If someone pretends to be HR and contacts job applicants, treat it as both a fraud incident and a data privacy incident. The impersonator may be trying to collect résumés, IDs, bank details, passwords, “processing fees,” or personal information using the company’s name. In the Philippines, this can involve cybercrime, estafa, identity theft, illegal recruitment, SIM-related offenses, and violations of the Data Privacy Act. This guide explains what applicants and employers should do immediately, what laws may apply, where to report, what evidence to save, and how to reduce harm before more people are victimized.

What HR impersonation usually looks like

HR impersonation happens when a person falsely represents himself or herself as a recruiter, HR officer, hiring manager, agency representative, or company employee.

Common examples include:

A fake recruiter using a company logo, HR name, or LinkedIn profile.
A scammer emailing applicants from a lookalike domain, such as company-careers.com instead of the official company domain.
A person messaging applicants through Facebook, Telegram, Viber, WhatsApp, LinkedIn, or SMS.
A fake “HR officer” asking for government IDs, selfies, bank account details, e-wallet numbers, or OTPs.
A recruiter demanding “processing fees,” “training fees,” “medical fees,” “visa fees,” or “reservation fees.”
A person offering remote work but requiring applicants to open accounts, receive funds, or buy equipment from a specified seller.
A scammer telling the applicant to keep the offer confidential or act urgently.

The danger is not only reputational. In real cases, victims may lose money, expose sensitive personal information, become targets of identity theft, or be unknowingly used as money mules.

Is impersonating HR illegal in the Philippines?

There is no single crime called “HR impersonation” under Philippine law. The legal treatment depends on what the impersonator actually did.

For example, merely pretending to be from a company may be one thing. But using that false identity to obtain money, personal data, documents, passwords, bank credentials, or job-related payments can trigger several criminal and civil consequences.

Possible legal violations

Conduct	Possible Philippine legal issue
Using another person’s name, company identity, logo, or HR profile online	Cyber identity theft under RA 10175
Tricking applicants into paying fees	Estafa under Article 315 of the Revised Penal Code
Creating fake employment contracts, offer letters, IDs, receipts, or certificates	Falsification under Articles 171 and 172 of the Revised Penal Code
Using a false name to cause damage or hide a crime	Article 178 of the Revised Penal Code, as amended by RA 10951
Collecting résumés, IDs, birthdates, addresses, phone numbers, or government numbers without authority	Possible Data Privacy Act issue under RA 10173
Using SMS, spoofed calls, or fake SIM registration details	Possible SIM Registration Act issue under RA 11934
Recruiting for overseas jobs without authority or valid job orders	Illegal recruitment under RA 8042, as amended by RA 10022
Asking applicants to receive, transfer, or withdraw suspicious funds	Possible money mule or financial account scam issue under RA 12010

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, specifically punishes computer-related identity theft, which includes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person or entity without right. It also punishes computer-related fraud. (Lawphil)

The Cybercrime Prevention Act was reviewed by the Supreme Court in Disini v. Secretary of Justice, G.R. No. 203335, where the Court discussed the law’s regulation of cyber offenses involving the use of computers and the internet. (Lawphil)

First things to do if you are a job applicant

If a suspicious “HR” person contacted you, act quickly but calmly. The goal is to stop further harm, preserve evidence, and avoid giving the scammer more information.

1. Stop communicating through the suspicious channel

Do not argue with the impersonator. Do not warn them that you will report them if you still need to preserve screenshots, URLs, phone numbers, payment details, or account names.

Stop immediately if they ask for:

OTPs or verification codes.
Passwords or login links.
Bank account access.
E-wallet PINs.
Copies of IDs with selfies.
Upfront fees.
A “test transfer” of money.
Remote access to your phone or computer.
Confidentiality about the hiring process.

2. Verify the job offer through official channels

Use only the company’s official website, official careers page, verified LinkedIn page, or main office contact details. Do not rely on the phone number, email address, or link given by the suspicious recruiter.

Ask the real company:

Is this job opening legitimate?
Is this person connected with your HR or recruitment team?
Is this email domain authorized?
Do you collect applicant documents through this link or platform?
Do you require any payment from applicants?

A legitimate employer should be able to verify whether the communication came from its recruitment team.

