What to Do If Someone Opens Online Accounts Using Your Email Address

If someone is opening online accounts using your email address, treat it as more than an annoyance. It may be a simple typo, but it can also be the first sign of identity misuse, phishing, fraud, harassment, loan-app activity, or an attempt to create a digital trail under your name. In the Philippines, your response should combine practical account-security steps, evidence preservation, platform reporting, and—when the facts justify it—complaints under cybercrime, data privacy, consumer protection, or civil law.

Why someone may be using your email address

Not every unauthorized account created with your email is automatically a criminal case. The right response depends on what actually happened.

Common situations include:

Situation What it usually means Level of concern
Someone mistyped their own email Accidental signup, often for shopping, newsletters, or delivery apps Low, but still ask the platform to remove your email
A company accepted your email without verification Poor account-verification practice by the platform Possible data privacy concern
Someone used your email plus your name, phone, photo, ID, or address Possible identity misuse Higher concern
You receive loan, e-wallet, bank, delivery, or OTP notices you did not request Possible fraud or account takeover attempt Urgent
You receive password-reset or login alerts from multiple sites Possible credential stuffing, phishing, or email-bombing Urgent
The account is used to scam, threaten, defame, or harass others Possible cybercrime and civil liability exposure Urgent

The key question is not just “Did they use my email?” but what else did they use, what account was created, and what damage or risk resulted?

Is an email address personal information under Philippine law?

Yes, in many cases. Under the Data Privacy Act of 2012, Republic Act No. 10173, personal information includes information from which a person’s identity is apparent or can reasonably and directly be ascertained. An email address that identifies you, is linked to your account, or is used with your name, phone number, address, ID, or transaction history can fall within that protection. RA 10173 states the policy of protecting personal information in government and private information systems. (National Privacy Commission)

This matters because companies that collect and process your email address—online stores, apps, lenders, platforms, telecom-related services, travel sites, booking apps, and subscription services—generally have data privacy duties. They should process personal data fairly and lawfully, use reasonable security measures, and respond properly when a data subject reports misuse.

Legal basis in the Philippines

Cybercrime Prevention Act: RA 10175

The Cybercrime Prevention Act of 2012, Republic Act No. 10175, is the main Philippine law for many online identity and account-misuse situations. It penalizes several cybercrime offenses that may become relevant depending on the facts.

The most relevant provisions are:

  • Computer-related identity theft — intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another, without right. This is often the closest fit when someone intentionally uses your identifying information online. (Lawphil)
  • Illegal access — relevant if the person did not merely type your email into a signup form but actually entered your email account, app account, cloud account, or device without authority.
  • Computer-related fraud — relevant if the account was used to cause damage, obtain money, deceive a platform, or transact under false pretenses.
  • Computer-related forgery — relevant if electronic data was inputted or altered so that it appeared authentic and was intended to be used for legal purposes.

A practical example: if someone creates a shopping account using only your email because they mistyped theirs, that may not be cybercrime. But if someone creates an e-wallet, loan, marketplace, or social media account using your email, name, ID, photo, or address to transact, borrow, scam, or impersonate you, the facts become much more serious.

Data Privacy Act: RA 10173

The Data Privacy Act may apply in two ways.

First, the person who used your email may have misused personal information. Second, the company that allowed the account to be created may have failed to verify, secure, correct, block, or delete inaccurate personal data after notice.

The National Privacy Commission recognizes a data subject’s right to file a complaint when personal information has been misused, maliciously disclosed, improperly disposed of, or when data privacy rights have been violated. (National Privacy Commission)

For formal complaints, the NPC requires a specific complaint format. Its published process says the complaint form should be printed, filled out, notarized, and submitted in person, by courier, or by scanned email. (National Privacy Commission)

Civil Code rights to privacy, peace of mind, and damages

Even when the conduct does not neatly fit a criminal offense, the Civil Code may support a civil claim.

Articles 19, 20, and 21 of the Civil Code require people to act with justice, give everyone their due, observe honesty and good faith, and compensate another person for damage caused contrary to law, morals, good customs, or public policy. (Supreme Court E-Library)

Article 26 also protects dignity, personality, privacy, and peace of mind. It recognizes that certain acts may create a cause of action for damages, prevention, or other relief even if they are not criminal offenses. (Lawphil)

This can matter if repeated account creation causes harassment, reputational harm, collection calls, missed work, anxiety, or difficulty clearing your name.

