A fake customer support account can damage your business within hours. It may copy your logo, business name, staff photos, and official posts, then message customers to collect payments, one-time passwords, account credentials, or personal information. Your priorities are to stop further harm, preserve evidence before it disappears, warn customers without creating panic, secure your real systems, and report the impersonator through the proper Philippine legal and platform channels.
First, Identify What Kind of Impersonation Happened
The correct response depends on how the impersonator is operating.
A separate fake account
The scammer created a lookalike Facebook page, Instagram account, Telegram profile, WhatsApp number, email address, website, or marketplace store.
Your legitimate account may still be secure, but customers can be deceived because the fake account copies your branding and communication style.
A hacked official account
The scammer gained access to your actual customer support account and is sending messages from it.
This is more urgent because customers may reasonably trust messages coming from your established account. Treat it as both a cybersecurity incident and a possible personal data breach.
A spoofed email or fake domain
The messages appear to come from your company, but the sender uses a deceptive address such as:
support@your-company-help.comyourcompany.support@gmail.com- A domain with one changed letter
- An email display name that hides the real sender address
Email spoofing may also make a message appear to come from your real domain even when it did not.
An employee, former employee, or contractor posing as official support
A person with inside knowledge may continue using company materials, customer lists, scripts, passwords, or contact information after authority has been withdrawn.
This situation may involve unauthorized access, breach of confidentiality, misuse of personal data, fraud, and employment or contractual violations.
Philippine Laws That May Apply
“Impersonation” is not always charged under one single offense. Investigators and prosecutors examine what information was used, how the impersonator deceived people, whether money or data was obtained, and whether your systems were accessed.
Computer-related identity theft under RA 10175
Section 4(b)(3) of the Cybercrime Prevention Act of 2012, Republic Act No. 10175, penalizes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of another person’s identifying information without right. The law expressly covers identifying information belonging to a natural person or a juridical person, such as a corporation or other registered entity.
A fake support account may fall within this provision when it uses a company’s identifying information—such as its business identity, official account details, or other credentials—without authority. Whether merely copying a publicly visible logo is enough will depend on the complete facts, particularly the information used and the offender’s purpose. (Lawphil)
Other possible offenses under RA 10175 include:
- Illegal access, when someone enters your account or computer system without authority
- Computer-related fraud, when computer data or a computer system is manipulated to cause damage through fraud
- Cyberlibel, when the fake account publishes defamatory statements
- Traditional crimes committed through information and communications technology, which may be subject to Section 6 of RA 10175
Estafa and use of a fictitious name
If the impersonator deceives customers into sending money, the conduct may constitute estafa, or swindling, under Article 315 of the Revised Penal Code. The prosecution must generally establish deceit, reliance on the deceit, and resulting damage.
Article 178 may also apply when a person publicly uses a fictitious name to conceal a crime, evade a judgment, or cause damage. The mere use of a nickname or anonymous online identity is not automatically criminal; the prohibited purpose must be shown. The penalties under Article 178 were updated by Republic Act No. 10951. (Lawphil)
Financial account scamming under RA 12010
The Anti-Financial Account Scamming Act, Republic Act No. 12010, is especially relevant when fake support personnel ask for:
- Bank or e-wallet usernames
- Passwords
- One-time passwords or OTPs
- Card details
- Account numbers
- Other information used to access a financial account
RA 12010 penalizes social engineering schemes that use deception or electronic communications to obtain sensitive identifying information and gain unauthorized control of a financial account. It also penalizes money-mule activities involving accounts used to receive or transfer criminal proceeds.
Banks, e-wallet providers, and other BSP-supervised institutions may temporarily hold funds involved in a disputed transaction for the period allowed by law and BSP rules, which cannot exceed 30 calendar days unless extended by a court. Reporting the transaction immediately is therefore critical; a temporary hold is not automatic and does not guarantee recovery. (Lawphil)
The Access Devices Regulation Act, Republic Act No. 8484, as amended by RA 11449, may also apply when credit cards, debit cards, online banking accounts, payment accounts, or related access information are fraudulently obtained or used. (Lawphil)
Trademark infringement and unfair competition
If the fake account uses your registered trademark to promote fraudulent services or collect payments, Sections 155 and 156 of the Intellectual Property Code, Republic Act No. 8293 may support an infringement claim.
