A cybercrime complaint in the Philippines is strongest when it shows four things clearly: what happened, when it happened, where online it happened, and why the person you are complaining about is connected to it. Screenshots help, but they are rarely enough by themselves. Investigators and prosecutors usually need account links, transaction records, chat logs, device data, witness statements, and a sworn complaint-affidavit that ties everything together.
This guide explains what evidence is commonly needed for a cybercrime complaint in the Philippines, how to preserve digital proof properly, where to file, and what ordinary complainants often miss when reporting online scams, hacking, cyber libel, identity theft, sextortion, and similar offenses.
What Counts as Evidence in a Philippine Cybercrime Complaint?
In a cybercrime case, “evidence” means any information that can help prove a fact relevant to the offense. For online cases, this usually includes:
- Screenshots
- Chat logs
- URLs and account links
- Email headers
- SMS and call logs
- Transaction receipts
- Bank or e-wallet records
- Device logs
- Login alerts
- Server logs
- Photos, videos, or audio recordings
- Witness affidavits
- Certifications from banks, platforms, employers, or service providers
- The complainant’s sworn narration of events
Under the Cybercrime Prevention Act of 2012, Republic Act No. 10175, cybercrime includes both “pure” cyber offenses, such as illegal access or data interference, and traditional crimes committed through information and communications technology, such as estafa, threats, libel, harassment, trafficking, or child exploitation.
The practical point is simple: your evidence must show both the online act and its connection to the offender.
Legal Basis for Using Digital Evidence in the Philippines
Philippine law recognizes electronic evidence. The Electronic Commerce Act of 2000, Republic Act No. 8792, gives legal recognition to electronic documents and data messages. The Supreme Court’s Rules on Electronic Evidence, A.M. No. 01-7-01-SC, govern how electronic documents, messages, recordings, and related digital proof may be authenticated and presented.
For cybercrime investigations, the Supreme Court also issued the Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC. This covers warrants for:
- Disclosure of computer data
- Interception of computer data
- Search, seizure, and examination of computer data
- Examination of devices lawfully obtained by investigators
This matters because private persons usually cannot obtain subscriber records, IP logs, deleted content, platform records, or telco records on their own. A complainant provides enough initial evidence to justify investigation; law enforcement then uses proper legal processes to obtain deeper technical evidence.
The Supreme Court has also recognized that chat logs and videos may be used as criminal evidence when properly obtained and authenticated, as discussed in People v. Rodriguez, summarized by the Supreme Court Public Information Office.
The Four Things Your Evidence Must Prove
1. The online act happened
Show the actual post, message, transaction, login, upload, demand, threat, impersonation, or unauthorized access.
Example: For an online scam, do not submit only the payment receipt. Also submit the seller’s offer, chat promises, payment instructions, profile link, proof of payment, and what happened after payment.
2. The act is connected to a cybercrime or cyber-related offense
Not every bad online experience is automatically cybercrime. Your evidence should match the offense.
Examples:
- Hacking: unauthorized login, password reset alerts, access logs
- Cyber libel: defamatory post, publication, identity of poster, harm caused
- Online fraud: false representation, payment, non-delivery or deception
- Identity theft: unauthorized use of name, image, ID, number, account, or personal data
- Sextortion: threat, demand, intimate content, account or wallet used
- Data breach: leaked personal data, source, access, misuse, damage
3. The respondent is connected to the account, number, device, wallet, or act
This is often the weakest part of a complaint.
A display name is not enough. A profile photo is not enough. A nickname is not enough.
Helpful identity evidence includes:
- Account URL or username
- Mobile number used
- Email address used
- E-wallet or bank account receiving money
- Delivery address
- Repeated use of the same number or account
- Admissions in chat
- Screenshots showing the respondent controlling the account
- Prior dealings with the same person
- Witnesses who can identify the account user
- Business registration, page ownership, or seller profile records
- Platform, bank, telco, or e-wallet data later obtained through lawful process
4. The evidence is authentic and has not been tampered with
Prosecutors and courts will ask: “How do we know this screenshot or file is real?”
To help establish authenticity:
- Keep the original device where the messages or files are stored.
- Do not delete the chat thread.
- Do not crop or edit screenshots.
- Record the date and time when you captured the evidence.
- Save the full URL, profile link, email header, or transaction reference number.
- Back up files in a read-only folder or external drive.