Revised Penal Code and special laws

Other laws may apply depending on the account involved:

Facts Possible legal basis
Someone used forged IDs, documents, or declarations Revised Penal Code provisions on falsification may become relevant
Someone used the account to deceive people into sending money Estafa under the Revised Penal Code may be considered
Someone used an access device, credit card, debit card, account number, or similar financial credential RA 8484, the Access Devices Regulation Act of 1998, as amended by RA 11449, may apply (Lawphil)
Someone registered or used a SIM with false identity details RA 11934, the SIM Registration Act, may be relevant if a SIM—not merely an email—was involved (Lawphil)
A bank, e-wallet, remittance, or other BSP-supervised financial institution is involved The provider’s internal consumer assistance mechanism should be used first, then unresolved complaints may be escalated through BSP consumer assistance channels (Bangko Sentral ng Pilipinas)
An unauthorized loan appears in your credit history You may need to dispute the record with the lender and through the Credit Information Corporation’s Online Dispute Resolution System (Credit Information Corporation (CIC))

What to do immediately

1. Do not ignore the first notice

A single “Welcome” email may look harmless, but it can be useful evidence. Do not automatically delete it.

Save:

  • the sender’s email address;
  • date and time received;
  • subject line;
  • full message body;
  • full headers, if available;
  • account username or partial phone number shown;
  • verification links, but do not click suspicious links;
  • any IP address, device, location, or login alert shown;
  • screenshots showing the full screen, URL, and timestamp.

If you later file with a platform, the National Privacy Commission, PNP Anti-Cybercrime Group, NBI Cybercrime Division, or a prosecutor’s office, a clean timeline is much more useful than scattered screenshots.

2. Secure your own email account first

Before dealing with the fake or unauthorized account, make sure your actual email is not compromised.

Do these immediately:

  1. Change your email password using the official website or app.
  2. Turn on two-factor authentication or passkeys.
  3. Sign out of all other devices.
  4. Review account recovery email addresses and phone numbers.
  5. Check mail-forwarding rules, filters, delegated access, connected apps, and app passwords.
  6. Review recent login activity.
  7. Change passwords for important accounts that use the same email, especially banking, e-wallets, government portals, cloud storage, social media, and shopping apps.

This step matters because if the wrongdoer has access to your email inbox, they may be able to reset passwords, intercept OTPs, delete warnings, or take over accounts.

3. Do not “take over” the account just to snoop

Many people are tempted to click “forgot password,” enter the account, and look around. Be careful.

If the account contains another person’s private information, orders, addresses, messages, medical data, loan details, or payment information, entering and browsing may create legal and privacy issues. A safer approach is:

  • use the platform’s “This wasn’t me,” “Report account,” or “I did not create this account” function;
  • ask the platform to unlink your email;
  • ask the platform to suspend or lock the account while it investigates;
  • avoid viewing more data than necessary;
  • avoid changing details unless the platform specifically instructs you through an official recovery process.

The goal is to stop misuse and preserve evidence, not to create a new dispute about unauthorized access.

4. Report it to the platform in writing

Send a written report to the company or app. Use the official help center, privacy contact, Data Protection Officer contact, or support email.

Include:

  • your email address that was used;
  • date and time you received the notice;
  • statement that you did not create, authorize, or verify the account;
  • request to unlink or remove your email from the account;
  • request to preserve relevant logs;
  • request not to disclose your personal data to the account creator;
  • request for written confirmation of action taken.

A practical message can look like this:

I received a notice that an account was created using this email address. I did not create, authorize, or verify that account. Please immediately unlink this email address, suspend or restrict the account if appropriate, preserve relevant signup and login logs, and confirm in writing what action was taken. Please do not disclose my personal information to the account creator.

For Philippine companies or companies processing data of persons in the Philippines, it is reasonable to mention RA 10173 and ask for the matter to be referred to the Data Protection Officer.