Section 155 covers unauthorized commercial use of a registered mark, reproduction, counterfeit, copy, or colorable imitation when the use is likely to cause confusion, mistake, or deception. Courts may grant damages, impound relevant records, and issue an injunction ordering the wrongful use to stop. (Lawphil)
Unfair competition under Section 168 may apply when the impersonator passes off its services, communications, or business activities as those of another. Fraud is a central element of unfair competition, as emphasized by the Supreme Court. (Lawphil)
Trademark remedies are strongest when you can produce:
- An IPOPHL certificate of trademark registration
- Evidence of actual use in the Philippines
- Archived advertisements and social media posts
- Proof that customers associate the mark with your business
- Examples showing likely or actual customer confusion
Data Privacy Act obligations
Impersonation does not automatically mean your company suffered a data breach. A scammer may have copied only information visible to the public.
However, you should investigate whether the impersonator obtained customer names, telephone numbers, email addresses, order histories, identification documents, login details, or other personal data from your company, an employee, a contractor, or a compromised support platform.
Under the Data Privacy Act of 2012, Republic Act No. 10173, businesses acting as personal information controllers must use reasonable organizational, physical, and technical security measures. Unauthorized processing, access, disclosure, or misuse of personal information may also expose the offender to liability. (Lawphil)
Notification to the National Privacy Commission and affected individuals is generally mandatory when all of these conditions are present:
- The compromised data includes sensitive personal information or information that may enable identity fraud;
- There is reason to believe that an unauthorized person acquired it; and
- The breach is likely to create a real risk of serious harm.
When mandatory notification applies, the personal information controller must submit the initial report through the NPC’s Data Breach Notification Management System within 72 hours from knowledge or reasonable belief that a breach occurred. Available information should be reported within the deadline even when the investigation is incomplete. (National Privacy Commission)
Civil liability for damage to the business and customers
Articles 19, 20, and 21 of the Civil Code provide general grounds for civil liability when a person acts unlawfully, contrary to morals or public policy, or in bad faith and causes damage.
Depending on the evidence, a business may pursue:
- Actual damages, such as refunds, investigation expenses, lost sales, and system-restoration costs
- Lost profits that can be proved with reasonable certainty
- Injunctive relief to stop continued misuse
- Attorney’s fees in situations allowed by law
- Separate civil remedies arising from fraud under Article 33 of the Civil Code
Claims for reputational or speculative losses require careful proof. Keep financial records showing unusual refunds, customer cancellations, chargebacks, advertising expenses, and revenue changes linked to the incident.
What to Do Immediately
1. Preserve the fake account before reporting it
Do not begin with repeated mass reporting. The account could disappear before you have usable evidence.
Capture:
- The full account name and username
- The account’s exact URL
- Profile image, cover image, biography, and contact details
- Creation date or account-transparency information, if displayed
- Posts, stories, advertisements, and comments
- Messages sent to customers
- Payment instructions and recipient account details
- QR codes, links, telephone numbers, and email addresses
- Dates and times, preferably with the device clock visible
- Search results showing how the fake account appears beside your real account
Take both screenshots and a continuous screen recording. Begin the recording outside the profile, open the fake account, scroll through it, and open relevant messages or posts. This helps show that the evidence came from the identified account rather than from an edited image.
For email impersonation, preserve the original email and its complete technical headers. Forwarding or copying the text may remove information that investigators need.
2. Ask affected customers to preserve their own evidence
A customer who directly received the messages is an important witness. Ask the customer to retain:
- The complete conversation
- The original device used
- Payment confirmations
- Bank or e-wallet reference numbers
- The recipient’s account name and number
- Text messages and call logs
- Links opened or files downloaded
- OTP requests or login notifications
Whenever possible, obtain a sworn affidavit from a customer who lost money or disclosed sensitive information. A screenshot submitted by the business is useful, but testimony from the person who personally received and captured the communication gives the evidence a clearer foundation.
3. Secure your legitimate accounts and systems
Even when the fake profile appears separate, confirm that the scammer did not first compromise your systems.
Immediately:
- Change passwords for social media, email, helpdesk, domain, hosting, advertising, and payment accounts.
- Terminate active sessions on unfamiliar devices.
- Enable multi-factor authentication using an authenticator app or security key where available.
- Remove former employees, agencies, and contractors who no longer need access.
- Review administrator changes, forwarding rules, API access, recovery email addresses, and login histories.
- Preserve security logs before normal retention periods erase them.
- Scan company devices for malware and credential-stealing software.
- Contact your domain registrar or hosting provider if a deceptive domain has been registered.
Do not reset, reformat, or replace a possibly compromised device before preserving relevant logs and consulting your technical investigator.
4. Publish a clear customer warning
Use every verified channel your customers already recognize:
- Your official website
- Verified social media accounts
- In-app notifications
- Email or SMS, when appropriate
- Physical branches or storefront notices
- Marketplace announcements
The warning should identify the exact fake username, number, email address, or domain. State what your legitimate support team will never request, such as an OTP, password, card PIN, remote-access installation, or payment to a personal account.
