---

I. Introduction

Credit card phishing scams—where victims are tricked into giving card numbers, OTPs, CVVs, or online banking credentials—remain among the most common cyber-fraud incidents in the Philippines. The legal and regulatory system gives cardholders multiple avenues for relief, but outcomes depend heavily on speed of reporting, quality of documentation, and the way you frame your dispute.

This article explains (1) what to do immediately after a phishing scam, (2) your rights and remedies under Philippine law and regulation, and (3) how to negotiate charge reversals or removals with banks and merchants. This is general information, not individualized legal advice.

---

II. Understanding the Legal Nature of “Phishing” in the Philippines

Phishing is not a single offense; it typically involves several punishable acts under Philippine law:

1. Cybercrime Prevention Act of 2012 (RA 10175)

   • Phishing commonly falls under computer-related fraud, illegal access, and identity theft in a cyber context.
   • The cybercrime framework also enables law enforcement coordination with service providers.

2. Access Devices Regulation Act of 1998 (RA 8484)

   • Penalizes fraudulent use of access devices such as credit cards and card data.

3. Revised Penal Code (as applicable)

   • May cover estafa (swindling) in many fact patterns, especially if deception induced you to part with something of value.

You are the victim of a crime. But for charge disputes, the key issue is not criminal guilt—it’s allocation of liability between you and the bank/merchant.

---

III. Immediate Actions: The First 24 Hours Matter Most

A. Block and Secure the Card

1. Call the bank’s hotline immediately (not a number in the phishing message).
2. Request card blocking and replacement.
3. Disable online/phone transactions temporarily if your bank allows it.
4. Change passwords for banking apps, email, and any linked services.

B. Preserve Evidence

Create a folder (digital and printed) containing:

• Screenshots of phishing texts/emails, fake websites, chat logs
• Call records (time, number, duration)
• Transaction alerts and bank SMS
• Your timeline narrative (what happened, when, and how)

Evidence is the backbone of both chargeback success and any future regulatory complaint.

C. Dispute Unauthorized Transactions Immediately

Even if you “gave OTP,” still report as fraud:

• Tell the bank: “I am a victim of phishing/social engineering; I did not authorize these transactions.”
• Ask for a dispute/chargeback reference number.

D. File a Police / Cybercrime Report (Recommended)

You can report to:

• PNP Anti-Cybercrime Group (ACG)
• NBI Cybercrime Division

The bank may not require this for chargebacks, but it helps if:

• the bank initially rejects your dispute, or
• you need BSP or court escalation.

---

IV. Your Rights as a Credit Card Holder in the Philippines

A. Right to Dispute Unauthorized Transactions

Banks are regulated by the Bangko Sentral ng Pilipinas (BSP) and are expected to maintain effective consumer protection, fraud monitoring, and dispute mechanisms.

In practice, banks typically:

• allow disputes within a set period (often 30 calendar days from transaction posting, sometimes longer depending on bank policy),
• investigate pending transactions and posted ones,
• may issue a provisional credit while investigating.

Even if you disclosed OTP under deception, you can still argue:

• lack of true consent,
• defect in authentication,
• failure of bank fraud controls, especially for suspicious patterns.

B. Right to Transparent Investigation and Written Findings

You can request:

• the bank’s written investigation result,
• the basis for denial, if any.

C. Data Privacy and Security Expectations (RA 10173)

If the scam involved a data breach from an institution (not merely your own disclosure), you may also raise:

• Data Privacy Act obligations,
• reporting to the National Privacy Commission (NPC).

This is more relevant if multiple customers were hit in a similar pattern.

---

V. How Banks Usually Decide Liability

Banks and card networks (Visa/Mastercard/JCB/AmEx) look at:

1. Was the transaction authenticated?

   • OTP use is treated as one sign of authentication, but not conclusive proof of valid consent if induced by fraud.

2. Was there cardholder negligence?

   • Banks often deny if they believe you “voluntarily shared OTP.”
   • Your counterpoint: sharing was under fraudulent misrepresentation, not a voluntary authorization.

3. Was the transaction suspicious enough that the bank should have flagged it? Common red flags you can highlight:

   • unusual merchant category or foreign merchant
   • large amount inconsistent with your history
   • multiple rapid transactions
   • new device or IP anomaly
   • cross-border purchase after local use

4. Merchant compliance If the merchant lacked proper security or used weak verification, the liability may shift away from you.

---

VI. Step-by-Step Charge Dispute / Chargeback Process

Step 1: Notify the Bank (ASAP)

Provide:

• transaction date/time
• amounts
• merchant names
• why unauthorized
• when/how phishing occurred

Step 2: Submit a Sworn Statement / Affidavit of Fraud (If required)

Many banks ask for:

• dispute form
• affidavit of loss/fraud
• ID copies

Be consistent. Contradictions are a common reason for denial.

Step 3: Ask for Temporary Reversal / Provisional Credit

If the charges are big, request:

• temporary credit while investigation is ongoing
• interest/penalty suspension

Step 4: Follow Up in Writing

After hotline calls, send a confirmation email:

• repeating key facts
• attaching evidence
• requesting timeline and reference number

Step 5: Escalate if Denied (see Section IX)

---

VII. Negotiating Removal of Charges: Practical Strategy

The key to negotiation is framing. You want the bank to see that:

1. you are a victim of a crime, and
2. the bank’s systems should have stopped or flagged it.