5. Preserve evidence properly

Electronic evidence is allowed in Philippine proceedings, but it must be presented and authenticated properly. The Rules on Electronic Evidence provide that electronic documents are admissible if they comply with the Rules of Court and related laws. (Lawphil)

Practical preservation tips:

  • Keep original emails in your inbox or archive.
  • Download copies as .eml or PDF when possible.
  • Take screenshots showing the full URL and timestamp.
  • Do not crop out sender details, dates, or headers.
  • Save links but avoid clicking suspicious ones.
  • Record a short timeline in a document.
  • Keep proof that the email account belongs to you.
  • Keep all platform replies.
  • If money was lost, save receipts, transaction IDs, bank/e-wallet references, and chat logs.

For serious cybercrime investigations, law enforcement may need subscriber data, traffic data, or platform records. The Supreme Court’s Rule on Cybercrime Warrants provides procedures for warrants involving preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data. (Office of the Court Administrator)

This is why early reporting matters. Some platforms keep logs only for limited periods.

Where to report in the Philippines

For simple mistaken signup

Start with the platform. Ask it to remove your email and block further account activity unless the email is verified.

No government complaint is usually needed when:

  • there is no use of your name, ID, address, phone, photo, or financial details;
  • there is no fraud, harassment, or transaction;
  • the platform removes your email promptly;
  • the event appears accidental.

For data privacy concerns

Consider the National Privacy Commission when:

  • a company refuses to remove your email from an account you did not create;
  • your personal data is visible to another person;
  • the platform keeps sending account, transaction, loan, delivery, or private information to your email;
  • your request for correction, deletion, blocking, or restriction is ignored;
  • the company mishandles your report.

A formal NPC complaint must follow the NPC format and be notarized. The NPC’s published filing process allows submission in person, by courier, or by scanned email. (National Privacy Commission)

The NPC fee schedule under NPC Circular No. 2023-01 lists a filing fee for complaints of PHP 500, with additional fees for claims of damages depending on the amount claimed. (National Privacy Commission)

For cybercrime or fraud

Report to law enforcement when there is evidence of:

  • identity theft;
  • account takeover;
  • hacking or unauthorized access;
  • phishing;
  • scams;
  • fake loan or e-wallet accounts;
  • threats, extortion, or harassment;
  • use of your name, ID, photo, signature, address, or phone number;
  • financial loss;
  • other victims contacting you because they were scammed.

The main offices commonly involved are:

Office When it may help Notes
PNP Anti-Cybercrime Group Cybercrime complaints, online scams, account misuse, digital evidence concerns Reports may be filed through official ACG channels or the nearest appropriate unit
NBI Cybercrime Division Cybercrime investigation, identity misuse, fraud, more complex digital cases The NBI lists a Cybercrime Division on its official divisions page (National Bureau of Investigation)
DOJ Office of Cybercrime Policy, coordination, cybercrime-related functions, and contact point for cybercrime concerns DOJ’s Office of Cybercrime page and contact page identify its Manila office and official contact details (Cybercrime Office)
CICC / I-ARC 1326 Quick reporting channel for online scams and cyber fraud guidance DICT/PIA materials describe 1326 as a government hotline for online scams and related cybercrime reports (Philippine Information Agency)
City or Provincial Prosecutor’s Office Formal criminal complaint after evidence gathering A sworn complaint-affidavit and supporting documents are usually required

For many victims, the practical route is: secure accounts → preserve evidence → report to platform → report to PNP ACG or NBI if fraud/identity theft is involved → file a prosecutor-level complaint when evidence is sufficient.

Documents to prepare

For a serious complaint, prepare a clean file folder, both digital and printed.

Document or evidence Why it matters
Government ID Establishes your identity
Proof you own the email address Shows the email used belongs to you
Screenshots of unauthorized signup notices Shows when and where the account was created
Full email headers or original email files Helps trace sender and platform details
Platform replies Shows you reported and what action was taken
Timeline of events Helps investigators understand the sequence
Affidavit-complaint Required for many formal complaints
Proof of damage Needed if money, reputation, credit record, or work was affected
Bank/e-wallet/loan records Important for financial fraud
Credit report or disputed account record Useful if a loan or credit facility was opened
Special Power of Attorney Useful if someone files or follows up for you

Affidavits filed with agencies or prosecutors are usually notarized. If you are outside the Philippines, documents may need to be executed before a Philippine Embassy or Consulate, or notarized abroad and apostilled if the country is part of the Apostille Convention. If the country is not an Apostille country, consular authentication may still be needed depending on the document and office involved.

