I. Introduction
Credit card fraud increasingly begins not with a stolen card, but with a deceptive message: a fake bank SMS, email, call, website, or social media link that tricks the cardholder into giving away confidential information. In the Philippine setting, this is commonly called phishing, and when it leads to a credit card charge that the cardholder did not truly authorize, the issue becomes both a consumer protection dispute and a possible cybercrime or financial fraud case.
This article discusses the Philippine legal framework, the rights and obligations of cardholders, banks, credit card issuers, merchants, payment processors, and fraudsters, and the practical steps to dispute an unauthorized credit card transaction after a phishing scam.
This is a general legal information article, not a substitute for advice from a Philippine lawyer.
II. What Is a Phishing Scam?
Phishing is a form of deception where a fraudster impersonates a legitimate institution, usually a bank, credit card issuer, delivery service, government office, e-wallet provider, or online platform, to obtain sensitive information.
Common phishing methods include:
- Fake bank SMS messages warning of suspicious activity.
- Emails pretending to be from a credit card issuer.
- Fake customer service calls.
- Links to counterfeit banking websites.
- Social media messages pretending to be official support channels.
- QR codes leading to fake payment or verification pages.
- Fake delivery fee or customs payment links.
- Messages asking the cardholder to “verify” the account.
- Fraudulent calls asking for a one-time password or OTP.
- Malware links that capture passwords, card numbers, or authentication codes.
The fraudster may obtain any of the following:
- Credit card number.
- Card verification value or CVV.
- Expiration date.
- OTP.
- Online banking username and password.
- Security answers.
- Mobile number or SIM details.
- Personal information used for account verification.
Once obtained, the fraudster may use the card for online purchases, wallet cash-ins, subscriptions, foreign transactions, gaming credits, travel bookings, or money transfers.
III. What Makes a Transaction “Unauthorized”?
A credit card transaction may be considered unauthorized when the cardholder did not knowingly, freely, and intentionally consent to the charge.
However, phishing cases are legally complicated because the fraudster may have used correct credentials, card details, or OTPs. Banks may argue that the transaction was authenticated. The cardholder may argue that any apparent authorization was obtained through fraud, deception, or manipulation.
An unauthorized transaction may include:
- A charge made by a fraudster without the cardholder’s knowledge.
- A charge made after the cardholder was tricked into giving card details.
- A charge completed after a fraudster obtained the OTP through deception.
- A charge made through account takeover.
- A transaction that the cardholder did not initiate.
- A transaction that was materially different from what the cardholder intended.
- A transaction processed after the cardholder reported the card compromised.
The central legal question is often this:
Was the cardholder truly negligent, or did the bank, issuer, merchant, or payment system fail to prevent or respond to fraud?
IV. Applicable Philippine Laws and Regulations
Several Philippine laws and regulatory frameworks may apply.
A. Civil Code of the Philippines
The Civil Code governs obligations, contracts, negligence, damages, and liability.
Relevant principles include:
- Obligations arising from law, contracts, quasi-contracts, delicts, and quasi-delicts.
- Fraud vitiates consent.
- Negligence may give rise to liability.
- Parties to a contract must act with good faith.
- Damages may be recoverable when a party suffers injury due to another’s fault or negligence.
In a credit card relationship, the cardholder and issuer are bound by contract. But that contract is not interpreted in isolation. Banks and financial institutions are expected to observe high standards of diligence.
B. Consumer Act of the Philippines
The Consumer Act protects consumers from deceptive, unfair, and unconscionable practices. While not every credit card dispute falls neatly under product-consumer issues, the broader policy of consumer protection supports fair treatment of cardholders, transparent billing, and proper dispute handling.
C. Access Devices Regulation Act
The Access Devices Regulation Act addresses fraud involving credit cards, debit cards, account numbers, codes, and other access devices.
Credit cards and related credentials may qualify as access devices. Fraudulent use, possession, trafficking, or unauthorized access may expose the offender to criminal liability.
In phishing cases, the fraudster may be liable for unauthorized access device use, identity misuse, or related fraudulent acts.
