bank’s investigation.

Possible points:

  1. The use of OTP does not conclusively prove informed consent;
  2. The OTP was obtained by fraud;
  3. The transaction was inconsistent with ordinary card usage;
  4. The bank failed to explain its fraud detection analysis;
  5. The bank failed to provide merchant documentation;
  6. The transaction alert was delayed or unclear;
  7. The bank failed to timely block the transaction or card;
  8. The bank failed to assist with chargeback;
  9. The cardholder reported promptly;
  10. The cardholder did not receive goods or services;
  11. The bank’s denial merely quoted terms and conditions without addressing the facts.

The cardholder may also elevate the matter to BSP or pursue court remedies.


XX. Complaint to the Bangko Sentral ng Pilipinas

If the bank does not resolve the complaint, the cardholder may file a consumer complaint with the BSP.

Before escalating, the cardholder should usually have:

  1. Filed a written complaint with the bank;
  2. Obtained a reference number;
  3. Waited for the bank’s response or allowed a reasonable period;
  4. Gathered documentary evidence;
  5. Prepared a concise statement of facts.

A BSP complaint should include:

  1. Name of bank;
  2. Cardholder information;
  3. Transaction details;
  4. Timeline;
  5. Copies of communications;
  6. Bank’s denial or failure to respond;
  7. Specific relief requested.

BSP complaint mechanisms are not the same as a court judgment. BSP may facilitate resolution, require explanation, or evaluate regulatory compliance. It may not always directly order the kind of damages a court can award.


XXI. Criminal Complaint

The victim may file a criminal complaint against unknown persons or identified suspects.

Possible venues include:

  1. PNP Anti-Cybercrime Group;
  2. NBI Cybercrime Division;
  3. Local police cybercrime desk, if available;
  4. Prosecutor’s office, if suspects are known and evidence is sufficient.

The complaint should include:

  1. Affidavit of complaint;
  2. Screenshots of phishing messages;
  3. Fake website URL;
  4. Bank transaction records;
  5. OTP messages;
  6. Call logs;
  7. Phone numbers used;
  8. Email headers, if available;
  9. Merchant or recipient account details;
  10. Bank certificates or statements;
  11. Any identified mule account, wallet, or delivery address.

A criminal complaint is useful, but it may not immediately reverse the credit card charge. The bank dispute should proceed separately.


XXII. Civil Case or Small Claims

Depending on the amount and facts, a cardholder may consider civil remedies.

Possible claims may include:

  1. Recovery of the disputed amount;
  2. Damages for negligence;
  3. Breach of contract;
  4. Violation of consumer protection obligations;
  5. Moral damages, where justified;
  6. Attorney’s fees;
  7. Costs of suit.

For smaller amounts, small claims may be considered, but the suitability depends on the nature of the claim, parties, amount, and procedural rules in force. Credit card disputes involving banks may involve complex legal and factual issues, so legal advice is often needed before filing.


XXIII. Estafa, Fraud, and Phishing

Phishing scams may constitute estafa if the offender defrauded the victim through deceit and caused damage.

Elements generally involve:

  1. Deceit or fraudulent representation;
  2. Reliance by the victim;
  3. Damage or prejudice;
  4. Causal connection between deceit and loss.

If committed through information and communications technology, cybercrime laws may increase or affect penalties depending on the offense charged.


XXIV. Access Device Fraud

Credit card details, OTPs, account numbers, and similar credentials may fall within access-device-related fraud scenarios.

Acts involving unauthorized possession, use, production, trafficking, or control of access devices or access device data may be punishable.

In a phishing situation, the offender may have obtained access device information by deceit and used it to initiate unauthorized transactions.


XXV. Data Privacy Issues

A phishing victim should consider whether personal data was compromised.

Relevant questions include:

  1. How did the scammer know the victim’s name, bank, card type, or recent transaction?
  2. Was the SMS targeted or generic?
  3. Did the message appear in a legitimate sender thread?
  4. Was the card number already known to the scammer?
  5. Was there a breach involving a merchant, bank, courier, or platform?
  6. Did the bank notify customers of any compromise?
  7. Were unauthorized changes made to personal information?

If a personal data breach is suspected, the victim may consider a complaint with the National Privacy Commission, especially if there is evidence that a personal information controller failed to protect data.


