What to Do If Someone Impersonates You by Email to Request Supplier Payments

If someone used your name, company email style, signature block, or identity by email to ask a customer, employer, or supplier to send money to a different bank account, treat it as urgent. This is not just an “email misunderstanding.” In the Philippines, this can involve cybercrime, estafa, identity theft, falsification, data privacy violations, and bank fraud procedures. The first few hours matter because banks may still be able to trace, temporarily hold, or coordinate verification of a disputed transaction, while email providers and payment platforms may still retain useful logs.

What This Kind of Email Impersonation Usually Looks Like

This situation is often called a business email compromise or supplier payment diversion scam.

Common examples include:

  • A scammer creates an email address similar to yours, such as juan.delacruz.company@gmail.com instead of your real company domain.
  • Someone hacks or accesses your real email account and sends payment instructions from it.
  • A person copies your name, job title, signature, logo, and prior email thread to make the request look legitimate.
  • A fake “finance officer,” “supplier representative,” “CEO,” “procurement head,” or “owner” asks that payment be sent to a new bank account.
  • The fraudster tells the recipient that the request is urgent, confidential, or due to a “bank maintenance issue.”
  • The scammer attaches a fake invoice, altered statement of account, or forged authorization letter.

The key legal question is not only “Was my name used?” It is also:

  • Was money actually paid?
  • Was a bank account, e-wallet, or financial account used?
  • Was your email hacked, spoofed, or merely imitated?
  • Did the recipient reasonably verify the change in payment instructions?
  • Was any personal information, company data, or supplier data exposed?
  • Can the recipient bank, receiving bank, or e-wallet still trace or freeze the funds?

Why You Should Act Within Hours, Not Days

Supplier payment impersonation cases move quickly. Fraudsters often withdraw, transfer, or split the money through several accounts within minutes or hours.

Under the Anti-Financial Account Scamming Act, Republic Act No. 12010 of 2024, Philippine financial institutions may temporarily hold funds involved in a disputed transaction for a period prescribed by BSP rules, not exceeding 30 calendar days unless extended by a court, and a transaction may be disputed if it appears unusual, has no clear economic purpose, comes from an unlawful activity, or was facilitated through social engineering schemes. (Lawphil)

This means the most practical first step is usually not “file a case tomorrow.” It is to immediately notify the banks and payment platforms involved, ask for urgent fraud handling, and preserve all evidence before the scammer deletes traces.

Immediate Steps If Someone Impersonates You by Email

1. Warn the recipient and stop the payment if possible

Contact the supplier, customer, finance team, or person who received the fake email through a separate verified channel. Do not reply only within the suspicious email thread.

Use a direct phone call, verified mobile number, official company messaging channel, or a previously confirmed email address.

Tell them:

  • The email request was unauthorized.
  • They should not send payment to the new account.
  • If payment was already sent, they should immediately report it to their bank or e-wallet provider as a fraudulent or disputed transaction.
  • They should preserve the full email, attachments, headers, screenshots, payment proof, and chat records.

Avoid vague wording like “possible issue.” Say clearly that the email is not authorized.

2. Report immediately to the sending and receiving banks

If money was transferred, report to:

Who should report | Where to report | What to ask for
The person or company that sent the money | Their bank or e-wallet provider | Fraud case number, transaction trace, recall request, written acknowledgment
The apparent owner of the receiving account, if known | Receiving bank or e-wallet provider | Temporary holding, fraud investigation, account flagging
The impersonated person or company | Your own bank and email administrator, if relevant | Account security check and written incident record

Give the bank:

  • Date and time of transfer
  • Amount
  • Sending account
  • Receiving account name and number, if available
  • Reference number or transaction ID
  • Screenshots of the fraudulent email
  • A statement that the payment instruction was unauthorized

The BSP’s consumer assistance guidance also tells consumers to include the details of the concern, requested resolution, contact details, copy of the complaint filed with the financial institution, the institution’s reply if any, and supporting documents when escalating a complaint through BSP channels. (Bureau of the Treasury)

3. Preserve the email properly

Do not just screenshot the message and delete it. Screenshots help, but they are usually not enough.

Preserve:

  • The original email in the mailbox
  • Full email headers
  • Sender address and reply-to address
  • SPF/DKIM/DMARC authentication results, if visible
  • Attachments in original format
  • Payment instructions
  • Prior legitimate email thread copied by the scammer
  • IP logs if available through your IT administrator
  • Login alerts from Gmail, Microsoft 365, Yahoo, company email, or hosting provider
  • Any forwarding rules, mailbox filters, or unknown recovery email addresses

Under the Electronic Commerce Act, Republic Act No. 8792 of 2000, electronic documents and data messages are not denied legal effect merely because they are electronic, and electronic documents may serve as the functional equivalent of written documents if integrity, reliability, and authentication requirements are met. (Lawphil)

4. Secure your email and related accounts

Change passwords immediately for:

  • Email account
  • Accounting system
  • Cloud storage
  • Banking portals
  • E-wallets
  • Domain registrar
  • Website hosting
  • Social media accounts used for business
  • Password manager master password, if compromised

Then:

  • Turn on multi-factor authentication.
  • Remove unknown devices and sessions.
  • Check email forwarding rules.
  • Check automatic filters that hide bank or supplier emails.
  • Review recovery email and phone number.
  • Check whether your email signature or old invoices were accessed.
  • Ask your IT provider to review logs, especially for Microsoft 365 or Google Workspace accounts.

This matters because the scam may not be limited to one fake email. Many supplier payment scams begin with quiet mailbox access, where the fraudster watches real supplier conversations before sending payment instructions at the right time.

5. Send a written fraud notice to affected suppliers or customers

If your identity or company name was used, send a short written notice to affected contacts.

Include:

  • The fraudulent email address or sender name
  • The date and subject line of the fake email
  • A statement that the payment instruction was unauthorized
  • Your official payment channels
  • A warning not to rely on payment changes unless verified by phone or signed written approval
  • A request to preserve all evidence

Do not accuse a specific person unless you have proof. Say “an unauthorized person” or “an unknown sender” unless the identity is confirmed.

Legal Basis in the Philippines

Cybercrime Prevention Act: identity theft, fraud, and forgery

Republic Act No. 10175, the Cybercrime Prevention Act of 2012, is the main Philippine law for cyber-enabled offenses.

For email impersonation involving supplier payments, the most relevant offenses may include:

  • Computer-related identity theft — using or misusing identifying information belonging to another person or juridical entity without right.
  • Computer-related fraud — using a computer system to cause damage or obtain economic benefit through fraudulent input, alteration, or interference.
  • Computer-related forgery — creating or altering electronic data so it appears authentic when it is not.
  • Illegal access — if the scammer accessed your real email, company account, server, or device without authority.

RA 10175 expressly penalizes computer-related identity theft involving the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another, whether a natural or juridical person, without right. (Lawphil)

The Supreme Court discussed RA 10175 in Disini v. Secretary of Justice, G.R. No. 203335, February 11, 2014, a leading case on the Cybercrime Prevention Act and constitutional limits on cybercrime enforcement. (Lawphil)

Revised Penal Code: estafa and falsification

Even if the fraud was done by email, traditional crimes under the Revised Penal Code may still apply.

The most common is estafa under Article 315. In simple terms, estafa is swindling: a person deceives another and causes damage, usually by inducing payment, delivery of money, or transfer of property.

Possible estafa theory:

  • The scammer pretended to be you or your company.
  • The recipient relied on the false representation.
  • The recipient paid money to the wrong account.
  • The recipient, supplier, or company suffered damage.

Falsification may also arise if the scammer forged an invoice, statement of account, purchase order, authorization letter, company letterhead, signature, or commercial document. Philippine cases recognize falsification under Article 172 of the Revised Penal Code for private individuals who falsify private or commercial documents. (Lawphil)

Anti-Financial Account Scamming Act: bank accounts, e-wallets, and money mules

RA 12010, the Anti-Financial Account Scamming Act, is especially important where the fake email led to a bank or e-wallet transfer.

The law covers financial accounts such as bank deposit accounts, transaction accounts, credit card accounts, e-wallets, and other accounts used for financial products or services. It also defines sensitive identifying information to include usernames, passwords, bank account details, credit card and e-wallet information, electronic credentials, and confidential personal information. (Lawphil)

The law penalizes:

  • Money muling — using, lending, selling, renting, or allowing the use of financial accounts to receive criminal proceeds.
  • Social engineering schemes — deceptive electronic communications used to obtain sensitive identifying information and gain unauthorized access or control over financial accounts.
  • Opening financial accounts under a fictitious name or using another person’s identity documents.
  • Buying or selling financial accounts.

For victims, the practical value of RA 12010 is that it gives banks, e-wallets, and the BSP clearer legal tools for disputed transactions, coordinated verification, temporary holding of funds, and investigation of suspicious financial accounts. (Lawphil)

Data Privacy Act: when personal or company data was exposed

The Data Privacy Act of 2012, Republic Act No. 10173, may become relevant if the impersonation involved unauthorized access to personal information, employee records, customer records, supplier contact lists, IDs, bank details, invoices, or confidential documents.

If a company email account was compromised and personal data was exposed, the organization may need to assess whether there was a personal data breach. The National Privacy Commission’s breach rules require notification to the Commission and affected data subjects within 72 hours in covered situations, especially where there is a real risk to the rights and freedoms of data subjects. (National Privacy Commission)

For example, a simple fake email from an outside Gmail account may not automatically be a reportable data breach. But if the scammer entered the company mailbox and accessed customer IDs, payroll records, supplier bank details, or employee files, data privacy obligations may be triggered.

Civil Code: damages and recovery of losses

Apart from criminal liability, civil liability may arise under the Civil Code.

Important provisions include:

  • Article 19 — everyone must act with justice, give everyone his due, and observe honesty and good faith.
  • Article 20 — a person who, contrary to law, willfully or negligently causes damage to another must indemnify the injured party.
  • Article 21 — a person who willfully causes loss or injury in a manner contrary to morals, good customs, or public policy must compensate the injured party.
  • Article 1170 — those guilty of fraud, negligence, delay, or breach in the performance of obligations are liable for damages.
  • Article 2176 — negligence causing damage may create liability for quasi-delict.

The Civil Code’s Articles 19, 20, and 21 are often used as general legal bases for wrongful conduct causing damage. (Lawphil)

Where to Report Email Impersonation and Supplier Payment Fraud

NBI Cybercrime Division

The National Bureau of Investigation Cybercrime Division handles cybercrime complaints and requests for investigation. The NBI Citizen’s Charter states that the general public may proceed to the Cybercrime Division to file a complaint or request investigation; the initial complaint sheet assistance is listed as free, with preliminary steps such as interview, sworn statements, and supporting documents. (National Bureau of Investigation)

In practice, bring printed and digital copies of your evidence. If you are a company officer, bring proof of authority such as a secretary’s certificate, board authorization, special power of attorney, or company ID.

PNP Anti-Cybercrime Group

The Philippine National Police Anti-Cybercrime Group also receives cybercrime complaints. Reports may be filed through official PNP-ACG channels, and cybercrime complaints often require the complainant to submit evidence, execute a complaint-affidavit, and coordinate with investigators for preservation or tracing requests. Government FOI responses have also referred cybercrime complainants to the PNP-ACG eComplaint channel and official email. (www.foi.gov.ph)

BSP and the banks involved

If a bank, e-wallet, or supervised financial institution is involved, report first to the financial institution’s fraud unit. If unresolved, you may escalate through the BSP Consumer Assistance Mechanism. BSP’s consumer assistance page explains that complaints may be filed through BSP Online Buddy, email, postal mail, phone, or walk-in channels, and that complaints should include the complaint details, requested resolution, prior complaint filed with the bank, the bank’s reply if any, and supporting documents. (Bureau of the Treasury)

CICC hotline for urgent cybercrime reporting

The Cybercrime Investigation and Coordinating Center under the DICT operates government cybercrime coordination functions. CICC public materials identify Hotline 1326 as a cybercrime reporting channel. (Facebook)

For urgent supplier payment fraud, CICC reporting may help with referral and coordination, but it should not replace direct reports to the banks and law enforcement agencies handling the evidence.

Documents and Evidence to Prepare

Document or evidence | Why it matters
Complaint-affidavit | Main sworn narrative for NBI, PNP, or prosecutor
Government ID of complainant | Identity verification
Authority to represent company | Needed if filing for a corporation, partnership, or business
Original fraudulent email | Shows sender, content, date, time, and attachments
Full email headers | Helps trace routing, spoofing, and authentication results
Screenshots | Useful for quick review, but should not replace original files
Proof of payment | Shows actual loss and transaction details
Bank reference number | Helps trace the transfer
Invoices or statements of account | Shows what was altered or imitated
Legitimate payment instructions | Helps prove the fake instruction was unauthorized
Supplier/customer correspondence | Shows reliance and timeline
IT incident report | Useful if your email account was accessed
Data breach assessment | Needed if personal data may have been exposed
Demand or notice letters | Shows prompt denial of the fake instruction

For electronic evidence, preserve both human-readable copies and technical originals. A printed screenshot may be challenged later if the other side questions authenticity.

Step-by-Step Process After the Incident

Step 1: Freeze the situation internally

Within the company or household, stop all related payments until verified. Tell accounting, procurement, treasury, and management not to act on any payment change request without independent confirmation.

Step 2: Confirm whether the email was spoofed or hacked

Ask your IT administrator or email provider to determine:

  • Was there an unauthorized login?
  • Were emails sent from your actual mailbox?
  • Were forwarding rules added?
  • Were old threads accessed?
  • Did the scammer use a lookalike domain?
  • Were attachments downloaded?
  • Were supplier bank details exposed?

This distinction matters. If your real mailbox was compromised, your obligations and evidence needs are heavier than if an outside person merely created a fake address.
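The header checks listed under "Preserve the email properly" and the spoofed-versus-hacked question in this step can be run on the preserved original file. The script below is an added example, not part of the original article: it hashes the raw .eml for the evidence record, reads the sender, reply-to, and SPF/DKIM/DMARC results, and gives a first triage label. The domain company.example, the 0.85 similarity threshold, the short freemail list, and the verdict names are assumptions made for illustration.

```python
import hashlib
import re
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.utils import parseaddr

FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com"}  # short illustrative list

# Constructed sample, not a real message; every name and domain is a placeholder.
SAMPLE_EML = (
    b"Return-Path: <juan.delacruz.company@gmail.com>\r\n"
    b"Authentication-Results: mx.supplier.example; spf=pass"
    b" smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass\r\n"
    b"From: Juan Dela Cruz <juan.delacruz.company@gmail.com>\r\n"
    b"Reply-To: finance.desk@payments-update.example\r\n"
    b"To: ap@supplier.example\r\n"
    b"Subject: Updated bank details for invoice payment\r\n"
    b"\r\n"
    b"Please send the payment to our new account.\r\n"
)


def domain_of(value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts. The topmost header wins because it is
    added last, normally by the recipient's own mail server; lower ones may
    have been written by the sender and should not be trusted."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            found.setdefault(method.lower(), result.lower())
    return found


def triage(raw, expected_domain):
    """Summarise one preserved message against the impersonated party's real domain."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg["From"] or ""))[1].lower()
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    auth = auth_results(msg)
    org_label = expected_domain.split(".")[0]
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")
    if from_dom != expected_domain:
        if SequenceMatcher(None, from_dom, expected_domain).ratio() >= 0.85:
            findings.append("lookalike_domain")
        if from_dom in FREEMAIL and org_label in from_addr.split("@")[0]:
            findings.append("freemail_with_company_name")
        verdict = "imitation_address"           # outside sender imitating the name
    elif auth.get("dmarc") == "pass":
        verdict = "sent_via_real_domain"        # review logins and mailbox rules
    else:
        verdict = "real_domain_unauthenticated"  # real domain shown, no DMARC pass
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # integrity record of the original
        "from": from_addr,
        "reply_to_domain": reply_dom,
        "return_path_domain": domain_of(msg["Return-Path"]),
        "auth": auth,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML, "company.example").items():
        print(f"{key}: {value}")
```

The verdict is a starting point for the IT review, not proof; login records and mailbox rules still decide whether the real account was accessed.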

Step 3: Notify banks and ask for coordinated verification

Use the words “fraudulent transaction,” “unauthorized payment instruction,” “social engineering,” and “request for urgent hold/recall/verification.”

Ask the bank to confirm in writing:

  • Case reference number
  • Time of report
  • Whether the funds are still in the receiving account
  • Whether a hold, recall, or coordinated verification has been initiated
  • What documents they need
  • Whether the matter has been referred to their fraud, AML, or compliance unit

Step 4: File with NBI or PNP-ACG

Prepare a clean timeline:

  1. When the legitimate transaction began
  2. Who was supposed to be paid
  3. What email address sent the fake instruction
  4. What bank account received the money
  5. Who discovered the fraud
  6. What immediate reports were made
  7. What loss was suffered
  8. What evidence is attached

Bring digital files on a USB drive or in a cloud folder, but also keep the original data in the mailbox and system logs.

Step 5: Execute sworn statements

Usually, the complainant and key witnesses execute affidavits, such as:

  • The impersonated person
  • The person who received the fake email
  • The accounting staff who processed payment
  • The IT administrator who reviewed logs
  • The bank representative, if later required through official process

For overseas Filipinos or foreigners, affidavits may need Philippine consular notarization or local notarization with apostille, depending on where the document is executed. Philippine embassies and consulates commonly provide notarization for documents to be used in the Philippines, such as affidavits and powers of attorney. (Philippine Embassy)

Step 6: Coordinate with the prosecutor or cybercrime court process

Law enforcement may refer the matter for inquest or preliminary investigation, depending on whether a suspect was arrested. In most supplier payment email scams, there is no immediate arrest, so the usual route is a complaint for preliminary investigation before the prosecutor.

Cybercrime investigations may also require warrants or court orders for disclosure of subscriber data, logs, account information, or preserved computer data. The Supreme Court’s Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC, covers procedures for preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data in relation to RA 10175. (Office of the Court Administrator)

Who May Be Liable?

Depending on the facts, liability may fall on different persons or entities.

Possible responsible party | Possible issue
Unknown scammer | Cybercrime, estafa, identity theft, falsification
Money mule account holder | Receiving, transferring, or allowing use of account for fraudulent proceeds
Insider employee | Participation, negligence, breach of duty, data leak
Supplier or customer staff | Failure to verify payment change, depending on agreement and negligence
Bank or e-wallet provider | Possible regulatory or restitution issues if it failed required controls under applicable law
Company whose email was hacked | Possible data privacy, contractual, or negligence issues, depending on security controls and notice

Not every loss automatically becomes the bank’s liability. RA 12010 recognizes restitution where an institution fails to employ adequate risk management systems and controls or fails to exercise the highest degree of diligence, but it also provides that compliant institutions may not be liable for losses arising from covered offenses. (Lawphil)

Common Pitfalls That Hurt Victims’ Cases

Waiting too long before reporting to banks

A report made after several days may still be useful for investigation, but it is much harder to recover funds after withdrawals or layered transfers.

Deleting the fake email

Do not delete the original email. If you are worried others may click links, isolate it, label it, or export it properly.

Relying only on screenshots

Screenshots are easy to understand but weak by themselves. Keep full headers, original files, logs, and payment records.

Accusing the wrong person too early

Many receiving account holders are money mules, fake identity account holders, or people whose accounts were rented or misused. State facts carefully until law enforcement confirms identity.

Not checking email forwarding rules

In many cases, the attacker quietly creates a rule that forwards all emails containing words like “invoice,” “payment,” “bank,” “remittance,” or “SOA” to an outside account.
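One way to review an exported list of mailbox rules for this pattern, shown as an added example that is not part of the original article. It assumes the export uses the property names of Exchange Online's Get-InboxRule output (ForwardTo, RedirectTo, SubjectOrBodyContainsWords and so on) and that company.example is the only internal domain; the sample rules are constructed.

```python
import re

# Keywords named in the passage above, lower-cased for comparison.
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "soa"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
HIDE_FIELDS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample export; rule names, addresses and domains are placeholders.
# json.load() on an exported rules file would produce the same list-of-dicts shape.
SAMPLE_RULES = [
    {"Name": "sync", "Enabled": True, "MarkAsRead": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment", "bank", "remittance", "SOA"],
     "ForwardTo": ['"copy" [SMTP:inbox.copy@mail-sync.example]']},
    {"Name": "Hide supplier", "Enabled": True,
     "SubjectContainsWords": ["bank"], "MoveToFolder": "RSS Feeds"},
    {"Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": "Team copy", "ForwardTo": ["[SMTP:ap@company.example]"]},
]


def as_list(value):
    """Normalise a missing, scalar or list field to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_rule(rule, internal_domains):
    """Return the reasons a rule deserves review; an empty list means none found."""
    targets = [t for field in FORWARD_FIELDS for t in as_list(rule.get(field))]
    external = sorted({
        m.group(0).lower()
        for target in targets
        for m in EMAIL_RE.finditer(str(target))
        if m.group(1).lower() not in internal_domains
    })
    words = {str(w).lower() for field in KEYWORD_FIELDS for w in as_list(rule.get(field))}
    hits = sorted(words & FINANCE_WORDS)
    hides = any(rule.get(field) for field in HIDE_FIELDS)

    reasons = []
    if external:
        reasons.append("forwards_external:" + ",".join(external))
    # Finance keywords alone are normal; they matter when mail leaves or is hidden.
    if hits and (external or hides):
        reasons.append("finance_keywords:" + ",".join(hits))
    if hides and (hits or external):
        reasons.append("hides_message")
    return reasons


def audit(rules, internal_domains):
    """Map each suspicious rule name to its enabled state and reasons."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            report[rule.get("Name", "<unnamed>")] = {
                "enabled": bool(rule.get("Enabled", True)),
                "reasons": reasons,
            }
    return report


if __name__ == "__main__":
    for name, detail in audit(SAMPLE_RULES, {"company.example"}).items():
        print(name, detail)
```

Record the flagged rules in the incident report before disabling them, since they are evidence of how long the mailbox was being watched.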

Assuming the barangay can resolve it

Barangay blotters may document a local dispute, but cybercrime payment fraud involving unknown offenders, banks, and electronic evidence usually needs NBI, PNP-ACG, banks, and possibly prosecutor action. Barangay conciliation is not designed to trace email headers, freeze bank accounts, or obtain cybercrime warrants.

Special Issues for Foreigners and Overseas Filipinos

Foreigners and OFWs are often involved in supplier payment fraud when they own Philippine businesses, buy property, pay contractors, or transact with Philippine suppliers from abroad.

Practical points:

  • If you are abroad, preserve evidence in your own email account before time zones and system retention policies cause delays.
  • A Philippine representative may need a Special Power of Attorney to file, follow up, or receive documents.
  • If the SPA or affidavit is signed abroad, check whether it should be notarized before a Philippine consulate or notarized locally and apostilled.
  • DFA apostille services are handled through the DFA Authentication Division and online appointment systems for covered documents. (Apostille.gov.ph)
  • Foreign bank transfers may require cooperation between Philippine banks, foreign banks, and law enforcement. Timelines are usually longer.
  • If the receiving account is in the Philippines, local reporting to the Philippine bank and Philippine cybercrime authorities remains important.

Frequently Asked Questions

Is email impersonation a crime in the Philippines?

Yes, it can be. Depending on the facts, it may involve computer-related identity theft, computer-related fraud, computer-related forgery, estafa, falsification, or offenses under the Anti-Financial Account Scamming Act.

What if the scammer only used a fake email but did not hack my real account?

It may still be actionable. Computer-related identity theft under RA 10175 can involve unauthorized use or misuse of identifying information. If the fake email caused payment, estafa or computer-related fraud may also be considered.

What if no money was paid yet?

You should still preserve evidence and warn affected parties. RA 10175 provides that computer-related identity theft may be punishable even if no damage has yet been caused, although the penalty may be lower in that situation. (Lawphil)

Can the bank reverse the supplier payment?

Sometimes, but not always. It depends on how fast the fraud was reported, whether the funds remain in the receiving account, the payment channel used, and whether a temporary hold, recall, or coordinated verification is available. Report immediately and ask for a written case number.

Should I file with NBI or PNP first?

Either may be appropriate. For cyber-enabled email impersonation, victims commonly approach the NBI Cybercrime Division or PNP Anti-Cybercrime Group. If funds were transferred, report to the bank first or at the same time because fund tracing is time-sensitive.

Do I need a notarized affidavit?

For a formal criminal complaint, a notarized complaint-affidavit is commonly required. NBI or PNP may first assist with a complaint sheet and preliminary interview, but prosecution usually relies on sworn statements and supporting documents.

Can I sue the supplier or customer who followed the fake payment instruction?

Possibly, depending on the contract, verification procedures, prior course of dealings, and negligence. If the contract required written confirmation, dual approval, or payment only to a nominated account, failure to verify a sudden bank change may matter. But liability depends heavily on the facts.

What if an employee clicked a phishing link?

Secure accounts immediately, investigate what data was accessed, and assess whether a personal data breach occurred. If personal data was exposed and risk thresholds are met, notification obligations under NPC rules may apply within 72 hours.

Can foreigners file a cybercrime complaint in the Philippines?

Yes, if the offense, damage, account, system, transaction, or relevant party has a Philippine connection. Foreign complainants should prepare identification, proof of authority if representing a company, and properly notarized or apostilled documents if signing abroad.

How long does a cybercrime payment fraud case take?

Bank fraud handling may begin immediately, but law enforcement investigation and prosecutor review can take weeks or months, especially if subscriber data, bank records, cybercrime warrants, or multiple institutions are involved. Recovery of funds is fastest when the report is made within hours.

Key Takeaways

  • Email impersonation requesting supplier payments should be treated as a serious cyber-fraud incident, not a simple communication error.
  • Report immediately to the sending bank, receiving bank, and e-wallet provider, and ask for urgent fraud handling, recall, hold, or coordinated verification.
  • Preserve the original email, full headers, attachments, payment proof, system logs, and screenshots.
  • Relevant Philippine laws may include RA 10175, RA 12010, RA 10173, RA 8792, the Revised Penal Code, and the Civil Code.
  • File with the NBI Cybercrime Division or PNP Anti-Cybercrime Group when there is identity theft, hacking, fake payment instructions, or financial loss.
  • If personal data was exposed, assess whether NPC breach notification rules apply.
  • For OFWs and foreigners, affidavits, SPAs, and supporting documents signed abroad may need consular notarization or apostille before use in the Philippines.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.