What to Do If an Unauthorized Loan Is Opened Through Your Online Shopping Account

If someone used your online shopping account to open a loan, buy-now-pay-later account, cash advance, or credit line without your permission, treat it as both a financial dispute and a possible cybercrime or identity theft incident. Your goal is not only to stop collections, but also to preserve evidence, freeze the disputed account, prevent negative credit reporting, and create a paper trail with the platform, lender, and proper Philippine agencies.

What an “unauthorized loan through an online shopping account” usually means

In the Philippines, many online shopping apps are no longer just marketplaces. Some offer credit features such as:

  • buy-now-pay-later purchases;
  • cash loans disbursed to an e-wallet or bank account;
  • credit lines connected to a shopping profile;
  • installment purchases through a partner financing or lending company;
  • wallet-linked loans or “cash-in” credit products.

An unauthorized loan may happen when:

  • your shopping account was hacked;
  • someone got your OTP or verification code through phishing;
  • your phone, SIM, or email was compromised;
  • your personal information or ID was used without consent;
  • a family member, helper, co-worker, or former partner accessed your account;
  • the app or lender approved a loan despite weak identity verification;
  • a scammer changed your delivery address, linked number, bank account, or e-wallet.

The important point is this: do not treat it as a normal unpaid debt if you did not apply for the loan. Dispute it immediately and clearly in writing.

Your immediate priorities

Your first few hours matter. Platforms and lenders often rely on timestamps, device logs, OTP records, delivery details, and KYC verification history. If you delay, evidence may be overwritten, accounts may be changed again, and collection activity may begin.

Do these first:

  1. Secure your account. Change the password of your shopping app, email, e-wallet, and linked social login. Turn on two-factor authentication where available.
  2. Remove unknown devices and payment methods. Log out of all devices if the app allows it.
  3. Take screenshots before anything disappears. Capture the loan page, account history, delivery address, linked phone number, device history, messages, OTPs, emails, and notices.
  4. Report the transaction inside the app. Use the platform’s help center or fraud-reporting channel.
  5. Send a formal written dispute to the lender or financing company. Ask them to freeze collections, interest, penalties, and credit reporting while they investigate.
  6. Report to cybercrime authorities if there was hacking, phishing, identity theft, or account takeover.
  7. Do not pay, settle, or sign a payment plan just to stop calls unless you understand that it may later be treated as acknowledgment of the debt.

Why consent matters under Philippine contract law

Under the Civil Code of the Philippines, there is no contract unless three essential requisites exist: consent, object, and cause. Article 1318 is often the starting point in disputes where a person says, “I never agreed to this loan.” Philippine jurisprudence also repeats this basic rule when determining whether a contract exists. (Lawphil)

For an online loan, the lender may argue that consent was shown through:

  • clicking “Apply” or “Confirm”;
  • OTP verification;
  • facial verification or selfie capture;
  • acceptance of digital loan terms;
  • use of a registered mobile number;
  • disbursement to a linked wallet or bank account;
  • prior successful transactions from the same device or IP address.

Your response should focus on showing that you were not the person who performed those acts, or that the verification process was compromised. This is why evidence matters. A bare statement like “Hindi ako ’yan” is weaker than a clear chronology supported by screenshots, police or cybercrime reports, account logs, and written disputes.

The Electronic Commerce Act of 2000, Republic Act No. 8792, recognizes electronic documents and electronic transactions in commercial and non-commercial activities, so app records, emails, OTP logs, transaction histories, and digital loan terms can become important evidence. (Lawphil)

Key Philippine laws that may apply

Cybercrime Prevention Act: hacking, identity theft, and computer-related fraud

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, covers several acts that commonly appear in unauthorized online loan cases. These may include illegal access, computer-related fraud, computer-related forgery, and computer-related identity theft. The law defines computer-related identity theft as the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person without right. (Lawphil)

The Supreme Court in Disini v. Secretary of Justice reviewed RA 10175 and upheld important parts of the Cybercrime Prevention Act, including provisions relevant to identity theft and unauthorized use of identifying information. (Lawphil)

A cybercrime complaint is especially relevant if:

  • your account was accessed from an unknown device;
  • your OTP was obtained through a fake link or fake customer service agent;
  • your email or SIM was compromised;
  • your ID or selfie was reused;
  • the loan proceeds went to a wallet, bank account, or address you do not control;
  • the scammer changed account details before taking the loan.