XXVI. SIM Swap and Mobile Number Takeover

Some unauthorized transactions happen after criminals take control of the victim’s SIM card or mobile number.

Signs of SIM swap include:

  1. Sudden loss of mobile signal;
  2. Inability to receive calls or texts;
  3. Unauthorized SIM replacement;
  4. OTPs no longer received by the cardholder;
  5. Password reset alerts;
  6. Unauthorized account login notices.

If SIM swap is suspected, the victim should immediately contact the telco and request records of SIM replacement, account changes, or suspicious activity.

Potentially responsible parties may include the scammer, mule account holders, and possibly a negligent telco representative if improper SIM replacement occurred.


XXVII. Mule Accounts and Money Trail

Phishing proceeds often pass through mule bank accounts, e-wallets, crypto wallets, or merchants.

A mule account is an account used to receive or move scam proceeds. The account holder may be complicit or may claim to have been deceived.

Victims should ask the bank or law enforcement whether the transaction was:

  1. A merchant purchase;
  2. Wallet top-up;
  3. Cash advance;
  4. Fund transfer;
  5. Quasi-cash transaction;
  6. Online gambling or gaming-related transaction;
  7. Cryptocurrency-related purchase;
  8. Payment gateway transaction.

The classification matters because some transaction types are harder to reverse.


XXVIII. Special Problem: E-Wallet or Payment Gateway Transactions

Many fraudulent credit card charges are not direct purchases of goods. They may be routed through payment gateways, e-wallets, or online platforms.

The statement may show a merchant name that is not the actual scammer. For example, the charge may appear as a payment processor, digital wallet, app store, food platform, or marketplace.

In these cases, the cardholder should ask:

  1. What was the final recipient?
  2. Was the transaction a wallet cash-in?
  3. Was there a delivery address?
  4. Was there a user account tied to the purchase?
  5. Was the transaction reversible?
  6. Was the payment gateway notified?
  7. Did the bank initiate retrieval or chargeback?

XXIX. Bank’s Duty of Diligence

Philippine jurisprudence has repeatedly recognized that banking is affected with public interest and banks are expected to exercise high standards of diligence. While specific liability still depends on the facts, this principle helps cardholders argue that banks must not casually dismiss fraud complaints.

In credit card phishing disputes, bank diligence may be assessed based on:

  1. Quality of authentication;
  2. Clarity of OTP messages;
  3. Adequacy of customer warnings;
  4. Speed of fraud response;
  5. Effectiveness of transaction monitoring;
  6. Accuracy of investigation;
  7. Fairness of dispute resolution;
  8. Transparency of denial;
  9. Compliance with BSP regulations;
  10. Handling of disputed amounts.

XXX. Cardholder’s Duty of Care

Cardholders also have duties.

A reasonably careful cardholder should:

  1. Never share OTPs;
  2. Never enter card details through links in SMS or email;
  3. Use only official bank apps and websites;
  4. Verify calls through the official hotline;
  5. Lock card when not in use, if available;
  6. Set transaction limits;
  7. Activate alerts;
  8. Review statements;
  9. Report suspicious transactions immediately;
  10. Avoid saving card details on untrusted websites;
  11. Keep phone and email secure;
  12. Use strong passwords and two-factor authentication;
  13. Avoid reusing passwords;
  14. Be cautious of urgency, threats, rewards, and fake verification requests.

Failure to observe these precautions may be used by the bank to argue negligence.


XXXI. Comparative Fault: Can Liability Be Shared?

In some cases, both the cardholder and bank may have contributed to the loss.

For example:

  1. The cardholder entered the OTP on a phishing site;
  2. The bank’s OTP message failed to clearly state the transaction purpose;
  3. The transaction was unusually large;
  4. The bank failed to flag it;
  5. The cardholder reported immediately;
  6. The bank delayed blocking the card.

In such cases, liability may arguably be allocated based on comparative negligence or equitable considerations, depending on forum and facts.

A full reversal is possible in some cases. A partial settlement is also possible.


XXXII. Finance Charges, Late Fees, and Credit Standing

A disputed fraudulent transaction can grow because of interest, penalties, and late charges.

