If someone used your business permits, DTI or SEC documents, BIR Certificate of Registration, mayor’s permit, or other business records to create an online account, marketplace account, bank or e-wallet account, ad account, supplier account, or customer-facing profile, treat it as both a business identity misuse problem and a possible legal case. The urgent goals are to stop the account from being used, preserve evidence before it disappears, protect your business registrations, and create a clear paper trail showing that you did not authorize the account.
Why This Is Serious
Business permits are not just “ordinary papers.” They identify your business name, registered address, owner or officers, tax registration, and sometimes your line of business. When another person uploads those documents to create an account, the account may look legitimate to platforms, banks, customers, suppliers, couriers, or government agencies.
This can expose you to problems such as:
- customers complaining against your business for transactions you never made;
- unpaid platform fees, loans, chargebacks, taxes, or deliveries linked to your business name;
- fake seller accounts using your permit to scam buyers;
- unauthorized e-wallet, payment gateway, or merchant accounts;
- misuse of your BIR, DTI, SEC, or LGU records;
- reputational damage if the fake account is reported online;
- investigation notices from platforms, banks, police, or government agencies.
A common real-world example is a former employee, virtual assistant, bookkeeper, business partner, franchisee, or supplier who still has copies of your permits and uses them to open an account. Another common scenario is a scammer who got your business documents from an online application, email thread, courier packet, uploaded proposal, or public listing and used them for verification.
Is It Illegal to Use Someone Else’s Business Permits to Create an Account?
Usually, yes, especially if the person used the permits without authority and represented that they were the owner, officer, authorized representative, merchant, or account holder.
The exact legal label depends on what happened:
| Situation | Possible legal issue |
|---|---|
| They used your permit or company details online without permission | Computer-related identity theft under the Cybercrime Prevention Act |
| They edited, forged, or submitted false permits or authorization letters | Falsification of documents under the Revised Penal Code |
| They used the account to collect money, borrow funds, sell fake products, or obtain goods | Estafa or fraud |
| They used your personal information, ID, TIN, address, or officer details | Data Privacy Act violation |
| They opened or used a bank, e-wallet, payment, or financial account using another’s identity or documents | Anti-Financial Account Scamming Act issue |
| A platform, bank, or payment provider ignored obvious red flags | Possible consumer, privacy, or regulatory complaint |
Under the Cybercrime Prevention Act of 2012, Republic Act No. 10175, computer-related identity theft includes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another, whether a natural person or a juridical person, without right. This is important because a corporation, partnership, or business entity can also be the subject of identity misuse. (Lawphil)
Key Philippine Laws That May Apply
Cybercrime Prevention Act: Computer-Related Identity Theft
If your permits were uploaded or used to create an online account, the case may fall under computer-related identity theft under RA 10175. The law expressly covers identifying information belonging to another, including a juridical person, which means companies and other legal entities may be covered, not only individuals. (Lawphil)
This may apply when someone:
- used your DTI business name certificate to create a seller account;
- uploaded your SEC Certificate of Incorporation to open a merchant account;
- used your mayor’s permit to pass platform verification;
- used your BIR Certificate of Registration to appear as a legitimate business;
- created an online account in your business name but controlled it themselves;
- changed the account email, mobile number, payout account, or contact details.
Revised Penal Code: Falsification and Estafa
If the person altered your permit, forged your signature, created a fake authorization letter, submitted false board resolutions, or made it appear that you authorized them, the Revised Penal Code may apply.
Article 171 of the Revised Penal Code lists acts of falsification by a public officer, employee, notary, or similar officer, such as counterfeiting or imitating handwriting, signatures, or rubrics. Article 172 covers falsification by private individuals and the use of falsified documents. (Lawphil)
If the fake account was used to obtain money, goods, credit, loans, deposits, customer payments, or other value, the case may also involve estafa. In Philippine criminal law, estafa by deceit generally involves a false pretense or fraudulent representation made before or at the time of the fraud, reliance by the victim, and resulting damage. The Supreme Court has repeatedly discussed these elements in cases involving Article 315 of the Revised Penal Code. (Supreme Court E-Library)
Data Privacy Act: Misuse of Personal Data Behind the Business
The Data Privacy Act of 2012, Republic Act No. 10173, protects personal information of natural persons. This matters even when the business itself is a corporation, because documents often contain personal data of owners, directors, officers, authorized representatives, employees, or sole proprietors.