Data Privacy Act: misuse of personal information

Republic Act No. 10173, or the Data Privacy Act of 2012, protects personal information and gives individuals rights when their data is misused, improperly disclosed, or processed without authority. The National Privacy Commission states that a person may file a complaint when personal information has been misused, maliciously disclosed, improperly disposed of, or when data privacy rights have been violated. (National Privacy Commission)

This matters because unauthorized online loans often involve personal data such as:

  • full name;
  • mobile number;
  • address;
  • email;
  • government ID;
  • selfie or biometric verification;
  • shopping history;
  • wallet or bank details;
  • emergency contact information.

If the platform or lender failed to protect your account, ignored your correction request, or continued processing your data as a “borrower” despite a documented identity theft dispute, a privacy complaint may be appropriate.

The NPC’s complaint process generally requires a formal complaint form, notarization, and submission through the options stated by the Commission. (National Privacy Commission)

Financial Products and Services Consumer Protection Act

Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, applies to financial products and services offered or marketed by financial service providers. (Supreme Court E-Library)

This law is very useful in unauthorized loan disputes because it requires financial service providers to maintain a consumer assistance mechanism. For alleged disputed amounts or unauthorized transactions, the law states that the provider, pending its final investigation report, must suspend the imposition of interest, fees, and charges, or provide similar reasonable accommodations to the financial consumer. (Bureau of Soils and Water Management)

In practical terms, your dispute letter should specifically ask for:

  • suspension of interest, penalties, late fees, and collection fees;
  • temporary hold on collection calls and demand letters;
  • no negative reporting to credit bureaus while the case is under investigation;
  • written confirmation of the investigation result;
  • copies of the loan application records, device logs, disbursement details, and KYC records.

SEC rules on lending and unfair debt collection

If the lender is a lending company or financing company, the Securities and Exchange Commission may be the relevant regulator. The SEC lists Memorandum Circular No. 18, Series of 2019 as the rule on the prohibition of unfair debt collection practices of financing companies and lending companies. (SEC Appointment System)

Unfair collection issues may arise if collectors:

  • threaten you or your family;
  • use insults, profanity, or humiliation;
  • contact your employer or relatives to shame you;
  • disclose the alleged loan to third parties;
  • pretend to be police, prosecutors, court staff, or government officers;
  • call at unreasonable hours;
  • keep collecting despite being informed that the loan is disputed as unauthorized.

The SEC’s iMessage system accepts complaints, including complaints involving financing and lending companies. (Securities and Exchange Commission)

BSP rules if the provider is BSP-supervised

If the unauthorized loan or transaction involves a bank, e-wallet, electronic money issuer, payment operator, pawnshop, money service business, or other BSP-supervised institution, the Bangko Sentral ng Pilipinas Consumer Assistance Mechanism may apply.

The BSP describes its Consumer Assistance Mechanism as a second-level recourse for financial consumers who already raised their concern with the BSP-supervised financial institution but remain unresolved. (Bureau of Soils and Water Management) The BSP also provides channels such as BSP Online Buddy, email, mail, phone, and walk-in assistance for consumer complaints. (Bureau of Soils and Water Management)

Step-by-step guide: what to do if an unauthorized loan was opened

1. Secure all connected accounts

Do not limit yourself to the shopping app. Many account takeovers begin somewhere else.

Secure:

  • shopping account;
  • email address used for login;
  • mobile number or SIM;
  • e-wallet;
  • online banking app;
  • linked debit or credit cards;
  • social media account used as login;
  • cloud storage where IDs may be saved.

Change passwords using a different device if you suspect your phone is compromised. Remove unknown devices. Check whether the account email, phone number, delivery address, or payout wallet was changed.

2. Preserve evidence properly

Make an evidence folder. Save files in a way that shows dates and sequence.

Useful evidence includes:

Evidence Why it helps
Screenshot of the loan page Shows amount, date, reference number, and status
Account login alerts Shows possible unauthorized access
OTP messages or emails Shows timing and possible phishing
App notifications Shows when the loan was approved or disbursed
Device or session history May show unknown device, location, or IP
Delivery or payout details Shows where the benefit went
Customer service chat Proves you reported promptly
Demand letters or collection texts Proves collection despite dispute
Police, NBI, PNP, NPC, SEC, or BSP filings Shows formal action and timeline

Do not delete the suspicious messages, emails, or app notifications. For email phishing, keep the original email because headers may help trace the source.