D. Cybercrime Prevention Act
The Cybercrime Prevention Act of 2012 is highly relevant because phishing usually involves computer systems, electronic communications, fraudulent websites, unauthorized access, identity theft, or computer-related fraud.
Possible cybercrime issues include:
- Computer-related fraud.
- Computer-related identity theft.
- Illegal access.
- Misuse of devices.
- Cyber-squatting or fake domains, depending on the facts.
- Fraud conducted through electronic means.
A phishing scam that leads to unauthorized credit card use can therefore have a cybercrime dimension.
E. Data Privacy Act
The Data Privacy Act of 2012 may apply if personal data was collected, processed, disclosed, or compromised. Banks, credit card issuers, merchants, payment processors, and online platforms are personal information controllers or processors depending on their role.
Possible issues include:
- Failure to secure personal data.
- Improper disclosure of information.
- Weak authentication or verification practices.
- Failure to notify affected data subjects when required.
- Mishandling of fraud reports containing personal information.
The fraudster is usually the direct wrongdoer, but institutions may also face scrutiny if the incident resulted from poor data protection controls.
F. Electronic Commerce Act
The E-Commerce Act recognizes electronic documents, electronic signatures, and electronic transactions. In credit card disputes, banks may rely on electronic logs, OTP records, IP addresses, device IDs, timestamps, and transaction confirmations.
The cardholder may challenge whether those electronic records prove genuine consent, especially where fraud, impersonation, or social engineering was involved.
G. Bangko Sentral ng Pilipinas Rules
Banks and credit card issuers are regulated by the Bangko Sentral ng Pilipinas. BSP rules and circulars generally emphasize:
- Consumer protection.
- Fair treatment of financial consumers.
- Proper disclosure.
- Complaint handling.
- Cybersecurity and operational risk management.
- Fraud risk management.
- Secure electronic banking.
- Timely resolution of consumer complaints.
- Accountability of BSP-supervised financial institutions.
A cardholder may elevate unresolved disputes to the BSP’s consumer assistance channels, especially when the bank refuses to investigate properly, imposes disputed charges unfairly, or fails to explain its decision.
H. Financial Products and Services Consumer Protection Act
The Financial Products and Services Consumer Protection Act strengthens protection for financial consumers. It supports principles such as:
- Fair and respectful treatment.
- Transparency.
- Protection against fraud and abusive practices.
- Effective complaint handling.
- Accountability of financial service providers.
- Suitability and consumer protection controls.
This law is important because credit card issuance and electronic financial services are financial products and services.
V. The Legal Relationship Between the Cardholder and the Credit Card Issuer
A credit card is governed primarily by contract. The cardholder agreement usually provides rules on:
- Card use.
- Billing.
- Payment obligations.
- Liability for unauthorized transactions.
- Reporting lost or stolen cards.
- Use of PINs, OTPs, and passwords.
- Dispute periods.
- Finance charges.
- Minimum payments.
- Investigation procedures.
- Chargeback rights.
- Termination and suspension.
However, a bank cannot rely on contract terms in a way that defeats mandatory law, public policy, consumer protection rules, or the requirement of good faith.
Typical cardholder agreements say that the cardholder must safeguard the card and credentials. Banks often argue that the cardholder is liable where the correct OTP was used. But that does not automatically end the dispute. The context matters.
Important questions include:
- Was the OTP obtained through deception?
- Was the bank’s warning clear and timely?
- Was the transaction unusual compared with the cardholder’s profile?
- Was the transaction high-risk?
- Was there a sudden foreign or online transaction?
- Did the issuer send real-time alerts?
- Did the cardholder report the fraud promptly?
- Did the issuer block the card immediately after notice?
- Did the merchant perform sufficient verification?
- Did the bank properly investigate before denying the dispute?
VI. Cardholder Duties After a Phishing Scam
A cardholder must act quickly and responsibly once phishing or unauthorized use is discovered.
A. Immediately Contact the Bank
The first step is to call the official bank hotline or use the official mobile app or website. The cardholder should:
- Report the card as compromised.
- Ask for immediate card blocking.
- Request a replacement card.
- Report the specific unauthorized transactions.
