If you entered a credit card OTP on a phishing link, act as if your card and online account are already compromised. The OTP may have allowed the scammer to approve an online purchase, add your card to a merchant account, change account settings, or test whether your card is active. The fastest way to reduce damage is to block the card, report the transaction as fraud, preserve evidence, and escalate properly if the bank refuses or delays action.
What an OTP Phishing Scam Usually Means
An OTP, or one-time password, is a temporary code used as part of multi-factor authentication. Banks send OTPs to confirm that a transaction or account action is being authorized by the cardholder.
In a phishing scam, the criminal tricks you into entering the OTP on a fake website or form. Common examples in the Philippines include:
- Fake delivery fee links pretending to be from couriers
- Fake bank “account verification” pages
- Fake credit card rewards or points redemption pages
- Fake government, telco, airline, or online shopping refund links
- Fake “card blocked” or “suspicious activity” alerts
- Sponsored social media ads that lead to spoofed login pages
The key point is this: entering the OTP does not automatically mean you intended to authorize the fraudulent transaction. It does mean the bank may initially treat the transaction as authenticated, so your evidence and complaint wording matter.
Do These Immediately
1. Lock or block the credit card
Use your bank’s official mobile app, its website typed manually into your browser, or the phone number on the back of your card.
Ask the bank to:
- Block the card immediately
- Cancel and replace the card
- Block online, international, and cash advance transactions
- Remove or reset any saved card tokens, recurring payment links, or digital wallet enrollments
- Check whether your online banking login, email, phone number, mailing address, or card delivery address was changed
Do not call any number shown on the suspicious text, email, or website.
2. Report the transaction as fraudulent
Tell the bank clearly:
“I was deceived by a phishing link into entering an OTP. I did not intend to authorize any transaction with this merchant. Please treat this as a fraudulent and unauthorized transaction, block the card, preserve all logs, and start a dispute or chargeback investigation.”
Avoid vague statements such as “I accidentally gave my OTP” without explaining the deception. The issue is not merely carelessness; it is a social engineering scheme.
3. Ask for a reference number
For every call, chat, or branch visit, get:
- Case number or ticket number
- Date and time of report
- Name or ID of the bank representative, if available
- Summary of what they promised to do
- Expected turnaround time
Take screenshots of in-app chats and save email acknowledgments.
4. Change passwords and secure linked accounts
Change the passwords of:
- Online banking account
- Email address linked to the card
- E-wallets linked to the card
- Shopping apps where the card is saved
- Telco account, if your SIM or phone number may have been targeted
Enable app-based authentication where available. Do not reuse passwords.
5. Preserve evidence before deleting anything
Keep the phishing SMS, email, chat, or social media message. Screenshot:
- Sender name or number
- Full message
- Phishing link
- Fake webpage
- OTP message from the bank
- Bank notification of the transaction
- Transaction details: amount, merchant, date, time, currency
- Any bank app alert, email, or statement entry
If the link is still visible, screenshot it but do not enter more information.
Philippine Legal Basis
Several Philippine laws may apply when a credit card OTP is obtained through phishing.
Anti-Financial Account Scamming Act: RA 12010 of 2024
The most directly relevant law is the Anti-Financial Account Scamming Act, Republic Act No. 12010.
RA 12010 covers financial accounts, including credit card accounts, bank accounts, e-wallets, and other payment accounts. It specifically recognizes social engineering schemes, where a person obtains another person’s sensitive identifying information through deception or fraud, resulting in unauthorized access or control over a financial account.
Under RA 12010, sensitive identifying information includes information that can be used to access financial accounts, such as:
- Usernames
- Passwords
- Bank account details
- Credit card information
- E-wallet information
- Electronic credentials
- Other confidential personal information
A phishing link that tricks you into entering your credit card OTP fits the practical pattern of a social engineering scheme.
RA 12010 also requires BSP-supervised institutions to maintain adequate risk management systems and controls, such as:
- Multi-factor authentication
- Fraud management systems
- Account owner enrollment and verification processes
- Real-time monitoring and blocking of suspicious transactions
Importantly, the law says institutions may be liable for restitution if they fail to employ adequate risk controls or fail to exercise the highest degree of diligence in preventing loss or damage. A criminal conviction of the scammer is not required before restitution may be considered.
Temporary holding of disputed funds
RA 12010 allows financial institutions to temporarily hold funds that are the subject of a disputed transaction under BSP rules, generally not beyond 30 calendar days, unless extended by a court.
This matters when the scam involves fast-moving transfers through bank accounts or e-wallets. For a credit card purchase, the bank may instead use card-network dispute, chargeback, merchant reversal, or fraud investigation processes. Still, you should report quickly because funds and settlement trails move fast.
Financial Products and Services Consumer Protection Act: RA 11765 of 2022
The Financial Products and Services Consumer Protection Act, Republic Act No. 11765, protects consumers of financial products and services, including digital financial services.
It recognizes key financial consumer rights, including:
- Right to equitable and fair treatment
- Right to protection of consumer assets against fraud and misuse
- Right to data privacy and protection
- Right to timely handling and redress of complaints
This is the law behind much of the BSP’s consumer protection framework. If your credit card issuer mishandles your complaint, ignores evidence, delays unreasonably, or gives only a generic denial, RA 11765 is one of your strongest regulatory bases for escalation.
Philippine Credit Card Industry Regulation Law: RA 10870 of 2016
The Philippine Credit Card Industry Regulation Law, Republic Act No. 10870, governs credit card issuers, acquirers, and credit card transactions.
Useful provisions include:
- Credit card issuers and acquirers are supervised by the BSP.
- Credit card issuers must maintain appropriate risk management systems.
- Credit card issuers must establish a customer assistance unit.
- A cardholder has up to 30 calendar days from statement date to report a billing error or discrepancy.
- The issuer must act within 10 business days from receipt of the notice.
Do not wait for the billing statement if you already see the fraudulent transaction. Report immediately. But if the transaction appears on your statement later, raise a written dispute within the 30-day period.
Cybercrime Prevention Act: RA 10175 of 2012
The Cybercrime Prevention Act, Republic Act No. 10175, may apply because phishing involves computers, mobile phones, websites, data, and online deception.
Possible cybercrime offenses include:
- Computer-related fraud
- Computer-related identity theft
- Illegal access, if the scammer accessed an account without right
- Misuse of devices, if tools or access codes were used to commit cybercrime
- Other offenses committed through information and communications technology
The Supreme Court case Disini v. Secretary of Justice, G.R. No. 203335, February 11, 2014, is the leading case on the Cybercrime Prevention Act. It upheld many provisions of RA 10175 while striking down or limiting others on constitutional grounds. For ordinary victims, the practical point is that cyber-fraud and identity-related online offenses remain prosecutable.
Access Devices Regulation Act: RA 8484, as amended by RA 11449
The Access Devices Regulation Act, Republic Act No. 8484, as amended by Republic Act No. 11449, penalizes fraudulent acts involving access devices.
An access device can include cards, account numbers, codes, or other means of account access. In credit card fraud cases, this law may be relevant where a person obtains or uses card details, codes, or account credentials without authority.
Revised Penal Code: estafa under Article 315
Depending on the facts, phishing may also involve estafa under Article 315 of the Revised Penal Code, especially where deceit caused another person to suffer damage.
In simple terms, estafa is fraud. The scammer deceives the victim, and because of that deception, money, property, credit, or financial value is lost.
Civil Code: damages under Articles 19, 20, and 21
The Civil Code may also support civil claims for damages. Articles 19, 20, and 21 of the Civil Code require persons to act with justice, honesty, and good faith, and provide liability for willful or negligent acts that cause damage contrary to law, morals, good customs, or public policy.
For victims, these provisions are usually secondary to the bank dispute, BSP complaint, and criminal complaint process. They become more relevant if a civil action is later considered.
Step-by-Step Guide to Protect Yourself and Build Your Case
Step 1: Make an emergency report to the bank
Use official channels only:
- Hotline on the back of the card
- Official mobile app
- Official website typed manually
- Branch visit
- Official verified email channel
Ask for immediate blocking and replacement of the card.
If the transaction is still pending, ask the bank whether it can:
- Decline settlement
- Reverse authorization
- Notify the merchant/acquirer
- Freeze or flag the transaction
- Start a chargeback or fraud dispute
Banks may use different internal terms, but your request should be clear: stop the transaction if possible and investigate it as fraud.
Step 2: File a written dispute
A phone call is useful for emergency blocking, but a written complaint is stronger.
Send a written dispute through the bank’s official email, in-app message center, or branch. Include:
- Your full name
- Last four digits of the card only
- Date and time you discovered the scam
- Date and time you reported it
- Transaction amount and merchant name
- Statement that you did not intend to authorize the transaction
- Explanation that the OTP was entered because of a phishing link
- Request for reversal, chargeback, waiver of finance charges, and investigation
- Request for preservation of logs and records
Do not send your full card number, CVV, password, or full OTP by unsecured email unless the bank specifically provides a secure method.
Step 3: Ask the bank to confirm the basis if it denies your claim
Some banks deny phishing-related disputes by saying the transaction was “OTP-authenticated.”
If that happens, ask for a written explanation addressing:
- What transaction the OTP supposedly approved
- Whether the OTP message clearly identified the merchant, amount, and purpose
- Whether the transaction was unusual compared with your normal card use
- Whether the bank’s fraud system flagged or should have flagged the transaction
- Whether the merchant was high-risk, foreign, newly used, or suspicious
- Whether the card was newly tokenized or added to a wallet or merchant account
- Whether the bank complied with its duties under RA 12010, RA 11765, RA 10870, and BSP rules
A bare statement that “OTP was used” should not be treated as the end of the discussion. It is relevant evidence, but the legal and factual issue is whether there was genuine consent or a transaction produced by deception and unauthorized access.
Step 4: Escalate to the BSP if the bank does not resolve it properly
For banks, credit card issuers, e-money issuers, and other BSP-supervised financial institutions, the usual sequence is:
- File first with the bank’s Financial Consumer Protection Assistance Mechanism or customer assistance unit.
- Wait for the bank’s action or response.
- If unresolved or unsatisfactory, escalate to the Bangko Sentral ng Pilipinas Consumer Assistance Mechanism.
You can use the BSP Consumer Assistance Channels and BSP Online Buddy. BSP also allows complaints through its official consumer assistance channels listed on the BSP Consumer Corner.
For a BSP complaint, attach:
- Copy of your complaint to the bank
- Bank’s reply, if any
- Case or reference number
- Screenshots and documents
- Your requested resolution
The BSP generally wants proof that you first reported the matter to the financial institution. If you skip the bank and go directly to BSP, BSP may direct you to exhaust the bank’s first-level complaint process first.
Step 5: File a cybercrime report when there is actual loss or clear identity theft
For criminal investigation, you may report to:
- NBI Cybercrime Division
- PNP Anti-Cybercrime Group
- CICC / Inter-Agency Response Center hotline 1326, where available for cyber fraud triage
- Local police station, especially if you need a blotter or initial incident report
The NBI Citizens’ Charter page for investigative assistance for victims of computer crimes states that complainants may file a complaint or request for investigation, undergo preliminary interview, execute sworn statements or submit affidavits, and present devices or supporting documents relevant to the probe.
Bring or prepare:
- Valid government ID
- Screenshots of phishing link and messages
- Bank transaction details
- Bank case number
- Credit card statement or transaction notification
- Phone used to receive the SMS or email
- Sworn statement or affidavit, if required
- Timeline of events
The initial intake may be quick, but actual investigation can take much longer, especially if the scammer used foreign merchants, mule accounts, virtual numbers, VPNs, or overseas infrastructure.
Step 6: Report scam SMS or numbers to NTC or your telco
If the phishing link came by text message, also report the number or sender to your telco and the National Telecommunications Commission.
The purpose is not mainly to recover your money. It is to help block scam numbers, sender IDs, or related infrastructure.
Include:
- Screenshot of the SMS
- Sender number or sender ID
- Date and time received
- Link shown in the message
- Your contact details, if required by the form
Step 7: Monitor your card, email, and credit profile
For at least 60 to 90 days, watch for:
- Small test charges
- Foreign currency charges
- Cash advances
- New saved merchants
- Unexpected OTPs
- Password reset emails
- Calls pretending to be from the bank’s fraud team
- Collection notices for charges under dispute
If the disputed charge appears in your statement, pay attention to the due date. Ask the bank in writing whether the disputed amount, interest, late fees, and minimum amount due will be suspended or reversed while under investigation. Policies vary, and you do not want a fraud dispute to become a delinquency issue.
How to Word Your Bank Complaint
Use clear, factual language.
Sample written dispute
I am disputing the transaction described below as fraudulent and unauthorized. I was deceived by a phishing link that impersonated a legitimate service and caused me to enter an OTP. I did not intend to authorize any transaction with the merchant, did not receive any goods or services, and did not knowingly approve the charge.
Please block and replace my card, investigate this as a social engineering and phishing incident, preserve all relevant logs, initiate the appropriate chargeback or reversal process, and temporarily hold or prevent settlement where possible. I also request reversal of the disputed amount and any related finance charges, interest, foreign transaction fees, penalties, and other charges.
Transaction details:
- Date and time:
- Amount:
- Merchant:
- Currency:
- Last four digits of card:
- Date and time reported:
- Reference number:
Attach evidence in organized files, not scattered screenshots without explanation.
Evidence Checklist
| Evidence | Why it matters |
|---|---|
| Screenshot of phishing SMS, email, or chat | Shows deception and source |
| Screenshot of fake webpage | Shows impersonation and phishing method |
| Full URL of phishing site | Helps cybercrime investigators trace infrastructure |
| OTP message screenshot | Shows date, time, and wording of bank authentication |
| Transaction alert | Shows amount, merchant, and timing |
| Bank statement | Confirms posted or billed charge |
| Call logs or chat transcripts with bank | Proves timely reporting |
| Bank reference number | Needed for follow-up and BSP escalation |
| Affidavit or sworn statement | Often needed for NBI/PNP or bank investigation |
| Device used | May contain browser history, messages, or forensic evidence |
Do not edit screenshots except to redact sensitive information for public sharing. For official complaints, submit clean copies and keep originals.
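One way to show later that the originals were never altered is to record a cryptographic hash of each evidence file on the day you collect it. The script below is an added example, not part of the original guide or any bank or agency procedure: it builds a SHA-256 manifest of an evidence folder, re-checks the folder against that manifest, and converts a timestamp taken abroad into Philippine time for the timeline. The file names and sample contents are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Philippine Standard Time is a fixed UTC+8 offset with no daylight saving time.
PHT = timezone(timedelta(hours=8), "PHT")


def sha256_of(path):
    """Hash a file in chunks so large screenshots or exports are handled."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """List every file with its size, SHA-256 and last-modified time in PHT.

    Store the resulting manifest outside the evidence folder itself.
    """
    root = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        info = path.stat()
        modified = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
        entries.append({
            "file": path.relative_to(root).as_posix(),
            "bytes": info.st_size,
            "sha256": sha256_of(path),
            "modified_pht": modified.astimezone(PHT).isoformat(timespec="seconds"),
        })
    return entries


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems: missing, changed or unlisted files."""
    root = Path(evidence_dir)
    recorded = {entry["file"]: entry for entry in manifest}
    problems = []
    for name, entry in recorded.items():
        path = root / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif sha256_of(path) != entry["sha256"]:
            problems.append(f"changed: {name}")
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for name in sorted(present - recorded.keys()):
        problems.append(f"unlisted: {name}")
    return problems


def to_pht(timestamp_with_offset):
    """Convert an ISO 8601 timestamp that carries a UTC offset to Philippine time."""
    moment = datetime.fromisoformat(timestamp_with_offset)
    return moment.astimezone(PHT).isoformat(timespec="minutes")


def demo():
    """Run the manifest and the check on constructed sample files (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "01_phishing_sms.png").write_bytes(b"constructed screenshot bytes")
        (root / "02_bank_otp_sms.png").write_bytes(b"constructed OTP screenshot bytes")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate a screenshot being cropped or re-saved after collection.
        (root / "02_bank_otp_sms.png").write_bytes(b"cropped copy")
        after_edit = verify_manifest(root, manifest)
    return manifest, clean, after_edit


if __name__ == "__main__":
    manifest, clean, after_edit = demo()
    for entry in manifest:
        print(entry["modified_pht"], entry["sha256"][:16], entry["file"])
    print("untouched folder:", clean)
    print("after an edit:", after_edit)
    # A report made at 21:30 in a UTC-5 location, expressed in Philippine time.
    print("reported (PHT):", to_pht("2025-01-15T21:30:00-05:00"))
```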
Important Timelines
| Action | Practical timeline |
|---|---|
| Block card | Immediately, ideally within minutes |
| Report fraud to bank | Same day, as soon as discovered |
| Written dispute to bank | Same day or within 24 hours |
| Billing error or discrepancy under RA 10870 | Up to 30 calendar days from statement date |
| Bank action under RA 10870 for billing notice | Within 10 business days from receipt of notice |
| BSP escalation | After filing with the bank and receiving no satisfactory action or response |
| AFASA temporary hold of disputed funds | Period prescribed by BSP rules, generally not beyond 30 calendar days unless court-extended |
| Cybercrime complaint | As soon as you have evidence of scam, loss, or attempted account takeover |
The shorter the delay, the better. Fraud investigations often turn on timestamps.
What the Bank May Say — and How to Respond
“The OTP was entered, so the transaction is valid.”
Respond that the OTP was obtained through deception and the transaction was the result of a phishing or social engineering scheme. Ask the bank to evaluate the full circumstances, not merely the OTP.
Relevant questions include:
- Was the merchant new or unusual for your account?
- Was the amount unusual?
- Was it foreign or high-risk?
- Did the OTP message clearly describe the actual transaction?
- Did the bank’s fraud monitoring system detect risk?
- Was the transaction consistent with your past behavior?
- Did the bank act promptly after you reported it?
“You shared confidential information, so you are liable.”
The bank can investigate your conduct, but it should also investigate the scam, merchant, transaction pattern, and its own controls. RA 12010 and RA 11765 recognize that financial institutions have duties to protect accounts against fraud and misuse.
A consumer’s mistake does not automatically erase the bank’s obligations.
“Wait for the charge to post.”
Some card issuers cannot file a formal chargeback until a transaction is posted. Even so, they should still block the card, create a fraud report, flag the account, and advise you on next steps.
Ask for written confirmation that you reported the fraud while the transaction was pending.
“Contact the merchant yourself.”
If the merchant is legitimate and identifiable, contacting it may help. But in fraud cases, the bank should still process your cardholder dispute. Do not communicate with a suspicious “merchant” using contact details from the phishing page.
Use official merchant channels only.
Common Scenarios
You entered the OTP but no charge appeared yet
Block the card anyway. Scammers sometimes test information first, then transact later. Also ask the bank to check if your card was added to any online merchant, subscription, or digital wallet.
The charge is still pending
Report immediately and ask whether authorization can be reversed or settlement prevented. Pending transactions can still post later, so follow up until the bank confirms the final status.
The transaction already posted
File a formal dispute and request chargeback or reversal. Ask the bank to waive related interest, foreign transaction fees, and late charges while the dispute is pending.
The bank denied your claim because the OTP was correct
Request the denial in writing and escalate through the bank’s formal complaint channel. If still unresolved, file with BSP Consumer Assistance and attach the denial, evidence, and your timeline.
You are an OFW or foreigner outside the Philippines
Report through the bank’s international hotline, app, secure email, or official chat. Save proof of the report.
If an affidavit, special power of attorney, or representative is needed in the Philippines, the document may need to be notarized abroad and, depending on the country, apostilled or acknowledged before a Philippine Embassy or Consulate. Banks and investigators differ in their document requirements, so confirm the exact format before sending originals.
The scammer also got your ID, birthdate, or address
Treat it as possible identity theft. Aside from blocking the credit card, monitor other bank accounts, e-wallets, loans, telco accounts, and email. Consider changing passwords and security questions, and notify institutions where the same information may be used for verification.
The bank keeps calling to collect the disputed amount
Put the dispute in writing and ask the bank to note the account as under fraud investigation. Under RA 10870, credit card issuers and collection agents must observe good faith, reasonable conduct, and proper decorum in collection.
If a collection agency contacts you, ask for:
- Name of collection agency
- Written authority or endorsement from the card issuer
- Exact amount being collected
- Breakdown of disputed principal, interest, fees, and charges
Do not ignore statements, but do not admit liability for a fraudulent transaction just to stop calls.
Where to Report
| Office or institution | Use this when | What to prepare |
|---|---|---|
| Credit card issuer or bank | First and urgent report; card blocking; dispute; reversal | Card last 4 digits, transaction details, screenshots, timeline |
| BSP Consumer Assistance | Bank does not act, delays, or denies without proper explanation | Proof of bank complaint, bank response, reference number, evidence |
| NBI Cybercrime Division | Actual loss, phishing, identity theft, cyber-fraud investigation | ID, sworn statement, screenshots, transaction records, device |
| PNP Anti-Cybercrime Group | Cybercrime complaint or police investigation | Same as NBI; include bank and telco records if available |
| CICC / 1326 | Cyber fraud triage and reporting, where available | Incident details, scam messages, phone number, links |
| NTC or telco | Scam SMS, spoofed sender, suspicious number | Screenshot of SMS, sender number or ID, link, date and time |
| National Privacy Commission | Suspected personal data breach or mishandling of personal data | Proof of breach, personal data involved, institution’s response |
Practical Tips That Often Make a Difference
- Report by phone for speed, then follow up in writing for proof.
- Use the word phishing or social engineering in your complaint.
- State that you did not intend to authorize the merchant transaction.
- Keep a timeline in Philippine time, especially if you are abroad.
- Do not delete the SMS or email until screenshots and backups are made.
- Do not send full card details, CVV, passwords, or OTPs by ordinary email.
- Ask the bank to preserve logs, IP addresses, device fingerprints, merchant data, and authentication records.
- If the bank says “OTP means valid,” ask for a written denial and escalate.
- Watch for follow-up scams. Scammers may call pretending to be the bank, BSP, NBI, or “recovery agents.”
Frequently Asked Questions
Can I still dispute a credit card transaction if I entered the OTP?
Yes. You can still dispute it if the OTP was obtained through phishing, deception, or social engineering. The bank may treat OTP use as evidence of authentication, but it should still investigate the fraud circumstances, transaction pattern, merchant, timing, and its own risk controls.
Am I automatically liable because I gave the OTP?
Not automatically. Your conduct matters, but Philippine law also imposes duties on financial institutions to protect consumer assets, maintain fraud controls, and handle complaints properly. The outcome depends on the facts, evidence, timing of your report, bank systems, and applicable card dispute rules.
What should I tell the bank first?
Say: “I entered an OTP on a phishing link. I did not authorize the transaction. Please block my card, replace it, investigate the charge as fraud, and start the dispute or chargeback process.”
Ask for a reference number immediately.
How fast should I report the phishing incident?
Immediately. Minutes matter. If you wait, the transaction may post, funds may move through other accounts, or the scammer may attempt more charges. Even if RA 10870 gives cardholders up to 30 calendar days from statement date to report billing errors or discrepancies, fraud should be reported as soon as discovered.
Should I pay the disputed amount while the investigation is ongoing?
Ask the bank in writing how it will treat the disputed amount, minimum payment, interest, and late fees while the dispute is pending. Some issuers temporarily suspend or reverse disputed amounts; others may require payment to avoid delinquency while investigating. Get the answer in writing.
Can BSP order the bank to refund me?
Under RA 11765, the BSP has consumer redress and adjudication powers for covered financial transactions that are purely civil in nature and involve payment or reimbursement claims within the statutory threshold. In practice, you usually start with the bank’s complaint mechanism, then escalate to BSP if unresolved.
Should I file with NBI or PNP even if the bank is already investigating?
Yes, especially if there is actual loss, identity theft, repeated attempts, or a large amount involved. The bank investigation focuses on your account and possible reversal. NBI or PNP investigation focuses on the criminal act and the people or infrastructure behind it.
What if the phishing link came from a registered-looking sender name?
Scammers can spoof names, use compromised sender IDs, or send messages that appear inside legitimate-looking SMS threads. Preserve the message and report it to your bank, telco, NTC, and cybercrime authorities. Do not assume it is legitimate just because it appeared in the same thread as previous messages.
Can foreigners report credit card OTP phishing in the Philippines?
Yes. Foreigners dealing with Philippine banks, Philippine-issued cards, Philippine merchants, or cybercrime elements connected to the Philippines may report to the bank and relevant Philippine agencies. If documents are signed abroad, the bank or investigator may require notarization, apostille, consular acknowledgment, or a properly executed special power of attorney.
What if I only clicked the link but did not enter the OTP?
Still secure your accounts. Clicking may expose you to malware, fake login pages, or tracking. Change passwords if you entered any information, block the card if card details were typed, and monitor for unauthorized OTPs or transactions.
Key Takeaways
- Block the card immediately using only official bank channels.
- Report the transaction as phishing, social engineering, and unauthorized, not merely as “I gave my OTP.”
- Put the dispute in writing and ask for a reference number.
- Preserve screenshots, links, OTP messages, transaction alerts, and bank communications.
- RA 12010, RA 11765, RA 10870, RA 10175, RA 8484, and related laws may apply.
- OTP use is important evidence, but it is not always the end of the case.
- Escalate to BSP if the bank mishandles, delays, or gives an unsupported denial.
- File with NBI, PNP, CICC, NTC, or NPC when the facts call for criminal, telco, cybercrime, or data privacy action.