For example, these may be personal data:
- owner’s full name;
- home or business address linked to an individual;
- mobile number and email address;
- government ID;
- TIN or other government-issued identifier;
- signature;
- passport details of a foreign incorporator or representative.
RA 10173 requires personal data processing to follow the principles of transparency, legitimate purpose, and proportionality. Unauthorized use of personal information for a purpose the data subject did not approve may trigger privacy remedies. (Lawphil)
Electronic Commerce Act: Screenshots, Emails, Logs, and Electronic Records Matter
Many victims think screenshots are “not legal evidence.” That is not correct. Under the Electronic Commerce Act of 2000, Republic Act No. 8792, electronic documents and data messages are legally recognized, and electronic documents may have the legal effect, validity, or enforceability of written documents if they meet the legal requirements for integrity, reliability, and authentication. (Lawphil)
This is why you should preserve:
- screenshots;
- emails;
- account verification messages;
- login alerts;
- platform ticket numbers;
- account URLs;
- transaction history;
- IP logs or device logs, if available;
- downloaded copies of the fake profile or listing;
- customer complaints;
- payout details shown on the platform.
Anti-Financial Account Scamming Act: If a Bank, E-Wallet, or Payment Account Was Created
If the account is a bank account, e-wallet, payment gateway, merchant acquiring account, remittance account, credit account, or similar financial account, the Anti-Financial Account Scamming Act, Republic Act No. 12010 of 2024, may be relevant.
RA 12010 covers financial accounts such as deposit accounts, credit card accounts, transaction accounts, e-wallets, and other accounts used for financial products or services. It treats opening a financial account under a fictitious name or using the identity or identification documents of another as a prohibited act or offense, depending on the circumstances. (Lawphil)
The law also gives the BSP authority to investigate financial accounts involved in prohibited acts, and it recognizes coordination with the NBI and PNP cybercrime units for cybercrime warrants and related enforcement. (Lawphil)
What to Do Immediately
1. Confirm What Account Was Created
Before filing complaints, identify the account as specifically as possible. Get the exact:
- account name;
- username or merchant name;
- account number, store ID, page ID, or profile URL;
- email address or phone number shown;
- platform, bank, payment processor, lending app, marketplace, or website;
- date you discovered it;
- how you discovered it;
- documents or permits that appear to have been used;
- transactions already made through the account.
Do not rely only on verbal reports. Ask the person who informed you to send screenshots, links, receipts, chat history, order numbers, payment references, or complaint messages.
2. Preserve Evidence Before Asking for Takedown
Many platforms remove accounts quickly once reported. That helps stop harm, but it can also destroy visible evidence. Before requesting takedown, save proof.
Preserve:
- Full-page screenshots showing the URL, date, and time.
- Screen recordings navigating from the platform homepage to the fake account.
- Copies of messages, receipts, order confirmations, payout references, and buyer complaints.
- The account’s listed business name, address, mobile number, email, bank account, and payout method.
- Any verification badge or “verified merchant” label.
- Copies of your genuine permits for comparison.
- Proof that you control the real business, such as DTI, SEC, BIR, BPLO, or board documents.
Avoid editing screenshots except for making backup copies. If you need to redact private information for sharing, keep the original unredacted file separately.
3. Send an Urgent Written Notice to the Platform or Institution
Report the account through the platform’s official fraud, legal, merchant verification, or privacy channel. Use written channels where possible so you have a record.
Your notice should clearly say:
- the account was created without authority;
- your business permits or documents were used without consent;
- you are the legitimate owner, proprietor, officer, or authorized representative;
- the platform should suspend or restrict the account while investigating;
- the platform should preserve KYC records, uploaded documents, login logs, IP logs, payout records, and transaction records;
- the platform should not release funds to the unauthorized account holder while the dispute is pending;
- you request a ticket number or written acknowledgment.
Be careful with wording. Do not say “my account” if it was never yours. Say “an unauthorized account using my business identity.”