3. Save evidence before blocking the sender

Before blocking or deleting anything, preserve:

Screenshots of the full conversation.
The sender’s profile page, username, phone number, email address, and URL.
The job post or advertisement.
The link to any form or website used to collect information.
Payment instructions, QR codes, bank accounts, GCash/Maya numbers, crypto wallet addresses, or receipts.
Email headers, if the contact was by email.
Call logs and SMS details.
Any documents sent to you, such as fake offer letters, contracts, IDs, or receipts.

For screenshots, include the date, time, sender identity, full URL, and message thread where possible. If you later file a complaint, investigators usually need details that connect the suspicious account, phone number, payment account, or website to the fraudulent act.

4. Do not send more IDs or personal documents

If you already sent documents, write down exactly what you sent:

Résumé or CV.
Passport.
Driver’s license.
UMID, SSS, GSIS, PhilHealth, Pag-IBIG, PRC, TIN, or national ID details.
Birth certificate.
School records.
Bank account or e-wallet information.
Selfie or video verification.
Signature specimen.

Sensitive personal information under the Data Privacy Act includes, among others, information about age, marital status, health, education, government-issued identifiers, licenses, tax returns, and similar confidential data. (National Privacy Commission)

5. If you paid money, contact the bank or e-wallet immediately

If you transferred money, call the bank, e-wallet provider, or payment platform as soon as possible. Ask whether the transaction can be held, reversed, frozen, investigated, or flagged.

Prepare:

Transaction reference number.
Date and time of transfer.
Amount.
Recipient account name and number.
Screenshots of the scam conversation.
Police or cybercrime report, if already available.

Under Republic Act No. 12010, or the Anti-Financial Account Scamming Act, financial account scamming includes money muling activities and social engineering schemes involving financial accounts. The law covers electronic communications such as calls, SMS, social media messages, email, and instant messaging. (Lawphil)

What employers should do when someone impersonates HR

For employers, HR impersonation is not just a PR issue. It may indicate that applicant data was leaked, scraped, mishandled, or accessed without authority.

1. Confirm whether there was a data breach

The company should quickly determine:

Did the impersonator get applicant names, emails, phone numbers, or résumés from the company?
Were job applicants contacted shortly after applying through the official system?
Did the scammer know private application details not publicly posted?
Was an HR email account compromised?
Was the applicant tracking system, spreadsheet, shared drive, or recruitment vendor accessed?
Did an employee, contractor, agency, or third-party recruiter mishandle the data?

If applicant data may have been accessed by an unauthorized person, the company should treat it as a potential personal data breach.

The National Privacy Commission states that breach notification is required when there is reason to believe personal data was acquired by an unauthorized person and the breach is likely to give rise to a real risk of serious harm to affected data subjects. (National Privacy Commission)

2. Activate the company’s incident response process

The company should immediately involve:

HR or Talent Acquisition.
Legal or compliance.
Data Protection Officer.
IT or cybersecurity.
Communications or corporate affairs.
The recruitment agency or platform, if any.
External counsel or forensic support, if the incident is serious.

The company should preserve system logs, email logs, access records, recruitment platform activity, and vendor communications. Do not wipe devices or delete suspicious emails until forensic preservation is considered.

3. Warn applicants clearly

A public warning should be specific enough to help applicants avoid harm, but careful enough not to expose more personal data.

A useful warning usually includes:

The official recruitment channels.
A statement that the company does not charge application or processing fees.
The official email domain used by HR.
A warning not to send OTPs, passwords, bank details, or payment.
Instructions on how applicants can verify a recruiter.
Where victims may report incidents.

Avoid vague announcements like “beware of scammers.” Applicants need practical identifiers: fake domains, fake pages, unauthorized names, or payment accounts, if disclosure is legally and operationally appropriate.

4. Notify the NPC if required

If the breach meets the mandatory notification threshold, the personal information controller must submit a Personal Data Breach Notification Form through the NPC’s Data Breach Notification Management System within 72 hours upon knowledge or reasonable belief that a personal data breach occurred. The NPC also states that affected data subjects must generally be notified within the same 72-hour period when the breach is likely to give rise to real risk to their rights and freedoms. (National Privacy Commission)

If complete information is not yet available, the company should still submit available information within the period and provide updates later. The NPC notes that the full report must be submitted within five days unless an extension is granted. (National Privacy Commission)

5. Report fake pages, domains, and accounts

The company should report impersonating accounts to the platform involved, such as Facebook, LinkedIn, Telegram, Viber, WhatsApp, Gmail, or job portals.