3. Report the unauthorized loan to the shopping platform

Use the official in-app help center or verified website. Avoid replying to random “customer service” numbers on Facebook, Viber, Telegram, or SMS.

Your report should include:

  • account name and registered mobile/email;
  • loan or transaction reference number;
  • date you discovered the loan;
  • statement that you did not apply for or authorize it;
  • request to freeze the credit account;
  • request to preserve account logs and KYC records;
  • request to stop further transactions;
  • request for written acknowledgment.

Use direct language: “I am disputing this as an unauthorized loan and possible account takeover. Please freeze the loan account and preserve all logs, device records, KYC records, disbursement records, and communications related to this transaction.”

4. Send a separate dispute to the lender or financing company

The shopping platform may not be the actual lender. Many platforms use partner lending companies, financing companies, banks, or e-wallet providers.

Ask for the legal name of the creditor. Then send a written dispute to the creditor’s official email or complaint channel.

Include:

  1. Your full name and contact details.
  2. Loan reference number.
  3. Amount and date of the unauthorized loan.
  4. A short statement that you did not apply for, authorize, receive, or benefit from the loan.
  5. A request to suspend interest, fees, penalties, collection, and credit reporting pending investigation.
  6. A request for copies of the loan application trail, acceptance record, KYC verification, device logs, OTP logs, disbursement destination, and changes to account details.
  7. Copies of screenshots and prior reports.

Keep proof of sending. If using email, save the sent email and delivery confirmation. If using courier, keep the waybill.

5. If the money went to your own wallet, do not use it

Sometimes the loan proceeds are disbursed to the account owner’s wallet before the scammer tries to transfer them out. If you receive money from a loan you did not apply for, do not spend it. Notify the lender in writing and ask for official reversal instructions.

Using the proceeds can make the dispute harder. It may allow the lender to argue that you benefited from the loan even if you did not initiate it.

6. Report cybercrime or online scam indicators

For urgent scam reporting, the Cybercrime Investigation and Coordinating Center has promoted Hotline 1326 through the Inter-Agency Response Center for online harms and cyber fraud reports. (Facebook)

For formal investigation, you may go to the NBI Cybercrime Division or the PNP Anti-Cybercrime Group. The NBI Citizen’s Charter page for computer crime victims describes a process involving a preliminary interview, initial investigation, and assistance in filling out a sworn complaint sheet. (National Bureau of Investigation)

Prepare:

  • valid government ID or passport;
  • screenshots and printed copies;
  • phone containing original messages;
  • email headers if phishing was involved;
  • loan reference number;
  • platform and lender details;
  • affidavit-complaint or sworn statement;
  • proof that you reported to the platform/lender;
  • proof of financial loss or collection harassment.

7. File with the proper regulator if the company does not act

Use the regulator that matches the entity involved:

Situation Possible office
Lending company, financing company, online lending app SEC
Bank, e-wallet, EMI, money service business, payment operator BSP
Misuse of personal data, ignored correction/deletion request, data breach National Privacy Commission
Online marketplace consumer handling issue DTI or Electronic Commerce Bureau framework
Hacking, phishing, identity theft, cyber fraud NBI Cybercrime Division, PNP Anti-Cybercrime Group, CICC/I-ARC

Republic Act No. 11967, the Internet Transactions Act of 2023, was enacted to protect online consumers and merchants engaged in internet transactions and created the Electronic Commerce Bureau. (Supreme Court E-Library) For pure loan disputes, financial regulators are usually more relevant; for marketplace account handling and online consumer issues, the DTI framework may also matter.

8. Monitor your credit report

Unauthorized loans can later appear in credit records. The Credit Information Corporation provides an Online Dispute Resolution System for disputes involving erroneous, incomplete, or outdated credit information. (Credit Information Corporation)

If the disputed loan appears in your credit report, file a correction dispute and attach:

  • the lender dispute letter;
  • platform acknowledgment;
  • cybercrime report;
  • NPC/SEC/BSP complaint acknowledgment, if any;
  • proof that the loan was unauthorized;
  • request for deletion, correction, or tagging as disputed.

