If hackers used your business email to send fake invoices, treat it as both a cybersecurity emergency and a legal evidence problem. The first goal is to stop more people from paying the fake invoices. The second is to preserve proof before logs, email headers, bank traces, and forwarding rules disappear. The third is to report the incident properly, because in the Philippines this can involve cybercrime, estafa, falsification, data privacy breach duties, bank fraud, and possible civil liability.
What usually happened in a fake invoice email scam
This is commonly called business email compromise or BEC. In simple terms, someone uses or imitates a business email account to trick customers, suppliers, or employees into sending money to the wrong account.
It can happen in several ways:
- A hacker actually logged in to your company email and sent invoices from your real mailbox.
- A hacker created a look-alike email, such as billing@yourcornpany.com instead of billing@yourcompany.com.
- A hacker set up hidden forwarding rules so they could monitor invoices and payment discussions.
- A hacker replied inside an existing email thread after getting access to one side of the conversation.
- A hacker changed bank details on a real invoice and sent it to the customer.
The legal response depends heavily on the facts. A real account compromise is more serious for the business because it may also mean unauthorized access to personal data, customer records, confidential contracts, tax documents, and bank details. A spoofed or look-alike email may still damage your business, but it may not always mean your own system was breached.
Immediate steps to take in the first 24 hours
1. Secure the email account without destroying evidence
Do not simply delete the fake emails and move on. Deleting emails, mailbox rules, logs, or suspicious messages can make investigation harder.
Do these immediately:
- Change the password of the affected account.
- Revoke all active sessions in Microsoft 365, Google Workspace, or your email platform.
- Turn on multi-factor authentication if it is not already required.
- Check for hidden forwarding rules, inbox rules, delegated access, app passwords, suspicious OAuth apps, and unknown recovery emails or phone numbers.
- Preserve the full email headers of the fake invoice emails.
- Download audit logs, sign-in logs, IP addresses, timestamps, sent items, deleted items, and mailbox rule changes.
- Ask your IT provider to preserve logs before retention periods expire.
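The hidden forwarding and inbox rules in the checklist above are the part of the triage that is easiest to get wrong by eye, because attackers name rules with a single dot or blank, forward only mail that mentions invoices, and park customer replies in folders nobody opens. The following script is an added example, not code from the original article or from any mail platform: it audits a list of inbox rules exported from your mail platform's admin tools into a simple assumed shape (the field names `name`, `enabled`, `conditions`, `actions`, `forward_to`, `redirect_to`, `delete`, `move_to` and `mark_read` are assumptions for this example; real Microsoft 365 or Google Workspace exports use their own schemas and would need a small mapping step). The sample rules at the bottom are constructed.

```python
from typing import Dict, List

# Folders attackers commonly route mail into so the mailbox owner does not see
# customer replies or bank confirmations.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Keywords that show a rule is watching the payment conversation.
MONEY_WORDS = {"invoice", "payment", "remittance", "wire", "bank", "swift", "account"}


def is_external(address: str, internal_domains: List[str]) -> bool:
    """True if the address is outside the organisation's own domains."""
    return address.rpartition("@")[2].lower() not in {d.lower() for d in internal_domains}


def audit_rule(rule: Dict, internal_domains: List[str]) -> List[str]:
    """Return the red flags found in one inbox rule (empty list if it looks benign)."""
    actions = rule.get("actions", {})          # field names assumed for this example
    conditions = rule.get("conditions", {})
    name = (rule.get("name") or "").strip()
    high, notes = [], []

    targets = list(actions.get("forward_to") or []) + list(actions.get("redirect_to") or [])
    external = [a for a in targets if is_external(a, internal_domains)]
    if external:
        high.append("forwards or redirects to external address(es): " + ", ".join(external))
    if actions.get("delete"):
        high.append("deletes matching mail")
    if (actions.get("move_to") or "").lower() in HIDING_FOLDERS:
        high.append(f"moves matching mail to '{actions['move_to']}'")
    if len(name) <= 1:
        high.append(f"rule name {name!r} is blank or a single character")
    if actions.get("mark_read"):
        notes.append("marks matching mail as read")
    words = {w.lower() for key in ("subject_contains", "body_contains")
             for w in conditions.get(key, [])}
    if words & MONEY_WORDS:
        notes.append("matches payment-related keywords: " + ", ".join(sorted(words & MONEY_WORDS)))
    if not rule.get("enabled", True):
        notes.append("rule is currently disabled but could be re-enabled")
    # Keyword matches and mark-as-read only matter alongside a high-signal action,
    # otherwise every legitimate "Invoices" filing rule would be flagged.
    return high + notes if high else []


def audit_rules(rules: List[Dict], internal_domains: List[str]) -> List[Dict]:
    """Audit every rule and report which ones need a human look."""
    report = []
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        report.append({"name": rule.get("name"), "suspicious": bool(findings), "findings": findings})
    return report


# Constructed sample export (not from a real mailbox; schema assumed as above).
SAMPLE_RULES = [
    {"name": "Invoices", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["inv.backup@webmail.example"], "mark_read": True}},
    {"name": ".", "enabled": True,
     "conditions": {"from_contains": ["customer.example"]},
     "actions": {"delete": True, "move_to": "RSS Subscriptions"}},
    {"name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news."]},
     "actions": {"move_to": "Newsletters", "mark_read": True}},
]

if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES, ["yourcompany.com"]):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{flag:10} {entry['name']!r}")
        for finding in entry["findings"]:
            print("   -", finding)
```

Run it against the exported rules of every mailbox that handles billing, not only the one that sent the fake invoices, and keep the export itself in the incident file: the rule names, targets and creation timestamps are part of the evidence, so audit a copy and leave the live rules in place until IT has captured them.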
For investigation purposes, the full email header is often more useful than a screenshot because it may show routing information, sending servers, authentication results, timestamps, and technical clues.
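The point about headers, and the later FAQ question about a spoofed domain with SPF, DKIM and DMARC, both come down to reading three things out of the raw header block: the Received chain, the Authentication-Results verdicts, and whether the From domain is really yours or a look-alike such as yourcornpany.com. The script below is an added example, not code from the original article or from any mail provider, using only the Python standard library. It parses a header block and sorts the message into the scenarios the article distinguishes: a look-alike domain, a forged From using your real domain that failed authentication, or a message that authenticated from your own domain (which points to a real account compromise). The header block at the bottom is constructed for the example, the confusable table and verdict names are this example's own, and the header parsing is deliberately lenient because real headers vary.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Visual substitutions commonly used to build look-alike domains
# (e.g. "rn" read as "m", as in yourcornpany.com vs yourcompany.com).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize_domain(domain: str) -> str:
    """Collapse common visual substitutions so look-alikes compare equal."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


def is_lookalike(domain: str, legit: str) -> bool:
    """True when domain differs from legit but reads the same at a glance."""
    return domain.lower() != legit.lower() and normalize_domain(domain) == normalize_domain(legit)


def domain_of(address) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(str(address or ""))[1].rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def received_chain(msg) -> list:
    """(host, ip) for each Received header, nearest hop to the recipient first."""
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())            # unfold continuation lines
        host = re.search(r"\bfrom\s+(\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else "?"))
    return hops


def classify(from_domain: str, legit: str, auth: dict) -> str:
    """Rough triage into the scenarios the article distinguishes (labels are this example's)."""
    if is_lookalike(from_domain, legit):
        return "lookalike"                         # spoofed brand; own mailbox may be intact
    if from_domain == legit:
        if all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
            return "authenticated-from-your-domain"    # treat as real account compromise
        return "spoofed-your-domain"               # From forged, authentication failed
    return "unrelated-domain"


def analyze_headers(raw: str, legit_domain: str) -> dict:
    """Summarize the routing and authentication clues in a raw header block."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} result: {auth.get(method, 'missing')}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom, "auth": auth,
            "hops": received_chain(msg), "verdict": classify(from_dom, legit_domain, auth),
            "findings": findings}


# Constructed sample (not a real message): look-alike sender domain with failing
# authentication, i.e. the spoofing scenario rather than a mailbox breach.
SAMPLE_HEADERS = """\
Return-Path: <billing@yourcornpany.com>
Received: from mail.yourcornpany.com (unknown [203.0.113.45])
        by mx.customer.example (Postfix) with ESMTPS id ABC123
        for <ap@customer.example>; Tue, 04 Jun 2024 09:12:31 +0800
Received: from [192.0.2.10] (helo=workstation)
        by mail.yourcornpany.com with esmtpa id XYZ789;
        Tue, 04 Jun 2024 09:12:05 +0800
Authentication-Results: mx.customer.example;
        spf=fail smtp.mailfrom=yourcornpany.com;
        dkim=none header.d=yourcornpany.com;
        dmarc=fail header.from=yourcornpany.com
From: "Billing Department" <billing@yourcornpany.com>
To: ap@customer.example
Subject: Updated bank details for Invoice 10452
"""

if __name__ == "__main__":
    report = analyze_headers(SAMPLE_HEADERS, "yourcompany.com")
    print("verdict:", report["verdict"])
    for hop in report["hops"]:
        print("hop:", hop)
    for finding in report["findings"]:
        print("finding:", finding)
```

Two caveats a practitioner should keep in mind: the only Authentication-Results line you can trust is the one written by your own (or the customer's) receiving server, since a sender can insert fake ones, and the Received chain is reliable only from the first hop your side added downward, because earlier hops are also under the sender's control. Feed the script the headers the customer exported from the message they actually received, not a forwarded copy, which replaces the original routing information.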
2. Stop payments and ask banks to hold or recall funds
If anyone already paid the fake invoice, act quickly. Call and email:
- the paying bank or e-wallet;
- the receiving bank or e-wallet, if known;
- the relationship manager or branch handling the account;
- the customer’s finance team;
- law enforcement, if the amount is significant or the transfer is recent.
Ask the bank to:
- flag the transaction as fraud-related;
- attempt recall or reversal;
- preserve CCTV, KYC records, withdrawal records, IP logs, device information, and transaction history;
- file or consider the necessary suspicious transaction reporting internally.
A private complainant normally cannot force a bank to freeze another person’s account just by sending an email. In serious cases, account freezing may involve the Anti-Money Laundering Council and the Court of Appeals under the Anti-Money Laundering Act, Republic Act No. 9160, as amended. The Supreme Court has explained that freeze orders may cover related accounts when there is probable cause and proper safeguards, but they are not automatic just because a victim reports a scam. See the Supreme Court’s discussion on freeze orders and related accounts in money laundering cases.
3. Warn affected customers using a different communication channel
Use a verified channel, not the compromised email account. Call the customer’s known number, message their known contact person, or send an announcement from a clean company email address.
Your notice should be factual and calm:
- state that unauthorized invoice emails may have been sent;
- identify the affected invoice numbers or dates, if known;
- tell recipients not to pay changed bank details unless verified by phone;
- give the correct payment instructions;
- ask recipients to forward suspicious emails with full headers;
- give one verified contact person and phone number.
Avoid blaming a customer, employee, or bank before the facts are clear. Also avoid saying “no data was compromised” unless your technical review actually supports that statement.
4. Create an incident file
Open a single folder for the incident and keep:
| Evidence | Why it matters |
|---|---|
| Fake invoices | Shows the fraudulent demand for payment |
| Original legitimate invoices | Helps compare altered details |
| Email headers | Helps trace routing and authentication |
| Screenshots | Useful for quick reference, but not enough alone |
| Audit logs and sign-in logs | Shows unauthorized access, IP addresses, dates, and times |
| Bank transfer slips | Shows amount, account number, date, and recipient |
| Customer complaints | Shows damage and affected parties |
| Timeline of events | Helps police, NBI, prosecutors, insurers, and courts |
| Internal access list | Shows who had authority over billing and email accounts |
| IT report | Helps prove compromise, containment, and corrective action |
Maintain a simple chronology: when the first suspicious email was sent, when the company discovered it, who was notified, when passwords were changed, when banks were contacted, and when reports were filed.
Philippine laws that may apply
Cybercrime under Republic Act No. 10175
The main cybercrime law is the Cybercrime Prevention Act of 2012, Republic Act No. 10175. It covers several acts that may appear in a fake invoice email incident.
Possible offenses include:
- Illegal access — accessing a computer system without right.
- Data interference — intentionally or recklessly altering, deleting, damaging, or deteriorating computer data or electronic documents without right.
- System interference — interfering with the functioning of a computer or network.
- Misuse of devices — using or making available passwords, access codes, or similar data to access a computer system for cybercrime.
- Computer-related forgery — inputting, altering, or deleting computer data so it appears authentic for legal purposes.
- Computer-related fraud — unauthorized input, alteration, deletion, or system interference causing damage with fraudulent intent.
- Computer-related identity theft — acquiring, using, misusing, transferring, possessing, altering, or deleting identifying information belonging to another person or juridical entity without right.
These are specifically listed under Republic Act No. 10175, including illegal access, data interference, computer-related forgery, fraud, and identity theft.
A fake invoice sent from your business email can fit several of these provisions at the same time. For example, the login to your mailbox may be illegal access, the altered invoice may be computer-related forgery, and the use of your company identity to collect money may be computer-related identity theft or computer-related fraud.
Estafa and falsification under the Revised Penal Code
The scam may also involve estafa, which is swindling or fraud under Article 315 of the Revised Penal Code. Estafa commonly applies when a person defrauds another through false pretenses, fraudulent acts, or deceit, causing damage. Republic Act No. 10951 updated the value thresholds and fines for many Revised Penal Code offenses, including Article 315. See the amended text of Article 315 on estafa under RA 10951.
A fake invoice may also involve falsification. Under Article 172 of the Revised Penal Code, a private individual may be liable for falsifying a public, official, or commercial document, or for using falsified documents. RA 10951 also updated the fine under Article 172. See Article 172 on falsification by private individuals.
In practice, prosecutors look at the actual evidence. A case may be framed as cybercrime, estafa, falsification, access device fraud, or a combination, depending on how the scam was carried out.
Access device fraud under RA 8484, as amended
The Access Devices Regulation Act of 1998, Republic Act No. 8484, may become relevant if the scam involves bank account numbers, payment credentials, cards, codes, PINs, or other means of account access used to obtain money or initiate transfers. RA 8484 defines an access device broadly to include account numbers, codes, electronic serial numbers, personal identification numbers, and other means of account access that can be used to obtain money or initiate a transfer of funds. See RA 8484 on access device fraud.
RA 11449 later amended RA 8484 by adding prohibitions and increasing penalties. This may matter where the fake invoice scheme used mule accounts, unauthorized access credentials, or fraudulently obtained account access.
Electronic documents and email evidence under RA 8792
The Electronic Commerce Act of 2000, Republic Act No. 8792, recognizes electronic documents and electronic data messages. It provides that, for evidentiary purposes, an electronic document may be the functional equivalent of a written document, subject to authentication and evidentiary rules. See RA 8792 on electronic documents and electronic signatures.
This is why email headers, server logs, payment confirmations, digital invoices, and electronic communications should be preserved carefully. They may later be used before investigators, prosecutors, courts, insurers, banks, or regulators.
Data Privacy Act obligations
If the compromised email account contained personal data, the incident may also trigger duties under the Data Privacy Act of 2012, Republic Act No. 10173.
This is especially important if the mailbox contained:
- customer names, addresses, phone numbers, emails, IDs, or signatures;
- passport, visa, TIN, SSS, PhilHealth, Pag-IBIG, bank, credit card, or payroll information;
- employee records;
- medical, legal, financial, or sensitive personal information;
- documents that can be used for identity fraud.
Under the Data Privacy Act, a personal information controller must promptly notify the National Privacy Commission and affected data subjects when sensitive personal information or other information that may enable identity fraud is reasonably believed to have been acquired by an unauthorized person and is likely to create a real risk of serious harm. See the National Privacy Commission’s text of Republic Act No. 10173.
NPC Circular No. 16-03 gives the practical breach-management rules. It generally requires notification to the NPC and affected data subjects within 72 hours from knowledge of, or reasonable belief that, a personal data breach occurred. It also requires documentation of security incidents and, in certain cases, a full report within five days, unless the NPC grants more time. See NPC Circular No. 16-03 on Personal Data Breach Management.
Not every email compromise automatically requires NPC notification. The business must assess whether personal data was involved, whether it was likely acquired by an unauthorized person, and whether there is a real risk of serious harm. But the assessment itself should be documented.
Civil liability between the business and the customer
A fake invoice scam can also create a civil dispute: who bears the loss if a customer paid the wrong account?
There is no one-size-fits-all answer. It depends on facts such as:
- whether the email came from the business’s real account;
- whether the business had weak or unreasonable security;
- whether the customer ignored a clear payment-verification procedure;
- whether the invoice changed bank accounts suddenly;
- whether either side delayed reporting the fraud;
- what the contract says about payment instructions and authorized bank accounts;
- whether the customer had reason to suspect the email was fake.
The Civil Code may become relevant. Article 1170 provides liability for damages when a party performing an obligation is guilty of fraud, negligence, delay, or contravenes the obligation. Articles 19, 20, and 21 require persons to act with justice, honesty, good faith, and to compensate others for damage caused contrary to law, morals, good customs, or public policy. Article 2176 covers quasi-delict, meaning damage caused by fault or negligence where there is no pre-existing contractual relation. See the Civil Code provisions on human relations, obligations, and quasi-delicts.
Article 33 of the Civil Code may also allow an independent civil action for damages in cases involving fraud, separate from the criminal case. This is useful to understand because criminal investigation and civil recovery do not always move at the same speed.
Where to report in the Philippines
| Office or entity | What it can do | Practical notes |
|---|---|---|
| Bank or e-wallet provider | Trace, hold, recall, or flag funds where possible | Report immediately; include transaction reference numbers |
| PNP Anti-Cybercrime Group | Investigates cybercrime complaints | Useful for local reporting, preservation, and coordination |
| NBI Cybercrime Division | Investigates computer-related crimes | NBI’s citizen charter refers to preliminary interview, complaint sheet, sworn statements, and examination of relevant devices |
| DOJ Office of Cybercrime | Policy, coordination, and cybercrime-related functions | May be relevant for complex or cross-border matters |
| CICC / Inter-Agency Response Center | Cybercrime coordination and hotline mechanisms | The national anti-scam hotline 1326 is commonly used for scam reporting |
| National Privacy Commission | Handles personal data breach and privacy complaints | Required if the breach meets mandatory notification standards |
| Prosecutor’s Office | Conducts preliminary investigation | A criminal complaint may proceed here after evidence is gathered |
The NBI’s public citizen charter for computer crime complaints mentions preliminary interview, filling out a complaint sheet, sworn statements or affidavits, supporting documents, and examination of relevant devices. See the NBI page on investigative assistance for victims of computer crimes.
What to prepare before filing a complaint
Bring or prepare:
- Valid government ID of the complainant.
- Proof of authority if filing for a company, such as Secretary’s Certificate, board resolution, authorization letter, or SPA.
- Business registration documents, such as SEC, DTI, CDA, Mayor’s Permit, or BIR Certificate of Registration, if relevant.
- Complaint-affidavit or sworn statement.
- Screenshots and PDF copies of the fake emails.
- Full email headers.
- Original invoices and altered invoices.
- Bank transfer slips, deposit confirmations, or proof of payment.
- Customer or supplier statements.
- IT incident report.
- Audit logs, sign-in logs, IP logs, mailbox rules, and forwarding records.
- List of affected customers or recipients.
- Timeline of discovery, containment, notices, and reports.
- Copies of contracts or payment terms showing the correct account details.
If the complainant or witness is abroad, affidavits signed outside the Philippines may need consular notarization or an apostille, depending on the country and the intended use. A Philippine embassy or consulate may also be involved if the document must be executed abroad for use in Philippine proceedings.
How cybercrime investigation usually proceeds
A typical path looks like this:
- The business discovers the fake invoice emails.
- The business secures systems and preserves evidence.
- The business reports to banks and affected customers.
- A complaint is filed with PNP-ACG, NBI Cybercrime Division, or another appropriate office.
- Investigators review emails, logs, transaction records, and devices.
- Law enforcement may seek preservation or disclosure of computer data.
- The complaint may be referred for preliminary investigation before the prosecutor.
- If the prosecutor finds probable cause, an Information may be filed in court.
- The criminal case proceeds in the proper court, often a cybercrime-designated court for RA 10175 offenses.
Under RA 10175, the NBI and PNP are responsible for law enforcement of cybercrime provisions and must organize cybercrime units. The law also requires preservation of certain traffic data and subscriber information by service providers for at least six months, while content data may be preserved upon order from law enforcement authorities. Disclosure of computer data generally requires a court warrant and must be tied to a valid complaint officially docketed and assigned for investigation.
The Supreme Court’s Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC, provides procedures for warrants involving preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data. It also identifies venue rules and designated cybercrime courts. See the judiciary’s copy of the Rule on Cybercrime Warrants.
What to tell affected customers
A good notice is specific enough to protect customers but careful enough not to make unsupported admissions.
It should include:
- the date range of suspicious emails;
- affected invoice numbers, if known;
- a warning not to pay unverified bank details;
- the company’s correct bank account or instruction to verify by phone;
- a request to report any payment already made;
- a request to preserve the suspicious email and full headers;
- a named contact person and verified number.
Do not send a vague “we were hacked” message if you have not confirmed the scope. Say what you know and what recipients should do.
Example wording:
We are investigating unauthorized invoice emails that may have used or imitated our business email address. Please do not pay any invoice or bank-account change request received from our email until you verify it through our official phone number. If you already made payment to a new or unfamiliar account, please contact your bank immediately and send us the transaction details so we can coordinate reporting and preservation steps.
Common pitfalls that make recovery harder
Deleting the fake emails
Deletion destroys context. Preserve the message, header, attachments, and mailbox logs.
Waiting several days before calling banks
Fraud proceeds move quickly. Money may pass through several accounts within hours.
Using the compromised email account to warn customers
If the hacker still has access, they may delete your warning, send a counter-message, or monitor your response.
Assuming screenshots are enough
Screenshots help, but investigators usually need headers, logs, transaction records, devices, and sworn statements.
Blaming an employee without due process
If an employee clicked a phishing link or failed to follow procedure, the company may investigate. But disciplinary action must still follow labor due process. Article 297 of the Labor Code allows termination for just causes such as serious misconduct, gross and habitual neglect of duties, fraud, willful breach of trust, or analogous causes, but the employer must prove the cause and follow proper procedure. A single honest mistake is different from willful misconduct or gross and habitual neglect.
Promising customers that money will be recovered
Banks can sometimes hold or recall funds, but recovery is never guaranteed. Be honest: the company is coordinating with banks and authorities, but the result depends on timing, account status, withdrawal, transfer chain, and legal process.
Special issues for foreigners, OFWs, and cross-border scams
Foreigners and Filipinos abroad can be affected by Philippine business email compromise, especially when:
- the business is Philippine-registered;
- the victim paid to a Philippine bank or e-wallet;
- the compromised account belongs to a Philippine company;
- the suspect, mule account, or damage is connected to the Philippines;
- the email account or server activity has Philippine links.
Practical points:
- A foreign victim may need a local representative to file documents or coordinate with investigators.
- An affidavit signed abroad may need apostille or consular notarization.
- A Special Power of Attorney may be needed if someone in the Philippines will sign or file documents.
- Bank secrecy, data privacy, and cybercrime warrant rules can limit what banks or service providers can disclose directly to private parties.
- Cross-border data requests may take time, especially if email providers, hosting providers, or banks are outside the Philippines.
Frequently Asked Questions
Is sending fake invoices from my business email a crime in the Philippines?
Yes, it can be. Depending on the facts, it may involve illegal access, computer-related forgery, computer-related fraud, computer-related identity theft under RA 10175, estafa under Article 315 of the Revised Penal Code, falsification under Article 172, access device fraud under RA 8484, or related offenses.
What should I do first if a customer paid a fake invoice?
Contact the paying bank and receiving bank immediately. Ask for fraud flagging, recall, preservation of records, and escalation to the bank’s fraud unit. Then file a cybercrime report and preserve all emails, headers, invoices, and transaction records.
Am I required to report the incident to the National Privacy Commission?
Only if the incident meets the Data Privacy Act and NPC breach-notification standards. If the compromised mailbox contained sensitive personal information or information that may enable identity fraud, and unauthorized acquisition is likely to create a real risk of serious harm, notification may be required. The usual deadline under NPC Circular No. 16-03 is 72 hours from knowledge or reasonable belief of the breach.
Who is liable if the customer paid the hacker?
It depends on the contract, payment procedures, security failures, warning signs, and conduct of both parties. If the company’s real email was compromised and the company failed to use reasonable safeguards or delayed warning customers, the company may face civil exposure. If the customer ignored suspicious changes or failed to verify payment instructions required by the contract, the customer may also bear responsibility.
Can the police or NBI trace the hacker?
They can investigate, but tracing depends on the evidence available. Useful evidence includes full email headers, sign-in logs, IP addresses, bank account details, device records, CCTV, KYC documents, and transaction trails. Quick reporting improves the chance that data and funds can be preserved.
Should I file with PNP or NBI?
Either may be appropriate. The PNP Anti-Cybercrime Group and the NBI Cybercrime Division both handle cybercrime matters. Businesses often choose based on location, urgency, agency access, and the nature of the evidence. For serious losses, it is common to coordinate with banks and file a formal complaint with one investigating agency to avoid confusion.
Can I ask the bank to reveal the scammer’s account owner?
Banks are restricted by bank secrecy, data privacy, and internal compliance rules. They may not disclose full account information directly to a private complainant. However, they can preserve records, receive fraud reports, coordinate with law enforcement, and comply with lawful orders, subpoenas, warrants, or AMLC-related processes.
What if the hacker only spoofed my email and did not actually access my mailbox?
Still act quickly. Warn customers, preserve the spoofed emails with full headers, check whether your domain has SPF, DKIM, and DMARC protections, and confirm that your real mailbox was not accessed. The legal case may focus more on identity misuse, fraud, falsification, or estafa rather than illegal access to your own system.
Can I discipline an employee who clicked the phishing email?
You may investigate and impose appropriate discipline if company rules were violated, but Philippine labor law requires both substantive and procedural due process. Termination requires a valid just cause under the Labor Code and proper notices and opportunity to be heard. A single mistake should be treated differently from intentional participation, fraud, or repeated gross negligence.
How long does recovery or prosecution take?
Bank recovery can be urgent and may succeed or fail within days depending on whether funds remain. Cybercrime investigation can take weeks or months. Prosecutor proceedings and court cases can take much longer, especially if the suspect used mule accounts, foreign platforms, cryptocurrency, or overseas infrastructure.
Key Takeaways
- A fake invoice sent through your business email is not just an IT problem; it may involve cybercrime, estafa, falsification, data privacy, bank fraud, and civil liability.
- Secure the account, but do not destroy evidence.
- Contact banks immediately if money was transferred.
- Warn customers through a clean and verified channel.
- Preserve full email headers, audit logs, invoices, payment records, and a detailed timeline.
- Assess whether the incident is a notifiable personal data breach under the Data Privacy Act and NPC Circular No. 16-03.
- File with the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or appropriate law-enforcement office with complete documents.
- Liability for the lost payment depends on the facts, contract terms, security measures, and conduct of both the business and the payer.