Practical timelines and bottlenecks

There is no single timeline because platform response, law enforcement investigation, prosecutor review, and court processes move differently.

Stage Typical practical timing Common bottleneck
Securing your email Same day User delays, reused passwords, missing recovery access
Platform report Same day to a few weeks Automated replies, no local support, weak escalation path
DPO or privacy request A few days to several weeks Company asks for identity verification
NPC complaint preparation Several days Notarization, organizing evidence, fees
PNP/NBI intake Same day to a few weeks Need for clearer evidence or in-person appearance
Cybercrime investigation Weeks to months Platform records, foreign service providers, technical logs
Prosecutor preliminary investigation Months, depending on docket and complexity Respondent identity, subpoenas, affidavits, counter-affidavits
Court case Often lengthy Trial schedule, evidence authentication, witnesses

The most common mistake is waiting too long. By the time a victim files, the platform may have already deleted logs, the account may be closed, or the wrongdoer may have moved to another email or device.

Special situations

Someone used my email for a loan app

This is urgent. Save all notices, demand letters, texts, emails, call logs, and app messages. Report the issue to the lender’s official support or Data Protection Officer and demand written confirmation that you did not create the account.

If a bank, e-wallet, financing company, or other regulated financial institution is involved, complain first through that institution’s official consumer assistance channel. BSP guidance for financial consumers generally requires reporting first to the institution’s Financial Consumer Protection Assistance Mechanism before escalation to BSP consumer assistance channels. (Bangko Sentral ng Pilipinas)

If the loan appears in your credit report, use the Credit Information Corporation dispute process. The CIC describes its Online Dispute Resolution System as an online process for resolving disputes with minimum contact. (Credit Information Corporation (CIC))

Someone used my email for an e-wallet or bank account

Immediately report it through the official fraud channel of the bank or e-wallet. Ask them to:

  • freeze or restrict the account if appropriate;
  • confirm that you are not the account holder;
  • preserve KYC documents, device logs, mobile number, and transaction records;
  • correct or delete your email from the account;
  • issue a written reference number.

Do not rely only on chat support. Use email or ticket systems where you can keep a dated written record.

Someone used my email for social media or dating apps

Report impersonation through the platform. If your name, photos, or personal details were used, collect screenshots of the profile, URL, username, visible posts, messages, and dates.

If the account is used to threaten, extort, spread intimate images, scam people, or damage your reputation, the matter can become more serious than a privacy complaint. Cybercrime, violence-related laws, anti-photo/video voyeurism rules, or civil damages may become relevant depending on the content and conduct.

Someone used my email but not my name

This may still be a problem, but it is usually weaker as an identity-theft complaint unless there is intent, damage, or other identifying information used. Start with platform removal and documentation. If the platform keeps processing your email after notice, the data privacy angle becomes stronger.

I am overseas but the account or company is in the Philippines

You can still collect evidence, contact the platform, and submit reports remotely where accepted. For formal Philippine proceedings, expect practical requirements such as:

  • notarized affidavits;
  • apostilled or consularized documents if executed abroad;
  • copies of passport or government ID;
  • Special Power of Attorney if a representative in the Philippines will file or follow up;
  • possible online or in-person coordination with investigators.

Overseas Filipinos should check the nearest Philippine Embassy or Consulate for notarization or acknowledgment options. Foreigners dealing with Philippine platforms should keep proof of their identity, residence, and connection to the Philippine transaction or company.

Common mistakes to avoid

Deleting the emails

Those emails may be your best evidence. Archive them instead.

Clicking every link in the message

Some “account created” notices are phishing emails. Go to the platform’s official website or app directly instead of clicking links from suspicious emails.

Assuming it is harmless because no money was lost yet

RA 10175’s computer-related identity theft provision can still matter even when damage has not yet occurred, although the penalty may differ if no damage has been caused. (Lawphil)

Posting the person’s details online

Publicly posting suspected names, phone numbers, addresses, IDs, or screenshots may expose you to defamation, privacy, or harassment issues—especially if you are wrong or cannot prove the link.