For fake domains or websites, the company may also consider:

Domain registrar abuse reports.
Hosting provider takedown requests.
Search engine phishing reports.
Trademark or brand impersonation complaints.
Cybercrime complaint with law enforcement.

Where to report HR impersonation in the Philippines

The correct office depends on what happened.

Situation	Where to report
Online impersonation, phishing, fake HR account, fake job website, cyber fraud	PNP Anti-Cybercrime Group or NBI Cybercrime Division
Personal data misuse, possible applicant data breach, unauthorized processing of personal information	National Privacy Commission
Overseas job offer, deployment, visa, placement fee, or foreign employer issue	Department of Migrant Workers
Local recruitment agency issue	DOLE / Bureau of Local Employment or appropriate DOLE Regional Office
Bank, e-wallet, or payment transfer used in scam	Bank, e-wallet provider, BSP-supervised institution, and law enforcement
Known suspect and sufficient evidence for criminal complaint	Office of the City or Provincial Prosecutor

The NBI Cybercrime Division’s citizen charter states that complainants may file by filling out the complaint form and submitting it to the division personnel, with regional cybercrime centers handling similar complaints. (National Bureau of Investigation)

The Department of Justice also maintains information on reporting cybercrime incidents through the Office of Cybercrime. (Department of Justice)

For privacy complaints, the National Privacy Commission requires a formal complaint in a specific format, using its complaint-affidavit form, which must be printed, filled out, notarized, and submitted in person, by courier, or by scanned email submission. (National Privacy Commission)

Step-by-step process for victims

Step 1: Make a written timeline

Write a simple chronology:

Date you saw the job post.
Platform where you found it.
Date and time the fake HR contacted you.
Name, number, email, or profile used.
What they offered.
What information or money they asked for.
What you sent or paid.
When you discovered it was fake.
What steps you already took.

This timeline will help the company, bank, police, NBI, NPC, or prosecutor understand the case quickly.

Step 2: Organize evidence in one folder

Create folders such as:

Screenshots
Payment Proof
Fake Documents
IDs Sent
Emails and Headers
Company Verification
Reports Filed

Keep original files when possible. Do not edit screenshots except to create separate redacted copies for public posting.

Step 3: Verify and notify the real company

Send a concise report to the real company’s official HR or legal email.

Include:

Your full name and contact details.
The job title involved.
The fake recruiter’s name, number, email, and profile link.
Screenshots.
Whether you paid money.
Whether you sent IDs or sensitive personal information.
A request for confirmation whether the person is authorized.

This helps the company warn other applicants and investigate possible internal or vendor-related leaks.

Step 4: Report to law enforcement

For cyber-related complaints, prepare:

Valid government ID.
Complaint-affidavit or written complaint.
Screenshots and digital evidence.
URLs, phone numbers, emails, usernames, and account details.
Payment receipts or bank/e-wallet records.
Company confirmation that the recruiter is fake, if available.
Device used, if relevant.
Witness details, if any.

In practice, cybercrime complaints can take time because investigators may need platform records, subscriber information, bank records, telco details, or warrants. Some information cannot simply be released to a private complainant because of privacy and due process rules.

Step 5: File an NPC complaint if personal data was misused

If your personal information was misused, maliciously disclosed, improperly obtained, or used without authority, you may consider an NPC complaint.

The NPC’s complaint process generally requires:

Complaint-affidavit in the required format.
Notarization.
Supporting evidence.
Submission by the accepted channels.

If you are abroad, documents signed outside the Philippines may need proper notarization and, depending on where they are executed, apostille or consular authentication before they are used in Philippine proceedings.

Step 6: Protect your identity

If you sent IDs or sensitive data, consider these practical steps:

Change passwords on email, job portals, and social media accounts.
Enable two-factor authentication.
Watch for loan, e-wallet, SIM, or account-opening attempts.
Notify your bank or e-wallet provider if financial details were exposed.
Be alert for follow-up scams pretending to “recover” your money.
Keep a record of suspicious calls or messages after the incident.
Consider replacing compromised cards or credentials where feasible.

Special issue: overseas job offers and illegal recruitment

If the fake HR offer involves work abroad, be extra careful. Philippine law strictly regulates overseas recruitment.