- Ask for a reference number.
- Ask whether a temporary credit or hold on collection can be applied.
- Ask for the bank’s dispute form and required documents.
B. File a Written Dispute
A verbal report is not enough. The cardholder should submit a written dispute by email, app, branch, or official channel.
The dispute should include:
- Cardholder’s name.
- Masked card number.
- Date and time of incident.
- Description of phishing scam.
- Disputed transaction details.
- Merchant name.
- Amount.
- Currency.
- Date posted.
- Date discovered.
- Date reported.
- Request for reversal.
- Request for investigation.
- Request to suspend interest, penalties, and collection on the disputed amount pending investigation.
C. Preserve Evidence
The cardholder should keep:
- Screenshots of phishing SMS, email, or website.
- Caller number.
- URLs clicked.
- Email headers if available.
- Bank alerts.
- OTP messages.
- Transaction notifications.
- Chat transcripts.
- Timeline of events.
- Police or cybercrime report.
- Bank reference numbers.
- Dispute forms.
- Billing statements.
- Proof that the cardholder did not receive the goods or benefit from the transaction.
D. Do Not Delete Messages
Fraud evidence is often lost because victims delete embarrassing or suspicious messages. The cardholder should preserve everything.
E. Change Passwords
The cardholder should change passwords for:
- Online banking.
- Email.
- Mobile wallet.
- Shopping platforms.
- Social media accounts.
- Telco account.
- Any account using the same password.
F. Report to Authorities
Depending on the seriousness, the cardholder may report to:
- Philippine National Police Anti-Cybercrime Group.
- National Bureau of Investigation Cybercrime Division.
- The bank’s fraud department.
- BSP consumer assistance channels.
- National Privacy Commission, if personal data issues are involved.
VII. The Bank’s Duties in Handling the Dispute
A bank or credit card issuer should not dismiss a dispute merely because the card details or OTP were used. It should conduct a real investigation.
The bank should review:
- Transaction logs.
- Authentication records.
- Merchant category.
- Device fingerprint.
- IP address and geolocation.
- Prior spending behavior.
- Whether transaction alerts were sent.
- Whether the transaction was 3D Secure authenticated.
- Whether there were multiple failed attempts.
- Whether the transaction pattern was suspicious.
- Whether the merchant has fraud history.
- Whether the cardholder reported promptly.
- Whether the bank blocked the card in time.
- Whether chargeback rights are available.
- Whether the transaction was card-present or card-not-present.
The bank must treat the cardholder fairly and provide a reasoned decision. A bare denial is weak consumer dispute handling.
VIII. OTP Use: Does It Automatically Make the Cardholder Liable?
No. The use of an OTP is strong evidence of authentication, but it should not always be treated as absolute proof that the cardholder knowingly authorized the transaction.
A phishing victim may have been deceived into disclosing the OTP. The legal analysis may consider whether the cardholder was grossly negligent, ordinarily negligent, or reasonably deceived by a sophisticated scam.
Banks frequently argue:
- OTP was sent to the registered mobile number.
- OTP was entered correctly.
- The transaction passed authentication.
- The cardholder violated the duty not to share OTPs.
- Therefore, the cardholder is liable.
Cardholders may respond:
- Consent obtained by fraud is not genuine consent.
- The phishing message impersonated the bank.
- The bank’s fraud detection failed.
- The transaction was unusual or suspicious.
- The merchant or payment processor had weak safeguards.
- The bank failed to act after timely notice.
- The bank’s terms should not override consumer protection law.
- The bank must prove more than mere OTP use.
The outcome depends heavily on evidence.
IX. Negligence, Gross Negligence, and Shared Responsibility
A key issue is whether the cardholder was negligent.
A. Ordinary Negligence
Ordinary negligence may exist where a cardholder failed to exercise reasonable care, such as clicking a suspicious link despite warning signs.
B. Gross Negligence
Gross negligence is more serious. It may involve a reckless disregard of obvious risks, such as knowingly giving a stranger the full card number, CVV, expiry date, online banking password, and OTP despite clear warnings.