Filing a vague complaint

A complaint saying “someone used my email” is often too thin. A stronger complaint explains:

  • when you found out;
  • what account was created;
  • what personal information was used;
  • why you did not authorize it;
  • what harm or risk resulted;
  • what the platform did or failed to do;
  • what evidence supports each point.

Waiting for the platform before securing your own email

Always secure your email first. Platform response can take time.

Frequently Asked Questions

Is it illegal to create an account using someone else’s email in the Philippines?

It depends on the facts. A mistaken email entry may not be criminal. But intentionally using another person’s email together with identifying information, or using it for fraud, impersonation, harassment, or unauthorized transactions, may trigger RA 10175, RA 10173, civil liability, or other laws.

Can I file a cybercrime complaint if there was no money lost?

Yes, if the facts show possible cybercrime such as computer-related identity theft, unauthorized access, fraud attempt, or misuse of identifying information. Lack of financial loss may affect the strength, urgency, or penalty, but it does not automatically mean there is no case.

Should I click “forgot password” and delete the account myself?

Usually, avoid entering and browsing the account unless the platform’s official process instructs you to do so. Use the platform’s report or privacy channel and ask them to unlink your email, suspend the account if appropriate, and preserve logs.

What if the platform refuses to remove my email?

Send a written follow-up to its support team and Data Protection Officer. Ask for correction, blocking, deletion, or restriction of the email address from an account you did not create. If the company still refuses or ignores the request, a formal complaint with the National Privacy Commission may be appropriate.

Can I report this to the barangay?

A barangay blotter can help document harassment or local disputes, especially if you know the person and both parties are in the same city or municipality. But barangays generally cannot investigate cyber logs, compel platforms to disclose data, or handle cybercrime evidence the way PNP ACG, NBI, prosecutors, or courts can.

What office should I go to first: PNP, NBI, NPC, or the platform?

For simple unauthorized signup, start with the platform. For personal data mishandling by a company, consider the NPC route. For fraud, identity theft, hacking, threats, or scams, report to PNP ACG or NBI. For bank, e-wallet, or credit issues, report to the financial institution first and escalate through BSP or CIC channels when appropriate.

What evidence is most important?

The strongest evidence usually includes the original email notice, full headers, screenshots with URLs and timestamps, proof that you own the email, platform responses, transaction records, and a clear timeline. For fraud or loan cases, include bank, e-wallet, loan, credit report, and collection records.

Can foreigners file complaints in the Philippines?

Yes, if the incident has a Philippine connection, such as a Philippine company, Philippine account, Philippine transaction, Philippine victim, or Philippine-based offender. Foreign documents may need apostille or consular authentication, and a local representative may need a Special Power of Attorney.

Can I sue for damages?

Possibly, if you can prove wrongful conduct, damage, and causation. Civil Code provisions on good faith, unlawful or wrongful injury, and privacy may apply. In practice, damages claims require organized evidence of actual harm, such as financial loss, reputational injury, work disruption, collection harassment, or expenses incurred to fix the problem.

How fast should I act?

Act the same day you discover it. Secure your email immediately, preserve the evidence, report to the platform, and escalate quickly if money, loans, e-wallets, IDs, threats, or scams are involved. Digital logs can disappear, and delayed reporting makes investigation harder.

Key Takeaways

  • An online account opened using your email may be a typo, but it can also be identity misuse, fraud, or a data privacy issue.
  • Secure your own email first: change passwords, enable two-factor authentication, check recovery details, and review login activity.
  • Do not delete evidence. Save original emails, headers, screenshots, URLs, timestamps, platform replies, and transaction records.
  • Ask the platform in writing to unlink your email, suspend or restrict the account if appropriate, and preserve logs.
  • RA 10175 may apply to intentional online identity misuse, unauthorized access, fraud, or forgery.
  • RA 10173 may apply when personal information is misused or a company mishandles your correction, deletion, or blocking request.
  • For serious cases, prepare a notarized affidavit-complaint and report to the appropriate office, such as PNP ACG, NBI Cybercrime Division, NPC, BSP channels, CIC, or the prosecutor’s office.
  • If you are abroad, expect notarization, apostille or consular authentication, and possibly a Special Power of Attorney for a Philippine representative.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.