Sample wording for your dispute message

Use a calm, factual tone. Avoid long emotional explanations. The goal is to trigger investigation and preserve your rights.

I am formally disputing Loan Reference No. ______ as an unauthorized transaction. I did not apply for, authorize, receive, or benefit from this loan. I discovered it on ______ and immediately reported it through ______.

Please freeze the loan account, suspend interest, penalties, late fees, collection activity, and any negative credit reporting while this dispute is under investigation. Please also preserve and provide the relevant records, including application logs, device/session logs, OTP or authentication records, KYC records, disbursement destination, changes to account details, and communications connected with this loan.

I reserve my rights under Philippine law, including the Civil Code, Republic Act No. 10175, Republic Act No. 10173, Republic Act No. 11765, and applicable SEC/BSP consumer protection rules.

Common problems and what to do

The lender says, “The OTP was sent to your number, so you are liable.”

An OTP is evidence, but it is not always conclusive. OTPs can be obtained through phishing, SIM compromise, malware, fake customer service calls, or social engineering. Ask for the full authentication trail: device, IP, timestamp, location indicators, account changes, selfie verification, and disbursement details.

The platform says, “We are only the marketplace.”

Ask for the legal name and contact details of the actual lender, financing company, or payment provider. Continue your complaint against the platform for account security and data issues, but send a separate dispute to the creditor because that entity may control collections and credit reporting.

Collectors keep calling your contacts

Document every call, message, and screenshot. If the collector disclosed the alleged debt to your relatives, employer, or contacts, include this in your SEC and/or NPC complaint. Debt collection is not a license to shame people or disclose personal data.

A family member used your account

This is more complicated. The lender may still pursue the registered account holder if the account credentials, device, or OTP were voluntarily shared. But if the family member acted without authority, you may still dispute the loan and submit evidence. Be prepared for the practical consequence that the platform may ask whether you allowed that person to access your phone, account, or OTP.

You are abroad and cannot appear personally

Filipinos and foreigners abroad can still act, but documents may need more preparation. You may need:

  • a notarized affidavit executed before a Philippine Embassy or Consulate;
  • a Special Power of Attorney authorizing someone in the Philippines to file or follow up;
  • apostilled documents if notarized before a foreign notary in a country that uses apostille;
  • passport copy and proof of current overseas address;
  • screenshots and original digital evidence.

The DFA’s apostille system provides authentication services for documents that need to be used across borders. (Apostille Authority)

Documents to prepare

Document Needed for
Valid ID or passport Platform, lender, police, NBI, PNP, NPC, SEC, BSP
Screenshots of unauthorized loan Main proof of disputed transaction
Account history and login alerts Proves possible account takeover
Customer service reports Shows prompt reporting
Written dispute letter Freezing collections and preserving rights
Affidavit-complaint Cybercrime or formal agency filing
Proof of disbursement destination Shows who received benefit
Collection messages SEC/NPC complaint for harassment or improper disclosure
Credit report CIC dispute if negative record appears
SPA or consularized/apostilled affidavit If abroad or represented by another person

Typical timelines in practice

Timelines vary, but ordinary consumers should expect several layers:

Step Practical timeline
In-app acknowledgment Same day to a few days
Lender investigation Often 7–30 days, sometimes longer
Regulator complaint acknowledgment A few days to several weeks depending on channel and completeness
Cybercrime intake Same day for walk-in intake, longer for follow-up investigation
NPC formal complaint processing Longer if notarization, completeness review, or conference is required
Credit report correction Depends on CIC/credit bureau process and lender response

The common bottleneck is incomplete evidence. Another bottleneck is filing with the wrong entity: for example, complaining only to the shopping app when a separate financing company is the actual creditor.

Mistakes to avoid

  • Do not ignore collection notices. Silence can make the record look like ordinary delinquency.
  • Do not rely only on phone calls. Always create a written trail.
  • Do not uninstall the app before saving evidence.
  • Do not pay “temporarily” without written reservation of rights.
  • Do not sign a restructuring, installment, or settlement agreement if you deny the loan.
  • Do not post your full ID, phone number, or loan reference publicly on social media.
  • Do not send IDs to unofficial “agents” or Facebook pages.
  • Do not delay reporting if there was phishing or hacking.