4. Secure Your Business Registrations
Check whether the misuse is limited to one platform or whether your business identity has been used elsewhere.
| Office or system | What to check |
|---|---|
| DTI BNRS | Whether your sole proprietorship business name is still under your control; whether certificates were requested or cancelled |
| SEC | Whether your corporation or partnership details were copied, amended, or used in a complaint or filing |
| BIR RDO | Whether your registration, address, line of business, or tax filings show suspicious activity |
| LGU BPLO | Whether another person requested certifications, duplicate permits, or used your permit for related applications |
| Banks/e-wallets/payment processors | Whether merchant or payout accounts were opened using your documents |
| Marketplaces/social platforms | Whether duplicate seller pages or ad accounts exist |
The DTI’s BNRS portal provides business name services such as search, new registration, renewal, certification request, transaction inquiry, and cancellation. (BNRS) For corporations and partnerships, the SEC’s iMessage portal is an official channel for submitting tickets or complaints to the Securities and Exchange Commission. (Securities and Exchange Commission)
5. Prepare an Affidavit of Unauthorized Use
An affidavit is a sworn written statement. It is often required by platforms, banks, NBI, police, prosecutors, NPC, and sometimes LGUs.
Your affidavit should usually include:
- your full name, address, nationality, and role in the business;
- business name and registration details;
- copies or details of the permits misused;
- how and when you discovered the unauthorized account;
- why the account was not authorized;
- who had access to the documents, if known;
- actual damage or risk, such as customer complaints, collections, frozen funds, or reputational harm;
- a list of attached evidence;
- a request for investigation, account restriction, data preservation, or prosecution.
For a corporation, the complainant should normally be an authorized officer or representative. Prepare a secretary’s certificate, board resolution, or special power of attorney if the person signing is not clearly authorized in the company records.
Where to Report in the Philippines
NBI Cybercrime Division or Regional Cybercrime Center
The NBI Cybercrime Division handles investigative assistance for victims of computer crimes. Its Citizen’s Charter describes the process as involving complaint filing, preliminary interview and initial investigation, sworn statements or prepared affidavits, and collection of supporting documents; it also lists no fee for this listed service and gives a frontline processing estimate for the intake process. (National Bureau of Investigation)
Bring:
- valid ID;
- affidavit or sworn statement;
- genuine business permits;
- screenshots and links;
- proof of account misuse;
- communications with the platform or bank;
- customer complaints or transaction records;
- company authorization documents, if applicable.
PNP Anti-Cybercrime Group or Local Police Cybercrime Desk
You may also report to the PNP Anti-Cybercrime Group or the nearest police office with cybercrime capability. This is especially practical if you are outside Metro Manila or if the suspect is in your area.
For urgent fraud involving ongoing transactions, bring printed evidence and digital copies. Police investigators may ask for the device used to capture evidence, the original files, and the account links.
Office of the City or Provincial Prosecutor
For criminal prosecution, complaints are usually filed with the prosecutor’s office for preliminary investigation. The DOJ’s procedure for preliminary investigation requires documents such as the investigation data form and complaint-affidavit or sworn statement with supporting evidence. (Department of Justice)
In practice, the prosecutor’s office will look for a complete, organized file. A weak complaint often gets delayed because the investigating prosecutor needs clearer proof of:
- who the complainant is;
- what business identity was misused;
- what documents were used;
- how the account was created or used;
- what law was violated;
- what damage or risk resulted;
- why the respondent is connected to the act.
National Privacy Commission
If personal data was misused, especially IDs, signatures, addresses, officer information, or sole proprietor details, you may file with the National Privacy Commission.
The NPC’s filing procedure requires the formal complaint to be in a specific format, printed and filled out, notarized, and submitted to the NPC through available channels such as in person, courier, or scanned email submission. (National Privacy Commission)
A privacy complaint is especially relevant when:
- your ID or signature was uploaded;
- the platform processed your personal data without proper verification;
- a former employee or service provider misused documents obtained from your business;
- the platform refuses to correct or restrict obviously unauthorized data;
- your personal information is publicly exposed through the fake account.
BSP Consumer Assistance Mechanism
If the unauthorized account involves a BSP-supervised financial institution, bank, e-wallet, payment provider, or financial account, report first to the institution’s fraud or customer protection channel. If unresolved, the BSP says complaints may be escalated through the BSP Online Buddy or by submitting the appropriate Complaints, Inquiries and Requests form by email. (Bangko Sentral ng Pilipinas)
This matters when the account was used for:
- receiving customer payments;
- e-wallet cash-ins or cash-outs;
- merchant acquiring;
- QR payment acceptance;
- online lending;
- credit card processing;
- bank transfers;
- money mule activity.