C. No Negligence or Excusable Conduct
A cardholder may argue that there was no negligence where the scam was sophisticated, appeared to come from an official sender, used spoofed sender IDs, replicated the bank’s website, or occurred during a confusing live call by someone who already knew personal details.
D. Comparative or Shared Responsibility
In some cases, responsibility may be shared. A court, regulator, or dispute body may consider whether both the cardholder and bank contributed to the loss.
For example:
- The cardholder disclosed OTP after deception.
- The bank failed to flag a highly unusual transaction.
- The merchant shipped goods to an address unrelated to the cardholder.
- The bank delayed blocking the card after notice.
X. The Importance of Timing
Timing is crucial.
The cardholder should establish:
- When the phishing contact occurred.
- When the unauthorized transaction occurred.
- When the bank sent the alert.
- When the cardholder discovered the transaction.
- When the cardholder reported it.
- When the bank blocked the card.
- Whether further transactions occurred after the report.
If unauthorized transactions occurred after the cardholder reported the compromise, the case for the bank’s liability becomes stronger, because the bank had notice and a duty to prevent further loss.
XI. Chargeback Rights
A chargeback is a process where a credit card issuer reverses a disputed transaction through the card network, subject to rules and deadlines.
Possible chargeback grounds include:
- Fraudulent transaction.
- Card-not-present fraud.
- Goods or services not received.
- Duplicate processing.
- Incorrect amount.
- Unauthorized transaction.
- Merchant misrepresentation.
- Cancelled recurring transaction still charged.
However, chargebacks are subject to strict rules. The bank may require documents and must act within network deadlines.
A cardholder should specifically ask the issuer:
- Was a chargeback filed?
- Under what reason code?
- What documents were submitted?
- Did the merchant contest the chargeback?
- What evidence did the merchant provide?
- Was arbitration pursued?
- Why was the chargeback denied?
Banks sometimes deny disputes internally without clearly explaining whether a chargeback was actually attempted. The cardholder should request clarification.
XII. Common Bank Defenses
Banks may deny liability by arguing:
- The transaction was authenticated by OTP.
- The cardholder shared confidential information.
- The transaction used correct card details.
- The cardholder agreed to the terms and conditions.
- The cardholder failed to report immediately.
- The bank sent fraud warnings.
- The merchant completed the transaction properly.
- The transaction was not a bank system breach.
- The fraud resulted from the cardholder’s own negligence.
- The bank cannot recover funds from the merchant.
These defenses are not automatically conclusive. They must be evaluated against facts, law, regulations, and fairness.
XIII. Common Cardholder Arguments
A cardholder may argue:
- The transaction was not knowingly authorized.
- The cardholder was deceived by phishing.
- Fraud vitiated consent.
- The bank failed to detect a suspicious transaction.
- The transaction was inconsistent with normal spending behavior.
- The bank failed to provide adequate warning.
- The bank delayed blocking the card.
- The merchant failed to verify the transaction.
- The bank failed to pursue chargeback properly.
- The bank imposed finance charges unfairly while the dispute was pending.
- The bank’s investigation was incomplete.
- The denial letter was unsupported by evidence.
- The bank violated financial consumer protection standards.
XIV. What Evidence Helps the Cardholder?
Strong evidence includes:
- Immediate fraud report to the bank.
- Bank reference number.
- Screenshots of phishing messages.
- Screenshots of fake website.
- Proof of spoofed sender ID.
- Call logs.
- Police or cybercrime report.
- Affidavit of the cardholder.
- Billing statement showing disputed charge.
- Proof that the transaction was inconsistent with cardholder behavior.
- Proof that the cardholder was elsewhere or asleep.
- Proof that the merchant address, delivery address, IP address, or device was not connected to the cardholder.
- Proof that other customers experienced the same phishing campaign.
- Proof that the bank had prior warnings about similar scams.
- Proof of delayed bank response.
- Proof that charges continued after the report.
XV. What Evidence Helps the Bank?
The bank may rely on:
- OTP logs.
- SMS delivery records.
- 3D Secure authentication record.
- IP address.
- Device ID.
- Transaction timestamp.
