Finding out that your bank account has been hacked and your savings have been drained is terrifying. In the Philippines, the first few hours matter because the bank may still be able to block the account, trace the transfer path, ask the receiving bank or e-wallet to temporarily hold funds, and preserve electronic records. Your goals are simple: stop further losses, create a written dispute, preserve evidence, trigger the bank’s fraud process, escalate properly to the BSP if needed, and report the cybercrime when the facts justify it.
What Counts as a Hacked or Unauthorized Bank Transaction?
A hacked bank account usually means someone accessed or used your bank account without your genuine authority. This may happen through:
- Phishing links that steal your username, password, card details, or one-time password
- Fake bank calls or texts pretending to be “fraud verification”
- SIM swap or lost-phone attacks
- Malware or remote-access apps installed on your phone
- Stolen debit card or ATM card details
- Unauthorized online fund transfers
- Account takeover after your email or mobile banking login was compromised
- A bank or payment system weakness that allowed access without proper verification
Philippine law now specifically recognizes social engineering in financial account scams. Under Republic Act No. 12010, or the Anti-Financial Account Scamming Act (AFASA), social engineering includes obtaining sensitive identifying information through deception or fraud, resulting in unauthorized access to or control over a financial account. Sensitive identifying information includes things like usernames, passwords, bank account details, credit card or debit card information, e-wallet information, and similar credentials. (Lawphil)
A practical distinction matters:
| Situation | Why it matters |
|---|---|
| Someone logged in and transferred money without your consent | This is usually treated as an unauthorized or disputed transaction. |
| You were tricked into giving an OTP or approving a transfer | The bank may argue you “authorized” it, but AFASA still treats many deceptive credential-harvesting schemes as social engineering. |
| You personally sent money to a scammer’s account | This may still involve fraud, money muling, or cybercrime, but recovery may be harder because the transfer was initiated from your side. |
| Bank systems failed to flag abnormal activity | This may support a claim that the bank failed to exercise the required degree of diligence. |
Your First 24 Hours: What to Do Immediately
1. Contact the bank’s fraud hotline and block the account
Report the incident through the bank’s official hotline, in-app support, branch, or fraud reporting channel. Do not rely only on a social media comment or a casual chat message.
Use clear words:
“I am disputing these transactions as unauthorized. My account appears to have been compromised. Please block online access, freeze or restrict the account, disable linked cards and transfers, and initiate fraud investigation and fund tracing immediately.”
Ask for:
- A case or reference number
- The name or ID of the bank representative, if available
- The exact date and time of your report
- Written confirmation by email, SMS, in-app message, or complaint ticket
This matters because AFASA and BSP rules recognize the importance of timely reporting and bank-coordinated action. Current BSP rules require account owners to immediately report disputed transactions, cooperate with the financial institution, and provide requested documents while also protecting credentials such as OTPs, PINs, passwords, and authentication details.
2. Ask the bank to initiate temporary holding and coordinated verification
If your money was transferred to another bank, e-wallet, or account, ask your bank to coordinate with the receiving institution.
Under BSP Circular No. 1215, banks and other BSP-supervised institutions may temporarily hold funds subject to disputed transactions. The initial holding period is generally up to 5 calendar days, and the total temporary holding period may reach up to 30 calendar days, including any extended holding period, unless a court orders otherwise.
The bank should act fast because the funds may be withdrawn, split into smaller transfers, or moved through several accounts. BSP rules require coordinated verification among financial institutions and procedures for handling source accounts, recipient accounts, and subsequent recipient accounts.
3. Preserve evidence before deleting anything
Do not delete suspicious texts, emails, call logs, apps, browser history, or transaction alerts. Take screenshots and save files showing:
- The unauthorized transactions
- Transaction reference numbers
- Dates, times, amounts, and recipient details
- SMS and email alerts from the bank
- Phishing links, fake websites, phone numbers, or Viber/WhatsApp/Telegram accounts used by the scammer
- Login alerts, device enrollment notices, password reset messages, or OTP messages
- Bank chat transcripts and complaint reference numbers
Export or download bank statements if you still have access. If you no longer have access, ask the bank to provide a certified or official transaction history for the disputed period.
4. Secure your phone, email, and SIM
A bank hack often starts outside the bank app. Change passwords from a safe device, not from the compromised phone.
Do these as soon as possible:
- Change your online banking password
- Change your email password
- Log out of all active email sessions
- Enable multi-factor authentication on email and banking apps
- Remove unknown devices from your bank, email, and e-wallet accounts
- Call your telco if you suspect SIM swap, lost SIM, or unauthorized SIM replacement
- Scan your phone for malware or consider using a clean device for banking
- Disable remote-access apps you do not recognize
5. Make a short written timeline
Write a timeline while your memory is fresh. Include:
- When you last used the account normally
- When you noticed the missing funds
- When suspicious messages, calls, or links appeared
- When you reported to the bank
- What the bank said
- What transactions you dispute
This timeline will help when filing with the bank, the Bangko Sentral ng Pilipinas (BSP), the National Bureau of Investigation (NBI), the Philippine National Police Anti-Cybercrime Group (PNP ACG), or the National Privacy Commission (NPC).