Avoid naming a suspected individual unless the evidence is reliable and publication is legally justified. Public accusations made without adequate proof may create defamation or cyberlibel exposure.
5. Report the account to the platform
Use the platform’s impersonation, trademark, fraud, hacked-account, or phishing reporting process. A business account’s normal “report profile” button may not be enough.
Prepare:
- SEC certificate, DTI business registration, or other proof of legal existence
- Government-issued ID of the authorized representative
- Secretary’s certificate or board resolution for a corporation
- Trademark registration, if applicable
- Proof of control over the official account
- Links to the real and fake accounts
- A concise comparison showing copied elements
- Police, NBI, or incident-report reference number, if already available
Submit separate reports for impersonation, fraud, trademark misuse, phishing, and compromised accounts when the platform provides different channels. Save every confirmation email, ticket number, and automated response.
A platform takedown may remove the public account, but it does not identify the offender or recover customer funds. Continue the legal and financial reports even after removal.
6. Notify banks, e-wallets, and payment providers immediately
When money has been sent:
- The customer should contact the sending bank or e-wallet through its official fraud channel.
- Provide the amount, date, time, reference number, and recipient account.
- Ask that the transaction be formally marked as disputed or fraudulent.
- Request coordination with the receiving institution.
- Obtain a complaint or case reference number.
- Report the matter to law enforcement without waiting for the bank’s final investigation.
The receiving account may be a money-mule account belonging to someone who lent, rented, or sold it. The name displayed on an e-wallet receipt is therefore not necessarily the mastermind’s identity.
7. Conduct a formal data-breach assessment
Your data protection officer or incident-response team should determine:
- Whether the fake account used nonpublic customer information
- How the information may have been obtained
- Which systems, vendors, and employees had access
- The number and categories of affected individuals
- Whether passwords, IDs, financial information, or account credentials were involved
- The realistic harm customers may face
- Whether NPC and individual notification is mandatory
Document the assessment even when you conclude that mandatory breach notification is not required. The NPC expects non-notifiable incidents to be documented and, where applicable, included in the company’s annual security incident reporting. (National Privacy Commission)
8. File a cybercrime complaint with the NBI or PNP
You may report the matter to:
- The NBI Cybercrime Division
- The PNP Anti-Cybercrime Group or the appropriate regional anti-cybercrime unit
- The nearest NBI regional or district office with investigative jurisdiction
- The Department of Justice Office of Cybercrime for appropriate coordination, particularly in cross-border matters
The NBI Citizen’s Charter describes an initial process involving a complaint sheet, preliminary interview, sworn statements, submission of supporting documents, and possible examination of a relevant device. It lists no government fee and an estimated intake-processing time of about one hour and ten minutes. That estimate covers intake steps, not the full investigation, identification of the offender, warrant applications, or prosecution. (National Bureau of Investigation)
Bring originals and organized copies of:
- Government-issued ID
- Complaint-affidavit or detailed incident narrative
- Proof that you are authorized to represent the business
- SEC, DTI, CDA, or other registration documents
- Trademark certificate, if applicable
- Evidence of the legitimate account
- Screenshots, recordings, URLs, and exported chats
- Email headers and security logs
- Customer affidavits
- Payment and bank records
- Platform report confirmations
- An incident chronology
- A list of suspected offenses, without insisting on a final legal classification
A complaint against an unidentified offender may still be investigated. Subscriber identity, login records, IP information, and related computer data usually require lawful preservation and disclosure procedures.
RA 10175 provides for preservation of specified computer data. Disclosure of subscriber information, traffic data, or content generally requires the proper legal process, including a cybercrime warrant where required. This is why early law-enforcement involvement matters: platforms may delete data under their ordinary retention policies, and they will not usually disclose confidential subscriber records merely because a business sends a private demand letter. (Lawphil)
9. Consider DTI, NPC, IPOPHL, and court remedies
The correct forum depends on what happened.
