What to Do After a Credit Card Phishing Scam and How to Negotiate Removal of Charges in the Philippines

Introduction

Credit card phishing scams—where fraudsters trick cardholders into revealing card details, OTPs, PINs, or login credentials—are among the most common forms of consumer fraud in the Philippines. They often happen through fake bank emails, SMS “advisories,” bogus delivery notices, social media links, or calls impersonating bank staff. Once scammers get enough information, they can make unauthorized purchases, cash advances, or online transfers.

This article explains the steps to take immediately after a phishing incident, your rights under Philippine law and regulation, and practical strategies to negotiate reversal or removal of fraudulent charges.


I. First 24–72 Hours: The Emergency Response

1. Lock down the card and accounts

Do this immediately:

  • Call your bank’s hotline to block the card and report fraud.

  • If your bank has an app, freeze/lock the card there too.

  • Change passwords for:

    • online banking
    • credit card portal
    • email linked to banking
    • e-wallets if connected
  • If you shared OTPs or a PIN, assume compromise and request a full account reset.

Why it matters: timing affects liability. Banks often evaluate whether you responded promptly.


2. Document everything

Create a folder (digital or physical) containing:

  • date/time you noticed the scam
  • screenshots of phishing messages, links, caller numbers
  • transaction alerts (SMS/email)
  • app screenshots showing unauthorized charges
  • your call reference numbers with the bank
  • any police/blotter reports later

Tip: Write a short timeline while details are fresh.


3. Dispute the transactions right away

Tell the bank these are unauthorized and phishing-related. Ask for:

  • a case/incident number
  • a dispute form (some banks have online versions)
  • a temporary reversal or “charge under investigation”
  • a replacement card

Even if the transactions are “pending,” dispute them now.


4. Check for related compromise

Fraudsters often reuse data:

  • Review all recent transactions for the past 60–90 days.
  • Check whether your card was added to Apple Pay/Google Pay or used on new merchants.
  • Look for cash advance attempts.
  • If the card is linked to subscriptions, monitor those.

II. Understanding Unauthorized vs. “Authorized by Negligence”

Banks in the Philippines typically classify fraud as:

A. Unauthorized transactions

Examples:

  • card used without your knowledge
  • card details stolen via phishing but used without OTP/PIN from you
  • counterfeit card or card-not-present charges you didn’t approve

These are usually eligible for reversal, unless the bank proves cardholder negligence.

B. Authorized transactions due to cardholder participation

Examples:

  • you gave an OTP, PIN, CVV, or password
  • you clicked a “verification” link and entered credentials
  • you approved a transaction thinking it was legit

Banks may argue this is not fully unauthorized because the transaction passed their authentication systems.

Important: Even if you shared details, you can still contest, especially if deception was sophisticated and the bank’s security failed to detect anomalies.


III. Your Rights Under Philippine Law and Regulation

Several legal and regulatory frameworks protect victims:

1. BSP Consumer Protection Framework

The Bangko Sentral ng Pilipinas (BSP) requires banks to:

  • have dispute-resolution systems
  • investigate fraud promptly
  • treat complainants fairly
  • provide clear billing and fraud processes

Banks must act on disputes within prescribed timelines and explain denials.


2. BSP Regulations on Electronic Banking

Banks are obligated to maintain safe digital systems. If the fraud indicates system weakness—like poor fraud detection or risky OTP handling—this supports your case.


3. Republic Act 8792 (E-Commerce Act)

Recognizes electronic transactions and penalizes hacking, identity theft, and unauthorized access. This underpins the argument that fraudulent e-transactions are void.


4. Republic Act 10175 (Cybercrime Prevention Act of 2012)

Phishing typically qualifies under:

  • illegal access
  • computer-related fraud
  • identity theft

You may cite that you are a victim of a cybercrime, not a willing participant.


5. Republic Act 7394 (Consumer Act of the Philippines)

Protects consumers from unfair business practices. If the bank refuses to investigate or imposes unfair burdens, the Act helps frame a complaint.


6. Data Privacy Act (RA 10173)

If your data leaked through a bank-side breach or lax safeguards (e.g., suspicious merchant storage, weak verification), you may cite the bank’s duty to protect personal information.


IV. The Bank Dispute Process in Practice

Step 1: File a formal dispute

Submit the bank’s dispute form. Include:

  • your narrative
  • timeline
  • list of fraudulent charges
  • supporting screenshots
  • statement that you did not benefit from the transactions

Keep a copy of everything submitted.


Step 2: Investigation phase

Banks will review:

  • authentication logs (OTP/PIN/device)
  • IP address/device fingerprints
  • merchant/acquirer responses
  • card usage history

They may ask for:

  • affidavit of fraud
  • notarized letter
  • police report (not always required but often helpful)

Step 3: Temporary credit or “charge under investigation”

Some banks issue provisional credit while investigating. If they don’t, request it.


Step 4: Final decision

Possible outcomes:

  • full reversal
  • partial reversal/settlement
  • denial (often citing “cardholder authorized OTP”)

If denied, you can escalate.