Your Legal Rights Against the Bank
Banks in the Philippines must exercise a high degree of diligence
Banking is treated as a business affected with public interest. Under the General Banking Law of 2000, the fiduciary nature of banking requires high standards of integrity and performance. (Bureau of the Treasury)
The Supreme Court has repeatedly held that banks must treat their depositors’ accounts with meticulous care. In a case involving unauthorized withdrawals, the Court reiterated that banks are expected to exercise the highest degree of diligence because they handle public money and their relationship with depositors is impressed with public interest. (Supreme Court of the Philippines)
This does not mean every hacking incident automatically makes the bank liable. But it does mean the bank cannot dismiss your complaint with a generic “OTP was used” or “transaction successful” response without properly investigating whether its systems, controls, alerts, transaction limits, device enrollment process, fraud monitoring, and customer assistance procedures worked as they should.
Financial consumers have statutory rights
Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, gives financial consumers rights such as fair treatment, disclosure and transparency, protection of consumer assets against fraud and misuse, data privacy and protection, and timely handling and redress of complaints. BSP Circular No. 1169 implements procedures for consumer assistance, mediation, and adjudication under this law.
BSP Circular No. 1160 also requires BSP-supervised financial institutions to maintain a consumer protection risk management system. This system should identify, measure, monitor, and mitigate financial consumer protection risks, including risks affecting consumer assets.
AFASA may require restitution when the institution failed its duties
AFASA is especially important for hacked bank accounts and drained savings. It requires financial institutions to protect access to financial accounts through adequate risk management systems and controls, such as multi-factor authentication, fraud management systems, and verification processes. The law also provides that compliant institutions are generally not liable for losses due to account owner fault or negligence, but if the institution fails to employ adequate risk management systems or fails to exercise the highest degree of diligence, it can be liable for restitution. Importantly, conviction of the offender is not required before restitution may be pursued. (Lawphil)
Civil Code principles may also apply
If the bank’s negligence or failure to follow its own procedures caused the loss, a civil claim may be based on breach of obligation or negligence. Article 1170 of the Civil Code makes those guilty of fraud, negligence, delay, or violation of the terms of an obligation liable for damages. Article 1173 explains negligence as the failure to observe the diligence required by the nature of the obligation and the circumstances. (Lawphil)
If the victim also acted carelessly, such as by sharing an OTP despite clear warnings, the bank may raise contributory negligence. Under Article 2179 of the Civil Code, contributory negligence may reduce the damages recoverable. (Lawphil)
Step-by-Step Process to Try to Recover the Money
1. File a formal dispute with the bank first
Your first formal step is the bank’s Financial Consumer Protection Assistance Mechanism, commonly referred to as the bank’s first-level complaint or FCPAM process.
Your written complaint should include:
- Your full name and contact details
- Account type and masked account number
- Date and time you discovered the loss
- Disputed transaction dates, amounts, and reference numbers
- Why the transactions are unauthorized
- Evidence attached as screenshots or PDFs
- A request to freeze or restrict the account
- A request to initiate fund tracing and temporary holding
- A request for written investigation results
- A request for reimbursement or restoration of funds, if justified by the facts
Keep the tone factual. Avoid exaggeration. Banks investigate based on records, timestamps, device logs, authentication events, and transaction trails.
2. Request temporary holding of the transferred funds
If the money was sent to another account, ask your bank to treat the matter as a disputed transaction under BSP Circular No. 1215 and to coordinate with the receiving institution.
The rules allow temporary holding where a complaint is filed by the source account owner through the bank’s 24/7 fraud reporting channel, where the bank’s fraud monitoring system detects a suspicious transaction, or where another institution sends a request. Banks must keep logs of these reports and actions.
During the initial holding period, the bank may require supporting documents. For extended holding, BSP rules refer to documents such as a sworn complaint, affidavit, police report, or other supporting documents, depending on the industry protocol and the facts of the transaction.
3. Submit a sworn statement or affidavit if needed
A sworn statement is a written narrative signed under oath before a notary public or authorized officer. It usually states:
- You are the account owner
- You did not authorize the disputed transactions
- You did not benefit from the transfers
- When and how you discovered the loss
- What steps you took to report the incident
- What evidence you are attaching
For OFWs or foreigners abroad, the bank or agency may require documents signed before a Philippine embassy or consulate, or documents apostilled in the country where they were executed, depending on the document and where it will be used.
4. Escalate to the BSP if the bank does not resolve it properly
The BSP is usually a second-level recourse. This means you should first report the complaint to the bank’s customer assistance or FCPAM channel. BSP’s own consumer complaint guidance states that new complaints should first be raised with the BSP-supervised financial institution.
