If you suddenly receive a “verify your account,” “welcome,” or “password reset” email for an account you did not create, treat it as a security and identity issue—not just an annoying mistake. In the Philippines, someone using your email address may be harmless if it was a typo, but it can also be part of identity theft, online fraud, unauthorized processing of personal information, or a setup for future scams. The right response depends on what kind of account was opened, whether your name or other personal details were used, and whether money, credit, e-wallets, loans, subscriptions, or government-linked services are involved.
Why Someone Might Open an Account Using Your Email Address
There are several common scenarios:
| Situation | What it usually means | Risk level |
|---|---|---|
| A stranger accidentally typed your email | Honest mistake, especially if your email is common | Low |
| Someone used your email but not your name | Could be spam, abuse of a free trial, or account verification trick | Low to medium |
| Someone used your email plus your name, phone, ID, or address | Possible identity misuse | High |
| Someone opened a bank, e-wallet, loan, crypto, shopping, delivery, or postpaid account | Possible fraud or credit/financial exposure | High |
| You received OTPs, password resets, or login alerts | Possible attempted takeover or phishing | High |
| The account involves defamatory posts, scams, marketplace fraud, or harassment | Possible criminal, civil, and reputational consequences | High |
The first rule is simple: do not click suspicious links just because the email looks urgent. Instead, go directly to the official website or app of the company and use its official support channels.
Is Using Someone Else’s Email Address Illegal in the Philippines?
It depends on the facts.
Using another person’s email address by mistake is not automatically a crime. But intentionally using another person’s email, especially with their name or personal details, can fall under several Philippine laws.
Cybercrime Prevention Act: Computer-Related Identity Theft
Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, punishes several computer-related offenses. One especially relevant provision is computer-related identity theft, which covers the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person, whether natural or juridical, without right. The law is available through the official text of Republic Act No. 10175 on Lawphil. (Lawphil)
An email address can be part of your identifying information, especially when connected to your name, phone number, online accounts, bank accounts, e-wallets, social media accounts, or work identity. The stronger the link to your real identity, the more serious the matter becomes.
Data Privacy Act: Unauthorized Processing of Personal Information
Republic Act No. 10173, or the Data Privacy Act of 2012, protects personal information. “Processing” is broad. It can include collecting, recording, storing, using, or disclosing personal data.
If a person or company processes your email address, name, phone number, ID, selfie, address, birthdate, or other personal data without a lawful basis, the Data Privacy Act may apply. The law penalizes unauthorized processing of personal information and sensitive personal information, and it recognizes the right of data subjects to complain when their privacy rights are violated. The official text is available from the National Privacy Commission’s Data Privacy Act page. (National Privacy Commission)
For ordinary people, this matters because many online services treat an email address as a key identifier. If someone used your email to create an account, and the platform refuses to correct or delete the account after proper notice, the issue may shift from “someone misused my email” to “the company is continuing to process my personal information despite my objection.”
Civil Code: Damages for Bad Faith, Privacy Violations, or Injury
Even if a situation does not neatly fit a criminal case, the Civil Code of the Philippines may provide a civil remedy if you suffered damage.
Articles 19, 20, and 21 of the Civil Code require people to act with justice, honesty, and good faith, and to compensate others for damage caused contrary to law, morals, good customs, or public policy. The Civil Code text is available through Republic Act No. 386 on Lawphil. (Lawphil)
In practical terms, a civil claim may become relevant if the misuse caused:
- reputational harm;
- loss of money;
- denial of service;
- damage to credit or financial standing;
- harassment;
- emotional distress;
- business loss;
- legal demands sent to you because of someone else’s account.
Access Devices Regulation Act: Bank, Card, E-Wallet, and Account Fraud
If the account is connected to a credit card, debit card, bank account, e-wallet, account number, code, password, token, or other device used to obtain money, goods, services, or anything of value, Republic Act No. 8484, as amended by Republic Act No. 11449, may be relevant. RA 8484 is known as the Access Devices Regulation Act of 1998, and RA 11449 strengthened prohibitions and penalties for access device fraud. The official law text is available through RA 8484 on Lawphil and RA 11449 on Lawphil. (Lawphil)
This becomes important when someone opens or attempts to open:
- an e-wallet using your email;
- a buy-now-pay-later or lending app account;
- a credit card-related profile;
- an online banking account;
- a merchant or seller account that can receive payments;
- a crypto or remittance account;
- a subscription account that may charge you later.
What to Do Immediately
1. Do not verify the account
If the email asks you to click “verify,” “confirm,” or “activate,” do not do it unless you are sure the account is yours.
Clicking a verification link can accidentally help the other person complete the account registration. It may also expose you to phishing if the email is fake.
Instead:
- open a new browser tab;
- manually type the company’s official website;
- look for “Help,” “Support,” “Report fraud,” “Privacy,” or “Data Protection Officer”;
- report that an account was created using your email without your consent.
2. Secure your email account first
Before dealing with the platform, protect your email account itself.
Do the following:
- Change your email password.
- Turn on two-factor authentication or passkeys.
- Check recovery email and recovery phone settings.
- Review recent login activity.
- Sign out of unknown devices.
- Check forwarding rules and filters.
- Look for deleted or archived security emails.
- Review connected apps and remove anything you do not recognize.
This matters because some fraudsters first test whether an email address is active, then try to take it over later through password reset attacks.
3. Preserve evidence before deleting anything
Evidence disappears quickly online. Do not rely only on memory.
Save:
- the full email message;
- screenshots showing the sender, subject, date, and time;
- the account name or username created;
- the platform or app involved;
- verification codes or OTPs received;
- password reset emails;
- receipts, invoices, loan notices, or collection messages;
- customer support replies;
- IP address or login location shown in alerts, if available;
- transaction IDs or reference numbers.
For emails, keep the original message if possible. Screenshots are helpful, but the original email header may contain technical details that investigators or the company can review.
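The header details mentioned above can be recorded in a repeatable way. The following is an added example, not part of the original article: it hashes a saved original message so you can later show the file was not altered, and pulls out the header fields a company or investigator is likely to ask about. The sample message, its domains, and its addresses are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample message (not a real email). In practice, read the bytes
# of the original .eml file exported from your mail client.
SAMPLE_EML = (
    b"Return-Path: <bounce@mail.example-app.test>\r\n"
    b"Received: from mx.example-app.test (mx.example-app.test [203.0.113.25])\r\n"
    b"\tby mx.mailhost.test with ESMTPS id abc123;\r\n"
    b"\tMon, 01 Jun 2026 20:15:02 +0800\r\n"
    b"Authentication-Results: mx.mailhost.test;\r\n"
    b"\tspf=pass smtp.mailfrom=mail.example-app.test;\r\n"
    b"\tdkim=pass header.d=example-app.test;\r\n"
    b"\tdmarc=pass header.from=example-app.test\r\n"
    b"From: Example App <no-reply@example-app.test>\r\n"
    b"To: owner@mailhost.test\r\n"
    b"Subject: Verify your account\r\n"
    b"Date: Mon, 01 Jun 2026 20:15:00 +0800\r\n"
    b"Message-ID: <constructed-0001@example-app.test>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Confirm: https://example-app.test/verify?t=PLACEHOLDER\r\n"
)


def summarize_evidence(raw: bytes) -> dict:
    """Return a small evidence record for one saved email (.eml bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)

    # Authentication-Results is written by the receiving mail server; rely on
    # the one added by your own provider, not on copies set by the sender.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    checks = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        checks[mech] = m.group(1) if m else "absent"

    # Each relay adds a Received line; bracketed values are relay IP addresses.
    received = [str(v) for v in msg.get_all("Received", [])]
    relay_ips = [ip for r in received
                 for ip in re.findall(r"\[([0-9A-Fa-f:.]+)\]", r)]

    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # List link hosts without opening them, and flag any that are neither the
    # sender's domain nor one of its subdomains.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {urlsplit(u).hostname or ""
             for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    off_domain = sorted(h for h in hosts
                        if h != from_domain and not h.endswith("." + from_domain))

    date_hdr = msg.get("Date")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # fingerprint of the original file
        "message_id": str(msg.get("Message-ID", "")),
        "date": parsedate_to_datetime(str(date_hdr)).isoformat() if date_hdr else None,
        "from_domain": from_domain,
        "auth": checks,
        "relay_ips": relay_ips,
        "off_domain_links": off_domain,
    }


if __name__ == "__main__":
    for key, value in summarize_evidence(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Keep the untouched original file alongside this record; the hash is only useful if the file it was computed from is preserved unchanged.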
4. Contact the platform and ask for account closure or correction
Send a clear report through the platform’s official support channel.
Use direct language:
- “I did not create this account.”
- “My email address was used without my consent.”
- “Please disable or remove my email address from the account.”
- “Please preserve logs and registration data because this may involve identity misuse.”
- “Please confirm in writing that my email address has been removed or the account has been closed.”
Ask for a case number or ticket number. If the platform is in the Philippines or processes personal information of people in the Philippines, you may also ask for its Data Protection Officer or privacy contact.
5. Do not reset the password just to enter the account unless necessary
Many people are tempted to click “forgot password” and take over the account. That may be understandable, but it can create complications.
If you enter the account, the platform may later treat the account as yours. It can also affect evidence because login records may now show your access.
A safer approach is usually:
- report the account as unauthorized;
- ask the company to lock or close it;
- ask them to preserve records;
- avoid interacting with the account except through formal support channels.
If the account is actively harming you, such as posting scams under your identity or making purchases, document the situation carefully before taking protective action.
When to Report to Authorities in the Philippines
Not every mistaken email registration needs a police report. But you should consider formal reporting if any of these are present:
- your full name, photo, ID, address, phone number, or birthday was used;
- the account involves money, loans, e-wallets, banking, remittances, cards, or credit;
- you received collection notices;
- someone is using the account to scam others;
- you are being harassed or blackmailed;
- the platform refuses to act;
- you suspect your government ID, SIM, email, or phone number has been compromised;
- there are repeated attempts across several platforms.
Where to Report
| Situation | Office or agency to consider | Practical notes |
|---|---|---|
| Online identity theft, phishing, scam accounts, cyber fraud | NBI Cybercrime Division or PNP Anti-Cybercrime Group | Bring evidence and valid ID; online forms may still require follow-up |
| Unauthorized use or processing of personal data | National Privacy Commission | Complaint-affidavit generally needs proper form and notarization |
| Bank, e-wallet, lending, remittance, or other BSP-supervised financial account | Financial institution first, then BSP Consumer Assistance Mechanism | BSP normally expects you to report first to the institution |
| Fraud involving a company, online lending app, investment platform, or securities | SEC, BSP, NPC, NBI/PNP depending on facts | More than one agency may be relevant |
| Identity misuse abroad affecting a Philippine account | Platform, Philippine authorities, and possibly foreign law enforcement | Documents from abroad may need apostille or consular authentication |
The NBI website lists its Cybercrime Division among its divisions and services, and its Citizens’ Charter page for computer crime victims describes complaint filing through the division or regional cybercrime centers. (National Bureau of Investigation)
The DOJ Office of Cybercrime coordinates cybercrime-related matters and identifies the NBI and PNP cybercrime units as key law enforcement authorities under the Cybercrime Prevention Act’s framework. (Department of Justice)
How to File a Cybercrime or Identity Misuse Complaint
Step 1: Prepare your evidence folder
Organize everything before going to NBI, PNP, or the company.
Include:
- government-issued ID;
- screenshots;
- original emails, if available;
- printed copies of emails and support tickets;
- URLs of the account or profile;
- usernames, phone numbers, account numbers, or reference numbers;
- timeline of events;
- proof that the email address belongs to you;
- proof of financial loss, if any;
- proof of reputational harm, if any;
- written response from the platform, bank, or e-wallet.
A timeline is very useful. Use this format:
| Date and time | What happened | Evidence |
|---|---|---|
| June 1, 2026, 8:15 PM | Received account verification email from app | Screenshot, original email |
| June 1, 2026, 8:20 PM | Checked app website manually; did not verify account | Browser screenshot |
| June 2, 2026, 10:00 AM | Sent support request asking for account removal | Ticket number |
| June 4, 2026, 3:30 PM | Received another OTP | Screenshot |
| June 5, 2026 | Filed report with bank/platform/NBI/PNP | Acknowledgment receipt |
Step 2: Request preservation of logs
Online evidence can disappear. Under RA 10175, service providers may be required to preserve computer data, and the law includes rules on preservation of traffic data, subscriber information, and content data. The Supreme Court’s Rule on Cybercrime Warrants also governs procedures involving preservation, disclosure, search, seizure, and examination of computer data; it took effect on August 15, 2018. (Lawphil)
As an ordinary complainant, you usually cannot force a platform to disclose another user’s registration details directly to you. But you can ask the platform to preserve logs and provide them to law enforcement or upon lawful order.
Step 3: File with the proper law enforcement unit
For cybercrime matters, reports are commonly brought to:
- NBI Cybercrime Division;
- NBI regional or district offices with cybercrime capability;
- PNP Anti-Cybercrime Group or regional anti-cybercrime units;
- local police station for blotter or initial documentation, especially if urgent.
A police blotter is not the same as a full cybercrime investigation, but it can help document that you reported the issue on a certain date.
Step 4: Execute a complaint-affidavit if required
For formal criminal complaints, you may need a complaint-affidavit. This is a sworn written statement explaining what happened, what law may have been violated, and what evidence supports your complaint.
Typical contents include:
- your full name, address, and contact details;
- statement that you own or control the email address;
- explanation that you did not create or authorize the account;
- identity of the suspect, if known;
- platform or account involved;
- timeline of events;
- financial or reputational harm;
- list of attached evidence;
- verification under oath.
A complaint-affidavit is usually notarized if filed with an agency or prosecutor’s office. Bring original IDs and copies of attachments.
If the Account Is a Bank, E-Wallet, Loan, or Payment Account
This is more urgent because it can affect money, credit, collections, and future fraud checks.
Report first to the financial institution
For BSP-supervised institutions such as banks, e-money issuers, remittance companies, and many payment service providers, report the matter first to the company’s official consumer assistance channel. The Bangko Sentral ng Pilipinas explains that new complaints should first be reported to the institution’s Financial Consumer Protection Assistance Mechanism before escalation to BSP’s Consumer Assistance Mechanism. (Bangko Sentral ng Pilipinas)
Ask the institution to:
- freeze or close the unauthorized account;
- confirm whether your name, ID, phone number, address, or selfie was used;
- preserve KYC documents and login logs;
- prevent further transactions;
- investigate possible identity theft;
- issue a written confirmation that the account was not opened by you.
Escalate to BSP if unresolved
If the bank, e-wallet, or financial institution does not respond properly, you may escalate through BSP consumer assistance channels. BSP lists consumer assistance channels including email and other escalation methods for concerns involving supervised financial institutions. (Bangko Sentral ng Pilipinas)
Keep copies of:
- your complaint to the institution;
- its reply or lack of reply;
- ticket numbers;
- account numbers or masked account identifiers;
- evidence of unauthorized use;
- any collection message or debit notice.
Do not pay a debt you do not recognize just to “make it go away”
If a lending app, postpaid provider, or collector contacts you about an account opened using your email, ask for verification in writing. Paying without written clarification can be interpreted as acknowledgment of the account or debt.
Instead, dispute it clearly:
- “I deny opening this account.”
- “I deny authorizing use of my email or personal information.”
- “Please provide the application record, KYC details, device logs, IP logs, and basis for linking this account to me.”
- “Please mark this account as disputed while your investigation is pending.”
Filing a Data Privacy Complaint with the National Privacy Commission
If your concern is mainly unauthorized use of your personal data, refusal to delete or correct your email, or continued processing after notice, the National Privacy Commission may be relevant.
The NPC states that a formal complaint must follow a specific format, including downloading and filling out the complaint form, notarizing it, and submitting it in person, by courier, or by scanned email. The NPC also implemented a new Complaint-Affidavit template effective July 1, 2025. (National Privacy Commission)
When an NPC complaint may make sense
Consider the NPC route when:
- the company refuses to remove your email from an account you did not create;
- your personal information was collected without consent or other lawful basis;
- your ID, selfie, phone number, or address was used;
- the platform continues sending personal account information to your email;
- the company ignores your data privacy request;
- your data was maliciously disclosed or misused.
What to prepare for an NPC complaint
| Requirement | Practical tip |
|---|---|
| Complaint-affidavit | Use the current NPC template; have it notarized |
| Valid ID | Bring government-issued ID and copies |
| Evidence | Emails, screenshots, tickets, account notices |
| Prior communication | Show that you contacted the company or Data Protection Officer |
| Explanation of harm | Describe privacy risk, harassment, fraud, financial exposure, or distress |
| Relief requested | Deletion, correction, blocking, investigation, or other appropriate action |
Special Issues for OFWs, Foreigners, and People Outside the Philippines
If you are outside the Philippines, the problem can be harder because Philippine agencies may require sworn documents, IDs, and sometimes personal appearance.
If you are an OFW or Filipino abroad
You can usually start by:
- reporting to the platform online;
- preserving evidence;
- contacting your bank or e-wallet through official overseas channels;
- preparing a sworn statement before a Philippine embassy/consulate or a local notary, depending on the receiving agency’s requirements;
- authorizing a trusted representative in the Philippines through a Special Power of Attorney, if personal filing is difficult.
Documents executed abroad may need an apostille if the country is part of the Apostille Convention, or consular authentication if not. Agencies and banks may have their own requirements, so confirm before sending originals.
If you are a foreigner
Foreigners can report cybercrime or data privacy concerns in the Philippines when the act, platform, victim, evidence, or effect has a Philippine connection.
Prepare:
- passport bio page;
- proof that you own the email address;
- visa or Philippine address, if relevant;
- screenshots and original emails;
- platform support records;
- notarized or apostilled statement if filing from abroad;
- Special Power of Attorney if someone will file or follow up for you in the Philippines.
A foreign complainant may face practical delays if documents are not properly authenticated or if the platform is overseas and records must be requested through cross-border legal channels.
Common Mistakes to Avoid
Clicking “verify” to see what happens
This may activate the account and make the problem worse.
Deleting the emails immediately
You may destroy useful evidence. Archive the emails instead.
Replying angrily to suspicious senders
If the email is phishing, replying confirms your email is active.
Using the account as if it were yours
Logging in, changing details, or using credits may blur the issue. Keep your actions defensive and well-documented.
Posting accusations online without proof
If you name a suspect publicly and you are wrong, you may expose yourself to defamation issues, including cyber libel risk under Philippine law.
Ignoring small “welcome” emails
One email may be harmless. Several emails from banks, e-wallets, loan apps, OTP systems, or password resets are warning signs.
What to Say When Reporting the Unauthorized Account
You can use this concise wording when contacting a platform, bank, e-wallet, or app:
I am the owner of the email address used in this account. I did not create, authorize, verify, or consent to the creation of this account. Please immediately disable or remove my email address from the account, preserve registration logs and related records, and confirm in writing what personal information was used. If any financial product, transaction, loan, wallet, card, or paid service is connected to this account, please mark it as disputed and investigate possible identity misuse.
For a privacy request, add:
I object to the continued processing of my personal information for this unauthorized account and request appropriate correction, blocking, deletion, or other action under the Data Privacy Act of 2012.
Frequently Asked Questions
Can someone legally use my email address to create an account?
Not if they intentionally use your email to impersonate you, hide their identity, commit fraud, process your personal information without authority, or expose you to harm. A simple typo may not be illegal, but deliberate misuse can involve cybercrime, data privacy violations, civil liability, or fraud-related laws.
Should I click the verification link to close the account?
Usually, no. Clicking the verification link may activate the account. Go directly to the company’s official website or app and report the unauthorized use through official support channels.
Can I ask the company to delete my email from the account?
Yes. You can ask the company to remove, correct, block, or delete your email address if it is being processed without authority. If the company ignores a valid privacy concern, you may consider filing with the National Privacy Commission.
What if the account was opened with an e-wallet or online lending app?
Report it immediately to the e-wallet, bank, or lender through official channels. Ask them to freeze or close the unauthorized account, preserve KYC records, and mark any loan or transaction as disputed. If unresolved, consider escalation to BSP, NPC, NBI, or PNP depending on the facts.
Can I file a police report even if I lost no money?
Yes, especially if your identity, email, phone number, ID, or personal data was used. Lack of financial loss does not automatically mean there is no violation. However, investigators will usually prioritize cases with clear identity misuse, fraud, threats, harassment, or financial risk.
Is an email address considered personal information under Philippine law?
It can be. An email address is personal information when it can identify you directly or when combined with other information such as your name, phone number, account records, employer, address, or government ID.
What if the company says it cannot tell me who created the account?
That is common. Due to privacy and security rules, companies may refuse to disclose another user’s registration details directly to you. However, they can still remove your email, lock the account, investigate internally, preserve logs, and provide information to law enforcement under proper legal process.
Should I file with NBI or PNP Anti-Cybercrime Group?
Either may be appropriate for cybercrime-related identity misuse. In practice, choose the office that is accessible to you and has cybercrime handling capability. Bring organized evidence, valid ID, and a clear timeline.
Can I sue for damages if my reputation or finances were affected?
Possibly. Civil Code provisions on good faith, unlawful injury, and damages may apply if you can prove wrongful conduct, damage, and a causal link. If the misuse also involved criminal fraud or cybercrime, civil liability may be pursued in connection with the criminal case or through a separate civil action, depending on strategy and procedure.
What if this happened because of a typo?
Ask the platform to remove your email from the account. If there is no use of your name, no fraud, no personal data beyond the email address, and no repeated misuse, it may be resolved as a customer support and privacy correction issue rather than a criminal complaint.
Key Takeaways
- Treat an unauthorized account using your email as a potential identity and data privacy issue, especially if money, loans, e-wallets, IDs, or OTPs are involved.
- Do not click verification links unless you are sure the account is yours.
- Secure your email account immediately by changing your password, enabling two-factor authentication, and checking recovery settings.
- Preserve evidence before deleting emails or contacting the platform.
- Report the unauthorized account to the platform and ask for removal, account closure, and preservation of logs.
- For cybercrime or identity misuse, consider reporting to NBI Cybercrime Division or PNP Anti-Cybercrime Group.
- For unauthorized processing of personal information, the National Privacy Commission may be the proper agency.
- For bank, e-wallet, loan, remittance, or payment-related accounts, report first to the financial institution and escalate to BSP if unresolved.
- OFWs and foreigners should prepare properly authenticated documents if filing from abroad.
- A simple typo may be harmless, but repeated or intentional use of your email can become a serious legal and practical problem.