Documents to Prepare
| Document | Why it matters |
|---|---|
| Valid government ID of complainant | Confirms identity |
| DTI Certificate, SEC documents, CDA documents, or business name registration | Proves legitimate business identity |
| BIR Certificate of Registration | Proves tax registration and official business details |
| Mayor’s permit or business permit | Proves LGU-recognized business operation |
| Barangay business clearance, if available | Supports business location |
| Affidavit of unauthorized use | Sworn narration of facts |
| Board resolution, secretary’s certificate, or SPA | Proves authority to act for a corporation or another person |
| Screenshots, URLs, account IDs, store IDs | Identifies the fake account |
| Emails or platform tickets | Shows notice and response |
| Customer complaints, invoices, receipts, payment references | Shows damage or transactions |
| Police blotter, NBI complaint sheet, or prosecutor filing receipt | Helps prove timely reporting |
| List of persons who had access to the documents | Helps investigators identify possible suspects |
For digital evidence, save both PDF printouts and original files. A screenshot printed on paper is useful, but investigators often want the original digital file because metadata, file creation dates, and source devices may matter later.
Practical Timeline
| Stage | Typical timing in practice |
|---|---|
| Evidence gathering | Same day to 3 days, depending on available screenshots and records |
| Platform fraud report | Same day; response may take 24 hours to several weeks |
| Bank/e-wallet fraud restriction | Often urgent, but depends on provider review |
| NBI or police intake | Often same day if documents are ready; investigation takes longer |
| NPC complaint preparation | Several days if affidavit, evidence, and notarization are needed |
| Prosecutor filing | Same day filing if complete; preliminary investigation may take months |
| Court case | Longer, depending on docket, evidence, respondent location, and complexity |
The biggest bottlenecks are usually incomplete screenshots, unclear authority to represent the business, missing notarized affidavits, and lack of information connecting the fake account to a specific person.
What If You Know Who Did It?
If the person is a former employee, contractor, bookkeeper, partner, co-founder, franchisee, relative, or supplier, preserve employment records, access logs, handover records, NDAs, email threads, and proof that they had copies of the permits.
Do not threaten them online. Do not post their name as a “scammer” unless you are prepared for a possible libel or cyberlibel dispute. Keep communications factual:
- “You are not authorized to use our business documents.”
- “Cease using the account immediately.”
- “Preserve all records, uploaded documents, payout information, messages, and transactions.”
- “Confirm in writing who created and controlled the account.”
If money was collected, ask for a written accounting. Do not sign any settlement, waiver, or acknowledgment that makes it appear you owned or approved the unauthorized account unless the wording is accurate.
What If the Platform Says the Account Passed Verification?
That does not automatically make the account lawful. A platform’s verification process only means the platform accepted the documents at that time. It does not prove that the person who uploaded them had authority.
Reply with proof of non-authorization, such as:
- notarized affidavit;
- current DTI, SEC, BIR, and BPLO documents;
- board resolution identifying the true authorized representative;
- official company email domain;
- police/NBI report or complaint receipt;
- screenshots showing wrong email, mobile number, address, payout account, or contact person;
- revocation letter if the person was formerly authorized.
Ask the platform to preserve its KYC records because the uploaded documents, timestamps, device data, phone number, email, bank account, and login records may identify the person who created the account.
What If You Are a Foreigner or Overseas Filipino Business Owner?
If you are outside the Philippines, you can still prepare a complaint file. The practical issue is document execution.
For affidavits, special powers of attorney, and sworn statements to be used in the Philippines, Philippine embassies and consulates commonly provide consular notarization for private documents such as affidavits and powers of attorney. (Philippine Embassy)
If you are using foreign public documents in the Philippines, check whether the document should be apostilled by the issuing country or otherwise authenticated. The DFA’s Apostille FAQs explain that Philippine apostille is for Philippine public documents for use abroad and that foreign documents cannot be apostillized by the DFA in the same way. (Apostille Philippines)
For foreign shareholders, directors, or officers, prepare:
- passport copy;
- proof of role in the Philippine entity;
- consularized or apostilled SPA, if appointing a Philippine representative;
- SEC documents showing corporate authority;
- notarized affidavit of non-authorization;
- evidence of overseas residence or travel if useful to show you could not have personally opened the account.
Common Mistakes to Avoid
Deleting messages or screenshots
Do not delete chats, emails, SMS messages, or platform notifications, even if they are embarrassing or incomplete. Investigators need the full timeline.