- Cardholder agreement.
- Fraud warnings sent to the customer.
- Call recordings.
- App login logs.
- Confirmation that the cardholder’s registered number received the OTP.
- Merchant confirmation.
- Card network records.
- Prior similar transactions by the cardholder.
- Delay in reporting by the cardholder.
But the bank should be prepared to disclose enough information to support a fair decision, subject to privacy and security limits.
XVI. Interest, Penalties, and Collection During Dispute
A major practical concern is whether the cardholder must pay the disputed amount while investigation is ongoing.
Card issuers often require payment of at least the undisputed amounts. The cardholder should ask the issuer in writing to:
- Temporarily suspend collection of the disputed amount.
- Reverse or hold finance charges related to the disputed amount.
- Prevent negative credit reporting while the dispute is pending.
- Stop collection calls on the disputed amount.
- Confirm that payment of undisputed amounts will not be treated as admission of liability.
If the bank refuses, the cardholder may still choose to pay under protest to avoid compounding interest, then continue the dispute. The payment should be documented as payment under protest and not an admission that the transaction was valid.
Sample wording:
“Any payment made on this account is made under protest and solely to avoid additional charges, penalties, or adverse credit consequences. It should not be construed as admission that the disputed transaction is valid or authorized.”
XVII. Filing a Complaint with the BSP
If the bank denies the dispute or fails to act, the cardholder may escalate to the BSP’s consumer assistance mechanism.
A BSP complaint should include:
- Name of bank or issuer.
- Account or card details, masked.
- Chronology of events.
- Copies of dispute letters.
- Bank’s response or denial.
- Screenshots and evidence.
- Requested relief.
- Proof that the cardholder first raised the matter with the bank.
Possible requests include:
- Reversal of unauthorized transaction.
- Reversal of interest and penalties.
- Suspension of collection.
- Proper investigation.
- Written explanation of denial.
- Confirmation that no adverse credit reporting will occur while under dispute.
The BSP generally expects the consumer to first attempt resolution with the financial institution.
XVIII. Filing a Criminal Complaint
A phishing scam may justify a criminal complaint against unknown persons.
The complaint may involve:
- Cybercrime.
- Access device fraud.
- Estafa or fraud-related offenses.
- Identity theft.
- Unauthorized access.
- Use of fake websites or electronic communications to defraud.
The cardholder should bring:
- Valid ID.
- Credit card statement.
- Screenshots.
- URLs.
- Phone numbers.
- Email addresses.
- Chat logs.
- Call logs.
- Bank certification or transaction record, if available.
- Affidavit narrating the facts.
The fact that the fraudster is unknown does not prevent filing. Authorities may investigate digital traces, accounts, IP addresses, receiving merchants, wallets, delivery addresses, and phone numbers.
XIX. National Privacy Commission Issues
A complaint to the National Privacy Commission may be relevant where:
- The phishing was linked to a suspected data breach.
- The fraudster knew confidential personal data that should not have been public.
- The bank or merchant mishandled personal data.
- The institution failed to secure personal information.
- The institution failed to provide proper data breach notification.
- The cardholder’s personal data was used for identity theft.
However, not every phishing case is a data privacy violation by the bank. The cardholder must show some connection between the institution’s personal data processing and the harm.
XX. Civil Action Against the Bank or Responsible Parties
A cardholder may consider civil action if losses are significant and administrative remedies fail.
Possible causes of action may include:
- Breach of contract.
- Damages for negligence.
- Quasi-delict.
- Violation of consumer protection duties.
- Bad faith.
- Unjust enrichment, depending on facts.
- Declaratory relief or injunction in appropriate cases.
Possible damages include:
- Reversal or reimbursement of disputed charges.
- Interest and penalties paid.
- Actual damages.
- Moral damages, if legally justified.
- Exemplary damages, in proper cases.
- Attorney’s fees, when allowed.
Litigation can be costly, so the amount involved, available evidence, and likelihood of success should be carefully assessed.
XXI. Liability of Merchants and Payment Gateways
The merchant may also be involved in the dispute.
A merchant may be liable or lose the chargeback if it failed to:
- Verify the buyer.