The cardholder should demand in writing that the bank:

  1. Freeze the disputed amount;
  2. Reverse interest and penalties related to the disputed transaction;
  3. Prevent adverse credit reporting while the matter is under investigation;
  4. Confirm that collection calls will stop for the disputed amount;
  5. Separate undisputed purchases from disputed charges.

If the bank continues to impose finance charges after a timely dispute, this may become a separate consumer protection issue.


XXXIII. Collection Harassment

If a bank or collection agency pressures the cardholder to pay a disputed fraudulent transaction, the cardholder should document:

  1. Calls;
  2. Texts;
  3. Emails;
  4. Threats;
  5. Time and frequency of calls;
  6. Names of agents;
  7. Collection letters;
  8. Disclosure to third parties;
  9. Abusive language;
  10. Threats of public shaming or a criminal case.

Unfair, abusive, or excessive collection conduct may be subject to complaint.


XXXIV. Credit Information and Negative Reporting

If the disputed transaction causes non-payment, the bank may report delinquency to credit bureaus or credit information systems. This can affect future loans, credit cards, and financing.

The cardholder should request that the bank not report the disputed amount as delinquent while the fraud investigation is pending. If already reported, the cardholder may ask for correction or notation of dispute.


XXXV. Prescription and Deadlines

Different deadlines may apply:

  1. Bank-specific dispute filing period;
  2. Credit card network chargeback deadlines;
  3. Deadline to report unauthorized transactions under the cardholder agreement;
  4. Criminal prescription periods;
  5. Civil action prescription periods;
  6. Regulatory complaint timelines.

The safest approach is to report immediately and file the written dispute as soon as possible.

Waiting for the statement of account may be risky if the transaction alert was already received earlier.


XXXVI. Practical Red Flags That Help the Cardholder’s Case

A dispute may be stronger if:

  1. The cardholder reported within minutes or hours;
  2. The transaction was unusual compared to prior spending;
  3. The merchant was foreign or unknown;
  4. Multiple attempts occurred;
  5. The transaction was made while the cardholder was asleep, abroad, or otherwise in a location inconsistent with the transaction;
  6. No goods or services were received;
  7. The OTP message was unclear;
  8. The bank failed to notify promptly;
  9. The cardholder never used the merchant before;
  10. The bank delayed blocking the card;
  11. The bank gave only a template denial;
  12. There were public reports of similar scams using the same sender or merchant.

XXXVII. Facts That Weaken the Cardholder’s Case

A dispute may be weaker if:

  1. The cardholder knowingly shared the OTP with another person;
  2. The OTP message clearly stated the amount and merchant;
  3. The cardholder delayed reporting for days or weeks;
  4. The cardholder previously transacted with the merchant;
  5. Goods or services were delivered to the cardholder’s address;
  6. The transaction was done from the cardholder’s device and account;
  7. The cardholder gave inconsistent statements;
  8. The cardholder deleted evidence;
  9. The cardholder ignored repeated fraud warnings;
  10. The cardholder authorized a family member or employee to use the card.

Even then, the case is not automatically lost. The bank’s own conduct still matters.


XXXVIII. What to Ask the Bank During Investigation

The cardholder should ask for:

  1. Transaction authorization logs;
  2. Authentication method used;
  3. OTP message content;
  4. Date and time the OTP was sent;
  5. Merchant category code;
  6. Acquiring bank or payment processor;
  7. Chargeback status;
  8. Merchant evidence;
  9. Delivery or fulfillment details;
  10. IP address or device data, where disclosable;
  11. Basis for denial;
  12. Applicable cardholder agreement provision;
  13. Whether fraud rules or chargeback rules were applied;
  14. Whether similar fraud reports were received involving the merchant;
  15. Why the transaction was not flagged.

The bank may not disclose everything because of security, privacy, or network rules, but asking creates a record and may expose weaknesses in a template denial.


XXXIX. Suggested Structure for Reconsideration Letter

[Date]

[Name of Bank]
Credit Card Disputes / Fraud Department

Subject: Request for Reconsideration — Unauthorized Transaction Dispute

Dear Sir/Madam:

I respectfully request reconsideration of your denial of my dispute involving the following transaction:

Transaction Date: [Date]
Merchant: [Merchant]
Amount: [Amount]
Card Number: **** **** **** [Last 4 digits]
Dispute Reference Number: [Reference]

Your denial appears to rely mainly on the fact that the transaction was authenticated through [OTP/3D Secure/online credentials]. However, the OTP or authentication step was obtained through a phishing scam. I did not knowingly authorize a purchase from the merchant, did not intend to transact with the merchant, and did not receive goods or services from the merchant.