Reporting only by phone
Phone calls help in emergencies, but written reports create proof. Always ask for a ticket number, complaint number, email acknowledgment, or receiving copy.
Sending original permits to unknown people
Send watermarked copies when possible. Mark them “For verification of unauthorized account only” unless the government office or platform requires clean copies.
Admitting ownership of the fake account
When filling out platform forms, avoid wording that says “my account was hacked” if you never created the account. Use “unauthorized account using my business documents.”
Ignoring collection letters or customer complaints
If a bank, platform, courier, or customer sends a demand letter, respond in writing. Silence may make the dispute harder to explain later.
Filing a vague complaint
A complaint that says only “someone used my permit” may not be enough. Identify the account, platform, documents used, dates, harm, suspected person, and evidence.
Frequently Asked Questions
Can someone legally use my business permit if it was publicly posted?
No. Public visibility does not mean permission to impersonate your business, open accounts, claim authority, receive payments, or upload your documents for verification. Some permits may be displayed or submitted for compliance, but using them for a separate unauthorized account is a different matter.
Is using my business permit considered identity theft in the Philippines?
It can be. RA 10175 covers computer-related identity theft involving identifying information belonging to another, including juridical persons. If your business information was used online without authority, especially to create or control an account, cybercrime identity theft may be relevant. (Lawphil)
What if they used real documents, not fake ones?
Even using genuine documents can still be illegal if they were used without authority. Falsification may require proof of false making, alteration, forged signatures, or use of falsified documents, but cybercrime identity theft, estafa, privacy violations, or civil liability may still apply depending on the facts.
Should I file with NBI or PNP first?
Either may be appropriate for cybercrime. The NBI Cybercrime Division is often used for online fraud and computer crime complaints, while the PNP Anti-Cybercrime Group or local cybercrime units may be more accessible depending on location. What matters most is that your evidence is complete and the complaint is clearly organized.
Can I ask the platform to give me the name of the person who opened the account?
You can ask, but platforms and banks may refuse to disclose private KYC information directly because of privacy and banking rules. A better request is to ask them to preserve KYC records, uploaded documents, login data, payout details, and transaction records for law enforcement or regulatory investigation.
What if the fake account received payments from customers?
Document every payment reference, receipt, buyer complaint, payout account, and delivery record. This may support estafa, cybercrime, money mule, or financial account scamming issues. If a bank, e-wallet, or payment provider is involved, report immediately to the provider and escalate through BSP channels if unresolved.
Can I recover damages?
Possibly. Under the Civil Code, a person who causes damage contrary to law, morals, good customs, public policy, or through fault or negligence may be required to compensate the injured party. Articles 19, 20, and 21 are often used as bases for damages when conduct violates honesty, good faith, or legal duties. (Lawphil)
Do I need a notarized affidavit?
For government complaints, prosecutor filings, NPC complaints, and many platform or bank investigations, a notarized affidavit is often expected. If you are abroad, you may need consular notarization or a properly authenticated foreign notarization, depending on the document and where it will be used.
What if the account was created by an employee?
An employee may have had access to documents for work, but that does not automatically authorize personal use, unauthorized account creation, or diversion of payments. Preserve employment contracts, access permissions, email instructions, HR records, device logs, and any written policy on document handling.
Should I close my business registration after this happens?
Not automatically. Closing or cancelling your DTI, SEC, BIR, or LGU registration may create tax and compliance consequences and may not stop the fake account. Usually, the first step is to secure your records, report the misuse, and ask platforms or institutions to restrict the unauthorized account. Business closure is a separate process with the BIR, DTI, SEC, and LGU if the business has truly stopped operating.
Key Takeaways
- Unauthorized use of your business permits to create an account may involve cybercrime identity theft, falsification, estafa, data privacy violations, civil liability, or financial account scamming.
- Preserve evidence before requesting account takedown.
- Notify the platform, bank, e-wallet, marketplace, or payment provider in writing and ask them to preserve KYC, login, payout, and transaction records.
- Secure your DTI, SEC, BIR, and LGU records to check if the misuse is wider than one account.
- Prepare a notarized affidavit with organized attachments.
- Report cyber-related misuse to the NBI Cybercrime Division, PNP cybercrime unit, or prosecutor’s office.
- File with the NPC if personal data was misused, and use BSP complaint channels if a bank, e-wallet, or payment account is involved.
- Do not admit ownership of an account you never created; consistently describe it as an unauthorized account using your business identity.