| Situation | Possible office or remedy |
|---|---|
| Customers were deceived in an online sale | DTI Consumer Care, the DTI E-Commerce Bureau, the platform, and law enforcement |
| The incident involves an online merchant or marketplace listing | Remedies under RA 11967, including appropriate DTI proceedings and possible takedown measures |
| Personal data was improperly obtained or exposed | National Privacy Commission complaint or breach notification |
| A registered mark or trade name is being commercially misused | IPOPHL administrative remedies, civil action, or criminal complaint |
| Immediate continued harm requires a court order | Application for temporary restraining order or injunction in the proper court |
| Money was obtained through deception | Criminal complaint for estafa, cybercrime, AFASA, or related offenses |
| A hacked company account is being used | Cybercrime investigation, platform account recovery, breach assessment, and possible injunction |
The DTI Consumer Care System accepts online consumer complaints. Republic Act No. 11967, or the Internet Transactions Act of 2023, protects online consumers and merchants and authorizes enforcement measures involving online transactions, including takedown orders in circumstances covered by the law. Pure account impersonation unconnected with an online sale may still be better handled primarily through the platform, NBI or PNP, IPOPHL, and the courts. (DTI Consumer Care System)
NPC complaints must use the Commission’s current complaint-affidavit form and procedures. The NPC announced that a revised complaint-affidavit template took effect on July 1, 2025. Check the National Privacy Commission’s official website before filing because forms and electronic filing procedures may change. (National Privacy Commission)
10. Maintain one complete incident file
Keep a secure master folder containing:
- A dated chronology
- Evidence index
- Original files
- Copies submitted to each agency
- Platform ticket numbers
- Bank or e-wallet case numbers
- Customer reports
- Internal investigation notes
- Data-breach assessment
- Expenses and financial losses
- Updates showing whether the account reappeared
Preserve original files separately from working copies. Avoid cropping, annotating, or compressing the only copy of a screenshot or video.
Documents, Fees, and Realistic Timelines
| Action | Important documents | Government fee | Practical timing |
|---|---|---|---|
| Platform impersonation report | ID, business registration, account URLs, trademark proof | Usually none | Hours to several weeks |
| Bank or e-wallet fraud report | Transaction record, ID, recipient details, affidavit if requested | Usually none | Report immediately; investigation varies |
| NBI cybercrime intake | ID, sworn statement, evidence, authority to represent business | None listed in the NBI Citizen’s Charter | Intake may be completed the same day; investigation may take months |
| PNP Anti-Cybercrime complaint | ID, affidavit, digital evidence, payment records | Generally none | Initial report may be immediate; case build-up varies |
| NPC breach notification | Incident facts, affected data, risk assessment, mitigation measures | No ordinary filing fee for breach notification | Initial notification within 72 hours when mandatory |
| NPC complaint | Current complaint-affidavit form and supporting evidence | Check current NPC schedule | Evaluation and investigation may take months |
| Trademark or unfair-competition proceeding | Trademark record, proof of use, confusion and damage evidence | Filing fees vary | Several months or longer |
| Prosecutor’s preliminary investigation | Complaint-affidavit, witness affidavits, authenticated evidence | No ordinary prosecution fee, but notarization and copying costs apply | Commonly several months, depending on service and submissions |
| Civil injunction or damages case | Verified pleading, affidavits, business and damage records | Court filing fees apply | Emergency relief may be sought promptly; the main case may take years |
Takedown speed depends heavily on the platform, completeness of documents, and whether the account is actively causing financial harm. Criminal investigations often slow down when the account uses foreign platforms, prepaid SIM cards, virtual private networks, cryptocurrency, foreign hosting, or layers of money-mule accounts.
Special Considerations for Foreign Companies and Overseas Owners
A foreign business can report impersonation affecting Philippine customers or occurring through infrastructure, accounts, or transactions connected with the Philippines.
Prepare proof that the person filing locally is authorized to represent the foreign company. A corporate authorization, power of attorney, certificate of incorporation, or similar document executed abroad may need:
- An apostille from the country of origin, when both countries use the Apostille Convention process
- Philippine embassy or consular authentication when the apostille process is unavailable
- A certified English translation if the document is in another language
- A Philippine address for service or local representative in proceedings that require one
Foreign trademark registration does not automatically provide the same remedies as a Philippine registration. Protection may still exist for internationally well-known marks or under treaty principles, but enforcement is more fact-sensitive. A nonresident trademark applicant must designate a Philippine resident for service under Section 125 of the Intellectual Property Code. (Lawphil)
Cross-border investigations usually take longer because Philippine authorities may need voluntary platform cooperation, preservation requests, mutual legal assistance, or other international procedures.
Common Mistakes That Make the Situation Worse
Reporting before preserving evidence
Once the platform removes the account, public posts, usernames, messages, and account-transparency details may no longer be accessible.
Publicly identifying the alleged scammer too early
The bank-account holder, SIM registrant, employee, or person shown in a profile photo may be another victim or a money mule. Publish warnings about the fake account and its methods, not unverified accusations.