V. How to Negotiate Removal of Charges: A Practical Strategy

1. Frame your dispute correctly

Your goal is to show:

  • lack of intent
  • deception
  • prompt reporting
  • no benefit gained
  • bank’s security gap

Avoid wording that sounds like you “approved knowingly.” Instead say:

  • “OTP was obtained through deception and social engineering.”
  • “I did not intend to authorize these purchases.”
  • “Transactions are void due to fraud.”

2. Highlight red flags the bank should have caught

These support bank liability or shared liability:

  • unusually large amounts vs. your normal spend
  • multiple rapid transactions
  • foreign or high-risk merchants
  • first-time merchants
  • midnight/odd-hour activity
  • cash advances not typical for you

Argue failure of fraud detection and duty of care.


3. Request specific remedies

Use direct, concrete requests:

  • “I request full reversal of the unauthorized charges.”
  • “Kindly issue provisional credit pending investigation.”
  • “Please provide the basis and logs if denying.”
  • “Escalate this to your fraud and consumer protection unit.”

4. Escalate internally before external complaints

Ask politely but firmly for:

  • supervisor review
  • fraud committee review
  • reconsideration channel

Banks sometimes reverse decisions at higher levels when documentation is strong.


5. Offer settlement only as last resort

If the bank insists on partial liability:

  • propose a goodwill reversal
  • request waiver of interest and penalties
  • ask for installment conversion at 0% or minimal rate
  • negotiate a reduced principal based on hardship and fraud circumstances

Make it clear that any settlement is without admission of fault.


6. Use leverage: BSP escalation

Let them know you will elevate if unresolved:

  • “If not resolved within your dispute timeline, I will seek assistance from the BSP Consumer Assistance Mechanism.”

This often triggers better review.


VI. If the Bank Refuses: Escalation Options

1. BSP Consumer Assistance Mechanism

You can file a complaint with BSP after exhausting bank processes. Provide:

  • case number
  • copies of dispute materials
  • denial letter (if any)
  • your narrative

BSP does not always decide liability itself but compels banks to respond fairly and within regulations.


2. PNP Anti-Cybercrime Group / NBI Cybercrime Division

File a report if:

  • amounts are large
  • identity theft is involved
  • you have usable leads (phone numbers, accounts, links)

A police report strengthens credibility with banks.


3. DTI / Small Claims / Civil Action

Less common but possible if:

  • bank acted in bad faith
  • ignored due process
  • caused damage through unfair denial

This is usually for high-value disputes.


VII. Writing an Effective Affidavit / Notarized Fraud Letter

Banks often want a sworn statement. Include:

  1. Your full name, address, card last 4 digits

  2. Clear statement you are the cardholder

  3. Short timeline of events

  4. How phishing occurred (SMS, call, bogus link)

  5. Transactions disputed (date, amount, merchant)

  6. Statement:

    • you did not intend to authorize
    • you did not receive goods/benefits
    • you reported promptly
  7. Request for reversal and waiver of charges

  8. Signature and notarial acknowledgment

Keep it factual, not emotional.


VIII. Special Issues in Philippine Cases

1. OTP-based denials are common

Many Philippine banks treat OTP entry as “authorization.” Counter this by emphasizing:

  • deception invalidates consent
  • OTP was obtained through cybercrime
  • bank must show you intended authorization

2. Families and shared phones

If a relative got tricked using your phone or account, banks may still charge you. Your best argument:

  • you never consented
  • the fraudster induced the act

Avoid admitting “I let someone do it for me.”


3. Delivery/merchant disputes

If items were delivered elsewhere, ask the bank to retrieve:

  • delivery records
  • IP address
  • merchant confirmation

This helps prove fraud.

IX. Preventing Re-victimization

After resolution:

  • enable transaction alerts
  • lower card limits if possible
  • avoid links in SMS/email
  • never share OTP, CVV, PIN
  • verify bank calls by ending the call and dialing official hotlines
  • consider a dedicated email for banking

Phishers often reattempt once they know a target responds.


X. Sample Dispute Letter (Short Form)

Subject: Formal Dispute of Fraudulent Credit Card Charges

I am the cardholder of Credit Card ending in _____. On (date/time), I discovered unauthorized transactions on my account amounting to PHP ____ involving the following merchants: (list).

These transactions were initiated through a phishing incident wherein fraudsters deceived me into disclosing information. I did not intend to authorize any of these purchases and did not receive or benefit from any goods, services, or cash proceeds.

I reported the incident immediately on (date/time) via your hotline and was issued reference number _____. I respectfully request:

  1. full reversal of the disputed charges,
  2. waiver of all related interest/fees, and
  3. provisional credit while investigation is ongoing.

Attached are screenshots, my timeline, and supporting documents. Kindly confirm receipt and advise on your investigation timeline.

Respectfully,
(Name / Contact / Signature)


Key Takeaways

  1. Speed matters. Report and dispute within hours, not days.
  2. Even with OTP involvement, you can contest by emphasizing deception and lack of intent.
  3. Document everything and submit a crisp timeline.
  4. Negotiate using bank duty and fraud red flags, not guilt.
  5. Escalate to BSP if the bank delays, ignores, or unfairly denies.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.