A. Use a Clear Narrative

Write a 1–2 page timeline:

• how you were contacted
• what you believed at the time
• what exactly you shared and why
• when you realized the fraud
• how fast you reported

Speed = credibility.

B. Emphasize Lack of Real Consent

You can state:

• “Any OTP disclosure was obtained through deceit and is void of true consent.”
• “I did not receive the benefit of the goods/services and did not authorize the seller.”

C. Highlight Bank Duty of Care

Without being hostile:

• “The transactions were anomalous compared to my profile; fraud controls should have triggered verification.”
• “The bank has a duty to protect consumers from foreseeable risks and unauthorized use.”

D. Ask for Specific Remedies

Request:

1. full reversal of fraudulent charges
2. waiver of interest, penalties, and late fees
3. removal from credit reporting / CIC negative mark if any
4. replacement card and security review

E. If Partial Liability is Proposed

Banks sometimes offer “split liability.” Options to negotiate:

• bank absorbs principal; you pay none
• bank reverses but requires a police report
• installment without interest (last resort)

Do not accept partial liability unless:

• you’re sure escalation won’t work, or
• amount is small and closure matters more than principle.

---

VIII. Sample Dispute / Negotiation Letter (PH Context)

You can adapt this to email or a bank form:

Subject: Dispute of Unauthorized Credit Card Transactions – Phishing Fraud

Dear [Bank/Disputes Team],

I am formally disputing the following credit card transactions as unauthorized and a product of phishing/social engineering fraud:

• Transaction Date/Time: [date/time]
• Merchant: [merchant]
• Amount: PHP [amount]
• Reference/ARN (if available): [ref]

Summary of Incident: On [date/time], I received a fraudulent [call/text/email] posing as [bank/merchant]. I was deceived into believing the communication was legitimate. Under this misrepresentation, the fraudster obtained sensitive information and caused the above transactions to be processed. I did not authorize these purchases nor receive any benefit from them.

I reported the incident immediately on [date/time] via hotline and requested card blocking. Attached are screenshots and records supporting my report, including a timeline of events.

Request: In view of the absence of valid consent and the fraudulent nature of these transactions, I respectfully request:

1. Full reversal/chargeback of the disputed amounts;
2. Waiver of all related interest, penalties, and fees;
3. Written confirmation of the dispute reference number and investigation timeline.

I am willing to provide any further documentation required, including an affidavit of fraud and cybercrime report.

Thank you for your prompt action.

Sincerely, [Name] [Card last 4 digits] [Contact number] [Email]

---

IX. Escalation Path if the Bank Refuses

If the bank denies despite strong facts, escalate in this order:

A. Bank’s Internal Appeals / Supervisory Channel

• Ask for reconsideration.
• Request escalation to customer protection/complaints unit.

B. BSP Consumer Assistance Mechanism

You may file a complaint with BSP’s consumer protection channels. Attach:

• dispute letter
• bank denial
• evidence
• police/cyber report (if available)

BSP can compel banks to respond formally and often prompts reconsideration.

C. DTI / Private Merchant Complaints (If Merchant is Local)

If the fraudulent charge is tied to a Philippine merchant:

• you can also complain to DTI for consumer protection, unfair trade, or merchant non-cooperation.

D. National Privacy Commission (NPC) (If Data Breach Suspected)

If you have reason to believe your bank or merchant leaked data:

• file a Data Privacy complaint with NPC.

E. Civil Action (Last Resort)

Possible claims:

• damages for negligence / breach of contract
• specific performance to reverse charges
• injunction against collections This is heavier and usually reserved for high-value cases.

---

X. Dealing With Collection, Credit Score, and Harassment

1. While dispute is pending, request suspension of collections.

2. If a collector calls:

   • state: “This account is under formal dispute; please coordinate with the bank’s disputes team.”

3. If harassment occurs:

   • document calls/messages
   • complain to BSP and the bank’s compliance office

4. If the bank reports you negatively to credit systems:

   • demand correction after reversal
   • include this request in BSP escalation if needed.

---

XI. Common Mistakes That Hurt Your Case

1. Late reporting Waiting weeks makes banks suspect authorization.

2. Admitting “I authorized it” in panic Avoid language implying consent.

3. Inconsistent story Stick to one accurate timeline.

4. Paying the fraudulent amount “to avoid penalties” without reservation If you must pay to avoid delinquency, do it with written notice that payment is “under protest and without admission of liability.”

5. Not escalating Many reversals happen only after BSP involvement.

---

XII. Prevention Tips After You Recover

• Never share OTP, CVV, card PIN, or full card number via call/text.
• Bookmark your bank’s real website and app.
• Enable transaction alerts and set low online limits.
• Use virtual cards for e-commerce if available.
• Treat “urgent account verification” messages as fraud by default.
• Report phishing numbers to your telco and bank.

---

XIII. Key Takeaways

1. Report immediately, block the card, preserve evidence.
2. Dispute as unauthorized fraud, even if OTP was shared under deception.
3. Frame the case around lack of real consent and bank duty of care.
4. Negotiate clearly and in writing; ask for full reversal and fee waivers.
5. Escalate to BSP if denied.
6. Document everything—it wins disputes.

---

If you want, paste a sanitized version of your timeline (no OTPs or full card numbers) and I can help you rewrite it into a stronger dispute narrative and letter tailored to Philippine banking practice.