Under RA 8042, as amended by RA 10022, illegal recruitment includes recruitment and placement activities undertaken without the required license or authority. The Supreme Court has repeatedly recognized that illegal recruitment may be prosecuted together with estafa when victims are deceived into paying money for supposed employment. (Lawphil)

The DMW’s anti-illegal recruitment guidance advises applicants not to apply with agencies not licensed by POEA/DMW, not to deal with licensed agencies without job orders, not to transact with unauthorized representatives, not to transact outside the agency’s registered address, not to pay placement fees without a valid employment contract and official receipt, not to accept tourist visas, and not to deal with fixers. (Department of Migrant Workers)

For overseas job offers, verify:

Whether the recruitment agency is licensed.
Whether there is an approved job order.
Whether the person contacting you is an authorized representative.
Whether the transaction is at the registered office or authorized venue.
Whether the visa category matches the work promised.
Whether fees are lawful, receipted, and charged at the proper time.

A common red flag is a “foreign HR manager” or “immigration consultant” asking a Filipino applicant to travel on a tourist visa first and “convert later.” That can expose the applicant to immigration problems, labor exploitation, trafficking risks, and loss of legal protection.

Special issue: fake HR asking for bank accounts or money transfers

Some fake job offers are designed to recruit money mules. The applicant is told that the “job” involves receiving payments, processing payroll, testing remittance systems, converting crypto, or forwarding funds.

This is dangerous. Even if the applicant believes it is legitimate work, receiving and moving suspicious funds can place the applicant under investigation.

Under RA 12010, money muling includes using, borrowing, or allowing the use of a financial account to obtain, receive, deposit, transfer, or withdraw proceeds known to be derived from crimes, offenses, or social engineering schemes. (Lawphil)

Red flags include:

“We will send money to your account for verification.”
“You only need to receive funds and forward them.”
“Use your GCash/Maya/bank account for company transactions.”
“Open a new account using your ID.”
“You will earn commission per transfer.”
“Do not tell the bank this is for work.”

A legitimate employer should not ask a job applicant to move third-party funds through a personal bank or e-wallet account.

Special issue: fake HR using SMS or spoofed numbers

If the impersonator contacted you through text message, RA 11934, or the SIM Registration Act, may become relevant. The law requires SIM registration and penalizes acts such as using fictitious identity or fraudulent identification documents to register a SIM, and spoofing or transmitting misleading information about the source of a call or text with intent to defraud, cause harm, or wrongfully obtain value. (Lawphil)

However, SIM registration does not automatically identify the scammer for the victim. Law enforcement and authorized agencies may still need proper process to obtain subscriber information from telcos.

Common mistakes that hurt HR impersonation cases

Deleting the conversation too early

Many victims block and delete immediately out of fear or embarrassment. That can destroy useful evidence. Screenshot first, save links, then block.

Posting unredacted IDs online

It is understandable to warn others, but do not upload your passport, national ID, bank receipt, address, phone number, or full email thread publicly without redaction. You may accidentally expose yourself further.

Paying a “recovery fee”

Scammers often return under another identity and claim they can recover your payment for a fee. This is usually another scam.

Assuming a company is automatically liable

A company may be responsible if the incident resulted from its own data breach, negligent vendor handling, unauthorized disclosure, weak recruitment controls, or failure to protect applicant data. But if the scammer merely copied a public logo and randomly messaged people, liability may focus on the impersonator. The facts matter.

Treating a cybercrime report as instant recovery

Police or NBI reporting is important, but it does not guarantee immediate refund or account freezing. Banks, platforms, telcos, and prosecutors may have separate processes.

Ignoring privacy duties because “no money was lost”

Even if no applicant paid money, unauthorized access to résumés, IDs, contact details, or interview records may still create serious privacy and identity theft risks.

Practical checklist for applicants

Action	Why it matters
Stop responding to the suspicious recruiter	Prevents further manipulation
Screenshot messages, profiles, URLs, payment details	Preserves evidence
Verify with official company channels	Confirms whether the offer is fake
Do not send OTPs, passwords, IDs, or payment	Reduces harm
Report payment quickly to bank/e-wallet	May help freeze or trace funds
Report cybercrime to PNP ACG or NBI	Starts law enforcement documentation
Report data misuse to NPC when appropriate	Addresses privacy violations
Monitor accounts and identity misuse	Helps catch follow-up fraud

Practical checklist for employers

Action	Why it matters
Confirm if applicant data was exposed	Determines whether breach notification is needed
Preserve logs and recruitment records	Supports investigation
Warn applicants using official channels	Prevents more victims
Notify NPC within 72 hours if mandatory	Required for qualifying personal data breaches
Report fake accounts and domains	Helps takedown and containment
Coordinate with PNP ACG or NBI	Supports criminal investigation
Review vendors and recruitment access	Prevents recurrence
Publish safe hiring practices	Builds applicant trust

Frequently Asked Questions

Can someone go to jail for pretending to be HR in the Philippines?