- For businesses, preserve logs and have an IT officer prepare an incident report.
- For important files, record hash values if a forensic examiner or IT professional can assist.
Evidence Checklist by Type of Cybercrime
| Type of complaint | Evidence usually needed |
|---|---|
| Online scam, phishing, or computer-related fraud | Chat logs, seller profile, account links, offer or listing, proof of payment, bank/e-wallet reference numbers, delivery records, demand for refund, proof of non-delivery or deception |
| Hacking or illegal access | Login alerts, password reset emails, device notifications, IP or access logs, screenshots of unauthorized activity, proof of account ownership, affected device |
| Identity theft or dummy account | Fake profile URL, screenshots, proof of your real identity, posts/messages made by the fake account, reports from people contacted by the fake account |
| Cyber libel | Exact defamatory post or message, URL, screenshot with date/time, proof that others saw it, proof it refers to you, explanation of falsity, identity of original author |
| Online threats or grave coercion | Complete threat messages, sender details, account links, timeline, screenshots, recordings if lawful, proof of fear or action demanded |
| Sextortion or blackmail | Threat messages, payment demands, wallet/bank details, account links, proof of possession or threatened release of intimate content, timeline of demands |
| Non-consensual intimate image sharing | URL or account link where content was posted, screenshots showing existence and location of upload, proof of lack of consent, identity clues, witness statements |
| Data privacy violation or data leak | Leaked data sample, source link, screenshots, proof data belongs to you, proof of unauthorized disclosure or misuse, communications with the entity involved |
| Business email compromise or corporate hacking | Email headers, suspicious domains, server logs, access logs, payment instructions, bank records, internal incident report, device or endpoint logs |
How to Preserve Digital Evidence Before Filing
Digital evidence disappears quickly. Posts are deleted, accounts change names, scammers block victims, messages auto-delete, and platforms may retain certain data only for a limited time.
Use this practical preservation process:
Capture the full context. Take screenshots showing the sender, date, time, message content, profile name, username, and URL. For social media, capture the post and the profile page.
Save the exact link. Copy the URL of the post, profile, page, marketplace listing, group post, video, or account. A screenshot without a link is harder to verify.
Record a screen video for disappearing content. For Stories, reels, live streams, or disappearing messages, a screen recording showing how you navigated to the content may be more useful than isolated screenshots.
Export data when possible. Some platforms allow you to download your account data, chat history, or transaction history. Keep the exported file unchanged.
Preserve the original device. Do not factory reset your phone, delete the app, clear cache, or reformat your laptop before investigators review the evidence.
Back up safely. Save copies in a secure folder, external drive, or cloud storage. Label files clearly by date and platform.
Prepare a timeline. A simple timeline helps investigators understand the case faster: first contact, promise or threat, payment, follow-up, blocking, damage.
Report to the platform, bank, or e-wallet, but do not rely on that alone. Platform reports may help preserve or remove harmful content, but they are not a substitute for a sworn criminal complaint.
Documents Usually Needed When Filing
The exact requirements vary by office, but most cybercrime complaints need the following:
| Document | Purpose |
|---|---|
| Valid government ID or passport | Proves identity of complainant |
| Complaint-affidavit | Sworn written statement of facts |
| Evidence printouts and digital copies | Supports the allegations |
| Screenshots with URLs and timestamps | Shows online act and location |
| Transaction records | Proves payment, loss, or financial trail |
| Witness affidavits | Supports identification, publication, damage, or timeline |
| Device containing original messages/files | Helps authentication and forensic review |
| Special Power of Attorney, if represented | Allows another person to file or follow up |
| Apostilled or consularized documents, if executed abroad | Helps use foreign documents or affidavits in Philippine proceedings |
A complaint-affidavit should normally state:
- Your complete name, address, contact number, and email
- Respondent’s name, alias, username, number, email, or account link, if known
- A clear narration of events in chronological order
- The exact dates and times of relevant acts
- The platform or technology used
- The amount lost, if any
- The harm suffered
- A list of attached evidence
- A statement that the facts are true based on your personal knowledge or authentic records
Where to File a Cybercrime Complaint in the Philippines
Cybercrime complaints are commonly filed with:
| Office | Common role |
|---|---|
| NBI Cybercrime Division | Investigation, cybercrime intake, digital evidence review |
| PNP Anti-Cybercrime Group | Police cybercrime investigation and case build-up |
| City or Provincial Prosecutor’s Office | Preliminary investigation and determination of probable cause |
| DOJ Office of Cybercrime | Cybercrime policy, coordination, international assistance, central authority functions |
| National Privacy Commission | Data privacy complaints involving misuse, unauthorized disclosure, or improper handling of personal data |
For urgent scams, hacking, sextortion, or threats, victims usually report first to the NBI or PNP cybercrime units so evidence can be assessed and preservation steps can be considered quickly.