- Use secure payment authentication.
- Detect suspicious transaction patterns.
- Confirm high-risk orders.
- Prevent shipment to fraud-linked addresses.
- Maintain proper transaction records.
- Comply with card network rules.
Payment gateways and processors may also be relevant where there were weak fraud controls or suspicious account activity.
However, from the cardholder’s perspective, the immediate contractual relationship is usually with the credit card issuer. The issuer then deals with merchants and card networks through the chargeback system.
XXII. SIM Spoofing, Sender ID Spoofing, and Social Engineering
Many phishing scams in the Philippines involve SMS spoofing, where a fraudulent message appears in the same message thread as legitimate bank alerts. This makes scams more convincing.
A cardholder may argue that:
- The message appeared to come from the bank’s official sender ID.
- The fraudulent message was mixed with genuine bank messages.
- The scam exploited weaknesses in telecommunications systems.
- The cardholder acted under a reasonable belief that the communication was legitimate.
This does not automatically absolve the cardholder, but it may reduce the force of a bank’s argument that the cardholder acted carelessly.
XXIII. When the Cardholder Gave the OTP
The most difficult phishing cases are those where the cardholder gave the OTP.
Banks usually treat OTP disclosure as a serious violation of security obligations. Still, legal responsibility should depend on the entire context.
Relevant factors include:
- Was the OTP message clear that it was for a purchase?
- Did the OTP message state the amount and merchant?
- Did the OTP message warn not to share the OTP?
- Was the OTP requested by someone pretending to be a bank employee?
- Did the fraudster know personal information that made the call credible?
- Was the transaction amount shown in the OTP message?
- Was the cardholder rushed, threatened, or manipulated?
- Was the phishing site visually identical to the bank site?
- Did the bank’s fraud detection system flag the transaction?
- Did the cardholder report immediately after realizing the fraud?
A cardholder’s case is stronger if the OTP message did not clearly identify the transaction, amount, or merchant, or if the bank failed to warn effectively.
XXIV. Drafting the Dispute Letter
A strong dispute letter should be calm, factual, and evidence-based.
It should include:
- A clear statement that the transaction was unauthorized.
- A concise timeline.
- Details of the phishing scam.
- Transaction details.
- The date and time of report.
- A request for reversal.
- A request for investigation records or explanation.
- A request to suspend interest and penalties.
- A statement reserving all legal rights.
Example structure:
- Introduction.
- Account and transaction details.
- Narrative of phishing incident.
- Immediate actions taken.
- Legal and consumer protection basis.
- Request for relief.
- Reservation of rights.
- Attachments.
XXV. Sample Dispute Letter
Subject: Formal Dispute of Unauthorized Credit Card Transaction Due to Phishing
Dear [Bank/Credit Card Issuer],
I am formally disputing the following transaction on my credit card account:
- Cardholder Name: [Name]
- Card Number: XXXX-XXXX-XXXX-[Last 4 Digits]
- Merchant: [Merchant Name]
- Transaction Date: [Date]
- Posting Date: [Date]
- Amount: [Amount]
- Reference Number: [If available]
I did not knowingly authorize this transaction. The transaction arose from a phishing scam where I was deceived by a fraudulent communication impersonating your institution or a legitimate service provider. Upon discovering the unauthorized transaction, I immediately reported the matter through your official channel on [date and time], with reference number [reference number].
I request that your office immediately investigate this matter, reverse the disputed charge, and suspend the imposition of finance charges, penalties, and collection activity relating to the disputed amount while the investigation is pending.
Please also confirm whether a chargeback has been filed, the applicable reason code, the status of the chargeback, and any documents or findings used in evaluating this dispute.
This letter is submitted without prejudice to my rights under applicable Philippine laws, Bangko Sentral ng Pilipinas regulations, consumer protection laws, cybercrime laws, data privacy laws, and other available remedies.
Attached are copies of relevant screenshots, transaction alerts, call logs, and other supporting documents.
Sincerely,
[Name]
XXVI. Possible Outcomes of a Dispute
The bank may:
- Reverse the charge fully.