I reported the incident on [date and time], immediately after discovering the unauthorized transaction. I also requested that the card be blocked and submitted supporting documents.

I respectfully request that the bank consider the following:

  1. The transaction was induced by fraud and deception;
  2. Authentication does not necessarily prove informed consent to the specific transaction;
  3. The transaction was unusual and inconsistent with my normal card usage;
  4. I promptly reported the matter and cooperated with the investigation;
  5. I did not benefit from the transaction;
  6. I request details of the bank’s fraud review, chargeback action, and merchant evidence.

Please provide a written explanation of the specific factual and legal basis for the denial, including the transaction logs, authentication details, merchant response, and chargeback status, to the extent allowed by law and applicable rules.

I also reiterate my request for reversal of the disputed amount and removal of all related interest, penalties, and charges.

Sincerely,

[Name]


XL. Possible Remedies

Depending on the facts, a cardholder may pursue one or more of the following remedies:

  1. Bank dispute;
  2. Chargeback request;
  3. Reconsideration;
  4. BSP consumer complaint;
  5. Complaint with National Privacy Commission, if data privacy issues exist;
  6. Criminal complaint with PNP or NBI;
  7. Complaint against telco, if SIM swap is involved;
  8. Complaint against merchant or payment gateway;
  9. Civil action for recovery or damages;
  10. Negotiated settlement;
  11. Payment under protest while pursuing dispute;
  12. Request for restructuring of undisputed amount, if needed.

XLI. Common Misconceptions

“The bank must always reverse fraud.”

Not always. The bank will investigate and may deny the dispute if it believes the cardholder authorized the transaction or was negligent.

“If an OTP was used, the cardholder always loses.”

Not necessarily. OTP use is strong evidence, but phishing may show that apparent authorization was fraudulently obtained.

“A police report automatically forces reversal.”

No. It helps support the claim, but the bank still conducts its own investigation.

“A BSP complaint is the same as a lawsuit.”

No. BSP consumer assistance is regulatory and facilitative. Court action may still be needed for damages or contested legal claims.

“Not paying the disputed amount has no consequence.”

It can create interest, penalties, collection action, and credit reporting issues. The cardholder should handle payment strategy carefully.

“Deleting scam messages protects privacy.”

It weakens evidence. Preserve everything.


XLII. Prevention Measures

To reduce future risk:

  1. Use card lock controls;
  2. Set low transaction limits;
  3. Disable online or international transactions when not needed;
  4. Use virtual cards where available;
  5. Never click banking links in SMS or email;
  6. Type the bank website manually or use the official app;
  7. Never share OTPs;
  8. Read OTP messages carefully;
  9. Use a separate email for banking;
  10. Secure the SIM with telco account protections;
  11. Turn on app notifications;
  12. Avoid saving cards on random websites;
  13. Use password managers;
  14. Monitor statements weekly;
  15. Report suspicious messages to the bank and telco.

XLIII. Key Takeaways

An unauthorized credit card transaction after a phishing scam in the Philippines involves overlapping issues of fraud, banking law, consumer protection, cybersecurity, contract, evidence, and negligence.

The strongest cardholder position usually requires showing that:

  1. The transaction was not knowingly authorized;
  2. The cardholder was deceived by phishing;
  3. The cardholder acted promptly;
  4. The cardholder preserved evidence;
  5. The cardholder did not benefit from the transaction;
  6. The transaction was suspicious or unusual;
  7. The bank’s investigation or security controls were inadequate;
  8. The bank’s denial was unsupported or unfair.

The bank’s strongest position usually rests on showing that:

  1. Valid credentials were used;
  2. The OTP clearly identified the transaction;
  3. The cardholder disclosed confidential information;
  4. The bank followed security procedures;
  5. The transaction was properly authenticated;
  6. The cardholder delayed reporting;
  7. The cardholder agreement assigns liability to the cardholder.

Ultimately, these cases are fact-intensive. A phishing victim should move quickly, preserve evidence, dispute in writing, demand clear explanations, escalate when necessary, and avoid treating a template bank denial as the final word.