A barangay blotter may help document harassment, threats, or neighborhood-related incidents, but barangay proceedings usually cannot compel social media platforms, banks, e-wallets, telcos, or foreign service providers to disclose cyber data.
Are Screenshots Enough?
Screenshots are useful, but they are often only starter evidence.
A screenshot may show that something appeared on your phone, but it may not prove:
- Who controlled the account
- Whether the screenshot was altered
- Whether the post was actually public
- Whether others saw it
- Whether payment went to the respondent
- Whether the respondent used the device, number, or wallet
- Whether the data came from the original platform
A stronger complaint includes screenshots plus links, transaction records, original chat threads, device access, witnesses, and any identity clues.
For example, in an online scam complaint, the best evidence package usually includes:
- Marketplace listing or post
- Seller profile URL
- Complete chat from first contact to payment
- Payment instruction message
- GCash, Maya, bank, or remittance receipt
- Receiver name, number, account, or reference number
- Proof of non-delivery
- Follow-up demands or blocking
- Screenshot showing the account later changed name or disappeared, if applicable
Special Issues for Cyber Libel Evidence
Cyber libel is based on libel under Articles 353 and 355 of the Revised Penal Code, committed through a computer system under RA 10175. In Disini v. Secretary of Justice, the Supreme Court upheld cyber libel but treated it as applying to the original author of the allegedly libelous statement, with important constitutional limits.
For cyber libel, evidence should show:
- The exact defamatory statement
- The URL or location of the post
- Date and time of posting or discovery
- That the statement refers to the complainant
- That it was seen or could be seen by third persons
- Why it is false or defamatory
- Who authored, posted, or controlled the account
- Damage to reputation, business, employment, or relationships
A private message sent only to the complainant may not be libel if there was no publication to a third person, although it may be relevant to another offense depending on the content, such as threats, unjust vexation, harassment, extortion, or coercion.
Cyber libel also has time limits. In Causing v. People, the Supreme Court held that cyber libel follows the Revised Penal Code rules on prescription. Complaints should be filed promptly, especially because online posts can be deleted and platform records can become harder to obtain.
Special Issues for Foreigners, OFWs, and Victims Abroad
A cybercrime complaint may still be filed in the Philippines even if the complainant is abroad, especially when the offender is in the Philippines, the account or payment trail is connected to the Philippines, the victim is in the Philippines, or an element of the offense occurred here.
Foreigners and OFWs should prepare:
- Passport or valid ID
- Philippine address or local contact, if any
- Complete affidavit
- Digital evidence in original format
- Proof of remittance or international transfer, if relevant
- Special Power of Attorney if someone in the Philippines will file or follow up
- Documents notarized abroad and apostilled, if applicable
- Certified English translation if documents are in another language
For documents executed abroad, Philippine authorities may require consular acknowledgment or an apostille, depending on the country where the document was signed. The Department of Foreign Affairs authentication and apostille process is commonly relevant when foreign documents need to be used in Philippine proceedings.
For foreign platforms or service providers, Philippine law enforcement may need to course requests through proper legal channels. Under the cybercrime warrant rules, processes involving persons or service providers outside the Philippines may involve the DOJ Office of Cybercrime and international cooperation mechanisms.
Common Mistakes That Weaken Cybercrime Complaints
Cropping or editing screenshots
Cropped screenshots may hide important details such as URLs, timestamps, usernames, or message sequence. Keep the original and submit clean copies.
Relying only on the display name
Scammers often change names and photos. Always capture the profile link, username, account ID, phone number, email address, and payment channel.
Deleting the conversation after taking screenshots
The original chat thread is often more valuable than screenshots. Do not delete it.
Resetting the device too early
For hacking and unauthorized access cases, the device may contain logs, malware traces, session data, or authentication records. Preserve it.
Posting accusations online
Publicly naming a suspect before a case is properly filed can create separate legal risks, especially if identity is uncertain.