Frequently Asked Questions

Am I automatically liable if the loan was opened in my shopping account?

Not automatically. The lender may rely on app records, OTPs, device logs, and KYC records, but you can dispute the loan if you did not authorize it. Under the Civil Code, consent is essential to a contract. Your strongest position comes from prompt reporting and evidence showing account takeover, identity theft, or lack of benefit.

Should I pay the unauthorized loan to stop the calls?

Be careful. Payment may later be treated as acknowledgment of the debt. If you decide to pay only to stop immediate harm, state in writing that the payment is made under protest and without admitting liability. But in most cases, the better first step is to file a written dispute and ask for suspension of interest, fees, collection, and credit reporting.

Can the lender keep adding interest while investigating?

For financial consumer disputes involving alleged unauthorized transactions, RA 11765 supports asking the provider to suspend interest, fees, and charges or provide similar reasonable accommodations while the final investigation is pending. (Bureau of Soils and Water Management) Put this request in writing.

Where should I complain: barangay, police, NBI, SEC, BSP, or NPC?

For hacking, phishing, and identity theft, go to NBI Cybercrime Division, PNP Anti-Cybercrime Group, or CICC/I-ARC. For lending or financing company issues, go to the SEC. For banks, e-wallets, or BSP-supervised entities, go to BSP after first raising it with the provider. For misuse of personal data, go to the NPC. Barangay proceedings are usually not the main remedy for cybercrime or regulated financial disputes.

Can collectors contact my family or employer?

Collectors may use lawful and reasonable means to collect legitimate debts, but harassment, threats, shaming, false representation, and improper disclosure to third parties can create separate regulatory and privacy issues. Save screenshots and call logs, then include them in your SEC or NPC complaint.

What if the loan proceeds were sent to my own e-wallet?

Do not use the money. Notify the lender immediately and ask for official reversal instructions. If the money was transferred out by a scammer, gather wallet transaction records and report the unauthorized transfer as part of the cybercrime and financial dispute.

What if the platform refuses to give me device logs or KYC records?

Ask again in writing and explain that the records are needed to resolve an unauthorized loan and identity theft dispute. You may also raise data access, correction, and processing issues with the NPC if personal data is involved. Expect that companies may redact security-sensitive details, but they should still address the substance of your dispute.

Will this affect my credit score?

It can, if the lender reports the account as delinquent. This is why your dispute letter should specifically demand that the account not be negatively reported while under investigation. If it already appears in your credit report, use the CIC dispute process for erroneous, incomplete, or outdated credit information. (Credit Information Corporation)

Can foreigners file complaints in the Philippines?

Yes, if the account, lender, platform, transaction, or harm is connected to the Philippines. A foreigner abroad may need notarized, consularized, or apostilled documents, and may authorize a Philippine representative through a Special Power of Attorney.

Is an unauthorized online loan a criminal case or a civil dispute?

It can be both. The civil side concerns whether you owe the debt. The regulatory side concerns whether the lender, platform, or wallet handled your complaint and data properly. The criminal side concerns the person who hacked, impersonated, phished, or used your identity.

Key Takeaways

  • An unauthorized loan through an online shopping account should be disputed immediately in writing.
  • Secure your shopping account, email, phone number, wallet, and bank accounts before the damage spreads.
  • Preserve screenshots, logs, OTPs, emails, loan references, disbursement records, and collection messages.
  • Under Philippine contract law, consent is essential; if you did not authorize the loan, focus on proving lack of consent and lack of benefit.
  • RA 10175 may apply if there was hacking, identity theft, computer-related fraud, or phishing.
  • RA 10173 may apply if your personal data or ID was misused.
  • RA 11765 supports asking the financial provider to suspend interest, fees, charges, and similar consequences while an unauthorized transaction is under investigation.
  • File with the correct office: SEC for lending/financing companies, BSP for BSP-supervised institutions, NPC for privacy violations, and NBI/PNP/CICC for cybercrime.
  • Do not sign a settlement or payment plan if you deny the debt unless you fully understand the consequences.
  • Monitor your credit report and dispute any negative entry connected to the unauthorized loan.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login