Assuming a barangay blotter is enough
A barangay record may help document when the incident was reported, but the barangay cannot compel a global platform to disclose subscriber data or issue a cybercrime warrant. Cases involving an unknown online offender, parties from different localities, or serious offenses should be brought promptly to the NBI, PNP Anti-Cybercrime Group, or prosecutor.
Treating every impersonation incident as a data breach
Copying a logo and public posts is different from obtaining customer records from your system. Investigate before making either conclusion.
Waiting for a platform response before contacting the bank
Funds can be transferred through several accounts or withdrawn quickly. Financial reporting and platform reporting should happen at the same time.
Using only cropped screenshots
A cropped image may omit the URL, username, timestamp, surrounding conversation, and other details needed to establish authenticity and context.
Creating a replacement account without explaining it
Customers may become even more confused when several accounts claim to be official. Publish an updated list of verified channels on your website and pin it on every legitimate account.
Paying the impersonator to stop
Payment rarely ensures removal and may encourage further extortion. Preserve the demand and report it.
Frequently Asked Questions
Is pretending to be a company online a crime in the Philippines?
It can be. Depending on the conduct, possible offenses include computer-related identity theft, illegal access, computer-related fraud, estafa, use of a fictitious name, financial account scamming, access-device fraud, trademark infringement, unfair competition, and data privacy violations. The applicable charge depends on the elements supported by evidence.
Can I file a complaint even if no customer lost money?
Yes. Computer-related identity theft under RA 10175 may still be punishable even when no damage has yet occurred, although the law provides a lower penalty in that situation. Attempted fraud, trademark misuse, unauthorized access, or other offenses may also apply.
Should I report the fake account to the barangay first?
Usually, no. A barangay report can serve as an additional record, but cybercrime evidence preservation, subscriber identification, account tracing, and warrant applications require law-enforcement and judicial processes.
Can the police force Facebook, Google, or another platform to reveal the account owner?
Not through an informal request alone. Disclosure generally requires the legal process applicable to the requested data. Law enforcement may seek preservation and the appropriate cybercrime warrant or court order. Foreign platform records may require additional cross-border procedures.
What should I do when customers already sent money?
Tell each customer to contact the sending bank or e-wallet immediately, mark the transaction as fraudulent, request coordinated tracing or a temporary hold, retain the reference number, and file a law-enforcement complaint. Your business should separately preserve evidence and provide proof that the recipient was not an authorized company account.
Am I legally required to refund customers fooled by the fake account?
Not automatically. Liability depends on factors such as whether the customer dealt with your real or fake account, whether your systems were compromised, whether the company contributed to the loss through negligence or misleading practices, and the terms of the transaction. Businesses should assess claims consistently and avoid making premature admissions before the facts are established.
Do I have to notify the National Privacy Commission?
Only when the legal conditions for mandatory breach notification are met. If the scammer merely copied public branding, there may be no personal data breach. If customer credentials, identification records, financial information, or other identity-fraud-enabling data were acquired from your systems, the 72-hour notification rule may apply.
Are screenshots accepted as evidence?
Screenshots can be used, but they should be authenticated by someone with personal knowledge of how they were obtained. Preserve full URLs, dates, account details, original devices, screen recordings, exported chats, email headers, and witness affidavits. A screenshot’s evidentiary value is stronger when its source and integrity can be explained.
Can I sue if my trademark is not registered?
Registration gives important statutory rights and clearer proof of ownership. Even without registration, trade-name protection, unfair competition, passing off, Civil Code remedies, and fraud-related claims may still be available. The strength of the case will depend heavily on proof of prior use, public association, deception, and damage.
What if the impersonator is outside the Philippines?
A Philippine investigation may still be possible when relevant acts, victims, accounts, systems, or damage are connected with the Philippines. Identification and prosecution may take longer because authorities may need international cooperation or records from foreign service providers.
Key Takeaways
- Preserve the fake account, messages, URLs, payment details, and technical records before requesting removal.
- Secure every legitimate account and determine whether the incident involves a separate fake profile or a hacked official account.
- Warn customers through verified channels and clearly state what your support team will never request.
- Report fraudulent transfers to banks and e-wallets immediately; do not wait for the platform to act.
- Investigate whether customer data was taken from your systems and comply with the NPC’s 72-hour notification rule when the legal conditions are present.
- File with the NBI Cybercrime Division or PNP Anti-Cybercrime Group early so electronic records can be preserved and lawful disclosure procedures can begin.
- Consider trademark, unfair-competition, DTI, NPC, civil, and injunctive remedies according to the facts.
- Avoid unverified public accusations, altered evidence, and reliance on platform reporting alone.