Sending intimate images to multiple people to “prove” the case
For non-consensual intimate image cases, preserve evidence carefully and show it only to proper authorities. If minors are involved, do not download, forward, repost, or circulate the material.
Waiting too long
Delay can cause loss of platform records, deletion of accounts, disappearance of payment trails, and prescription issues.
Practical Timeline: What Usually Happens After Filing
| Stage | What happens |
|---|---|
| Intake and initial interview | Investigator reviews your complaint, ID, and evidence |
| Evidence assessment | Office checks whether facts may support a cybercrime or related offense |
| Sworn statement or affidavit | You execute or submit a complaint-affidavit |
| Case build-up | Investigator may request more documents, examine devices, or identify needed warrants |
| Preservation or data request | Law enforcement may seek preservation or disclosure through proper legal process |
| Referral to prosecutor | Complaint may be filed for preliminary investigation |
| Preliminary investigation | Prosecutor evaluates probable cause and may require counter-affidavits |
| Court filing | If probable cause is found, an Information may be filed in court |
The NBI Citizen’s Charter for computer crime complaints shows that initial intake and interview may be handled on the same visit, but full investigation, data requests, prosecutor review, and court action can take much longer depending on complexity, platform cooperation, and completeness of evidence.
Frequently Asked Questions
Can I file a cybercrime complaint without knowing the real name of the scammer?
Yes. You can start with the username, phone number, email address, profile link, wallet number, bank account, or other identifiers. Investigators may use lawful processes to identify the person behind the account.
Are screenshots accepted as evidence in Philippine courts?
Yes, screenshots may be used, but they must be authenticated. Courts and prosecutors give more weight to screenshots supported by original files, device access, URLs, timestamps, witnesses, platform records, or other corroborating evidence.
What if the cybercriminal deleted the post or account?
Deleted content can still sometimes be investigated if you preserved screenshots, URLs, account IDs, notifications, transaction records, or device data. Report quickly because service provider records may be time-sensitive.
Can police trace an IP address from a Facebook, Gmail, Telegram, or TikTok account?
They cannot simply demand private platform data without legal basis. Depending on the case, law enforcement may need a cybercrime warrant, preservation request, disclosure order, or international assistance process.
What evidence do I need for an online scam complaint?
Prepare the listing or offer, complete chat history, seller profile link, payment instructions, payment receipt, receiver account details, proof of non-delivery or deception, and follow-up messages. Include your affidavit explaining the full timeline.
What evidence do I need for cyber libel?
You need the exact post or message, URL, screenshot with date and time, proof it refers to you, proof it was published or seen by others, explanation of why it is defamatory and false, and evidence connecting the respondent to the original post.
Can I file a cybercrime complaint from abroad?
Yes, but you may need a properly notarized, consularized, or apostilled affidavit and a Special Power of Attorney if a representative will act for you in the Philippines. Keep original digital evidence and provide complete contact details.
Should I report first to the platform, bank, or e-wallet?
For scams and account abuse, report immediately to the platform, bank, or e-wallet to preserve records or attempt account freezing. But for criminal liability, also file with the NBI, PNP cybercrime unit, or prosecutor.
Can a cybercrime complaint help recover my money?
A criminal complaint may support restitution, damages, or related recovery efforts, but money recovery is not automatic. Fast reporting to banks, e-wallets, remittance centers, and law enforcement gives the best chance of tracing or freezing funds.
What if the evidence includes private or sensitive personal information?
Handle it carefully. The Data Privacy Act of 2012, RA 10173, protects personal data, but it also allows lawful processing when relevant to determining criminal liability or protecting rights in legal proceedings. Share sensitive evidence only with proper authorities and necessary parties.
Key Takeaways
- A strong cybercrime complaint needs more than screenshots.
- Preserve URLs, usernames, timestamps, transaction records, original chats, and the device containing the evidence.
- Your evidence should prove the act, the online location, the timeline, the damage, and the link to the respondent.
- For scams, the money trail is often as important as the chat history.
- For hacking, preserve devices, login alerts, and access logs before resetting anything.
- For cyber libel, capture the exact post, URL, publication details, and proof connecting the original author.
- For foreigners and OFWs, affidavits and SPAs executed abroad may need apostille or consular formalities.
- File promptly because posts, accounts, logs, and platform data can disappear quickly.