Yes, depending on the acts committed. If the person used another identity online, collected personal information, falsified documents, or tricked applicants into paying money, possible charges may include cyber identity theft, computer-related fraud, estafa, falsification, illegal recruitment, or other offenses.

What if I did not lose money but I sent my résumé and ID?

You should still treat it seriously. Your personal information may be used for identity theft, fake accounts, loan applications, SIM registration, or follow-up scams. Save evidence, notify the real company, secure your accounts, and consider reporting to the NPC if your personal data was misused or improperly obtained.

Is the company liable if scammers used its name?

Not automatically. If the scammer merely copied a public company name or logo, the company may also be a victim. But if applicant data came from the company’s systems, HR team, recruitment vendor, or mishandled records, the company may have obligations under the Data Privacy Act, including investigation, containment, and possible breach notification.

Should I report to the barangay first?

For online fraud or cyber impersonation, the more relevant offices are usually the PNP Anti-Cybercrime Group, NBI Cybercrime Division, NPC, DMW, DOLE, or the prosecutor’s office, depending on the facts. A barangay blotter may help document harassment or local incidents, but barangays do not investigate cybercrime in the same way specialized law enforcement units do.

Can I file a complaint if I am outside the Philippines?

Yes, but practical requirements may differ. If you need to sign affidavits or authorize someone in the Philippines, you may need a Special Power of Attorney. Documents executed abroad may need notarization and, in many cases, apostille or consular authentication before being used in Philippine proceedings.

What if the fake HR used Telegram, WhatsApp, or Facebook only?

Save the profile link, username, phone number, group link, conversation screenshots, and any payment details. Report the account to the platform and to Philippine cybercrime authorities if the victim, company, suspect, payment account, or harmful effect is connected to the Philippines.

Can a fake job offer be illegal recruitment?

Yes, especially if it involves overseas employment and the person or agency has no required license, authority, or approved job order. Illegal recruitment may exist even when the offer is made online. It becomes more serious when committed against multiple persons or by a group.

Is it legal for employers to ask applicants for IDs?

Employers may request applicant information for legitimate hiring purposes, but the Data Privacy Act requires transparency, legitimate purpose, and proportionality. That means the employer should collect only what is necessary, explain why it is collected, secure it properly, and avoid excessive or premature collection of sensitive documents. (Lawphil)

What should a legitimate job offer not require?

A legitimate job offer should not require OTPs, personal bank transfers, payment to personal accounts, tourist visa deployment for work abroad, password sharing, remote access to your device, or use of your personal bank/e-wallet account to move company funds.

How long do these cases take?

Timelines vary widely. A bank or e-wallet report may be acted on quickly if filed immediately, but cybercrime investigation can take weeks or months because investigators may need records from platforms, telcos, banks, and hosting providers. NPC complaints, prosecutor proceedings, and court cases can take longer, especially if evidence must be authenticated or obtained from foreign platforms.

Key Takeaways

HR impersonation in the Philippines can involve cybercrime, estafa, identity theft, falsification, illegal recruitment, financial account scams, and data privacy violations.
Applicants should stop communicating, preserve evidence, verify through official company channels, and avoid sending IDs, OTPs, passwords, or payment.
Employers should investigate whether applicant data was exposed, warn applicants, preserve logs, report fake accounts, and notify the NPC within 72 hours if a mandatory personal data breach notification is triggered.
Overseas job offers should be verified with DMW rules on licensed agencies, valid job orders, authorized representatives, lawful placement fees, and proper work visas.
Fake HR requests involving bank accounts, e-wallets, fund transfers, or “payment processing” may expose applicants to money mule risks.
The most useful evidence includes screenshots, URLs, email headers, phone numbers, payment records, fake documents, and written confirmation from the real company.