- Issue temporary credit while investigating.
- Deny the dispute.
- Partially reverse charges.
- Reverse principal but not interest.
- Ask for more documents.
- File a chargeback.
- Decline the chargeback because of late filing or because the transaction was authenticated.
- Refer the matter to its fraud team.
- Close the card and issue a replacement.
If denied, the cardholder should request a detailed written explanation and escalate when appropriate.
XXVII. What to Do If the Bank Denies the Dispute
The cardholder may:
- Ask for reconsideration.
- Request the complete basis of denial.
- Ask whether chargeback was filed.
- Ask for copies or summaries of transaction authentication records.
- Submit additional evidence.
- File a BSP complaint.
- File a police or cybercrime complaint.
- Consult a lawyer.
- Consider small claims or civil action, depending on the amount and remedy.
- Pay under protest if needed to avoid further financial harm.
A denial is not necessarily final, especially if the bank’s investigation was superficial.
XXVIII. Preventive Measures for Cardholders
Cardholders should:
- Never share OTPs.
- Never click links in SMS or emails claiming to be from the bank.
- Use only the official app or manually typed official website.
- Lock or freeze the card when not in use, if the bank allows.
- Set transaction alerts at a low threshold.
- Disable international or online transactions when not needed.
- Use virtual cards for online purchases.
- Monitor statements frequently.
- Report suspicious messages to the bank.
- Use strong unique passwords.
- Enable biometric authentication where available.
- Avoid saving card details on unfamiliar sites.
- Check merchant names carefully in OTP messages.
- Treat urgent account warnings as suspicious.
- Call the official hotline printed on the card.
XXIX. Preventive Measures for Banks and Issuers
Banks should:
- Improve fraud detection systems.
- Use transaction risk scoring.
- Warn customers clearly in OTP messages.
- Include amount and merchant in OTP alerts.
- Detect unusual card-not-present transactions.
- Provide instant card lock features.
- Respond quickly to fraud reports.
- Improve dispute transparency.
- Educate customers continuously.
- Coordinate with telcos against sender ID spoofing.
- Monitor phishing domains.
- Provide easy reporting channels.
- Avoid unfairly shifting all fraud risk to consumers.
- Preserve evidence for investigation.
- Train frontliners to handle fraud reports properly.
XXX. Key Legal Issues in a Phishing-Based Credit Card Dispute
The most important legal issues are:
- Consent: Did the cardholder genuinely authorize the transaction?
- Fraud: Was the cardholder deceived into giving information?
- Negligence: Did the cardholder fail to exercise reasonable care?
- Bank diligence: Did the issuer use appropriate fraud prevention and response systems?
- Authentication: Does OTP or 3D Secure authentication conclusively prove authorization?
- Consumer protection: Did the bank handle the dispute fairly?
- Chargeback compliance: Did the issuer properly pursue card network remedies?
- Timing: Was the fraud reported promptly?
- Evidence: Can each party prove its version of events?
- Damages: What financial and non-financial harm resulted?
XXXI. Practical Checklist for Victims
A victim should do the following immediately:
- Call the official bank hotline.
- Block the card.
- Request replacement.
- Get a reference number.
- File a written dispute.
- Preserve screenshots and messages.
- Change passwords.
- Report to cybercrime authorities if needed.
- Monitor other accounts.
- Ask for chargeback.
- Ask to suspend finance charges.
- Pay undisputed amounts.
- Escalate to BSP if unresolved.
- Consult a lawyer for large losses.
XXXII. Conclusion
Unauthorized credit card transactions after phishing scams occupy a difficult legal space. The fraudster is the primary wrongdoer, but the dispute between cardholder and issuer often turns on authentication, negligence, fraud detection, reporting time, and consumer protection duties.
In the Philippines, a cardholder should not assume that the use of card details or OTP automatically ends the matter. At the same time, cardholders must act quickly, preserve evidence, and show that they did not knowingly authorize the transaction.
The strongest disputes are those supported by a clear timeline, prompt reporting, preserved phishing evidence, formal written objections, and persistent escalation through the bank, BSP, and law enforcement where appropriate.