If the bank ignores the complaint, gives an inadequate response, or you are unsatisfied with the result, you may escalate to the BSP through its consumer assistance channels. BSP Circular No. 1169 states that BSP-CAM is the second-level recourse after the consumer has gone through the institution’s FCPAM, and that BSP-CAM is generally a condition precedent to BSP mediation or adjudication.
You may file through BSP’s online chatbot or, if you cannot access it, by submitting the Consumer Information Record form and supporting documents by email or other allowed channels. BSP’s complaint instructions require details of the concern, requested resolution, contact information, proof of complaint filed with the financial institution, the financial institution’s reply if any, and supporting documents. (Bureau of the Treasury)
Under BSP rules, the financial institution generally has 15 days from BSP’s directive to answer the complainant and copy BSP. The complainant may reply, and the institution may submit a rejoinder. The entire BSP-CAM process may take around 55 to 65 days from receipt to termination, depending on the case.
5. File a cybercrime complaint when there is hacking, phishing, identity theft, or mule activity
A drained bank account may involve criminal offenses under several laws.
Under the Cybercrime Prevention Act of 2012 or RA 10175, offenses may include illegal access, misuse of passwords or access codes, computer-related fraud, and computer-related identity theft. The law authorizes the NBI and PNP to handle cybercrime enforcement, and regional trial courts designated as cybercrime courts have jurisdiction over cybercrime cases. (Supreme Court E-Library)
Under RA 8484, the Access Devices Regulation Act, an access device includes a card, code, account number, PIN, or other means of account access that can be used to obtain money or initiate a fund transfer. Unauthorized access device fraud may apply depending on how the account, card, code, or credentials were used. (Lawphil)
Under AFASA, money muling and social engineering are separate punishable acts. Money muling can involve using, borrowing, selling, renting, or allowing the use of a financial account to receive or transfer proceeds of scams. (Lawphil)
For NBI cybercrime complaints, the NBI Citizens Charter describes a process where the complainant proceeds to the Cybercrime Division, fills out a complaint sheet, undergoes preliminary interview and initial investigation, and may execute sworn statements and submit devices or evidence for examination. The listed frontline filing steps have no stated filing fee and an estimated processing time of about 1 hour and 10 minutes for initial intake. (National Bureau of Investigation)
6. Consider a National Privacy Commission complaint if personal data was misused
If the incident involved a suspected data breach, unauthorized disclosure of your personal information, mishandling of your data, or failure to protect personal information, the Data Privacy Act of 2012 or RA 10173 may be relevant.
The National Privacy Commission allows data subjects to file complaints when personal information has been misused, maliciously disclosed, improperly disposed of, or when data privacy rights have been violated. Formal NPC complaints generally require the complaint form, supporting documents, and notarization, with submission options indicated by the NPC. (National Privacy Commission)
An NPC complaint is not always the fastest way to recover drained savings. It is most relevant when the problem includes compromised personal data, bank employee misuse, unauthorized disclosure, or a reportable personal data breach.
7. Consider civil action or BSP adjudication if the dispute remains unresolved
If the bank denies responsibility and the loss is significant, the next practical step may be BSP mediation or adjudication, or a civil case in court.
For civil cases involving money claims, jurisdiction depends partly on the amount. RA 11576 expanded the jurisdiction of first-level courts so that civil actions involving demands not exceeding ₱2,000,000, exclusive of interest, damages, attorney’s fees, litigation expenses, and costs, generally fall within first-level court jurisdiction. Claims above that threshold generally go to the Regional Trial Court. (Lawphil)
Small claims may be available for certain money claims not exceeding ₱1,000,000, but a complex hacked-account case involving bank negligence, fraud systems, technical evidence, and damages often does not fit neatly into a simple small-claims approach. (Supreme Court of the Philippines)
Documents to Prepare
| Document | Why it helps | Practical notes |
|---|---|---|
| Government ID | Proves identity and account ownership | Passport, driver’s license, UMID, national ID, or other accepted ID |
| Bank statement or transaction history | Shows the disputed debits | Highlight dates, times, amounts, and reference numbers |
| Screenshots of alerts and app history | Preserves real-time evidence | Include SMS, email, in-app alerts, and login notices |
| Complaint reference number from bank | Proves timely reporting | Ask for written confirmation |
| Written incident timeline | Helps bank, BSP, NBI, or PNP understand the case | Keep it factual and chronological |
| Affidavit or sworn complaint | Often needed for extended holding or law enforcement | Notarization may be required |
| Police, NBI, or PNP report | Supports criminal investigation and fund-hold requests | Bring printed and digital evidence |
| Proof of phishing or scam contact | Identifies method used | Save links, phone numbers, email headers, chat handles |
| Device or SIM evidence | Useful for malware, SIM swap, or lost phone cases | Include telco reports or SIM replacement records if available |
| Authorization or SPA | Needed if someone else files for you | OFWs and foreigners abroad may need consular notarization or apostille |
Do not send your PIN, password, OTP, full card number, CVV, or complete copies of sensitive documents unless specifically required through a secure official channel. BSP’s consumer complaint guidance warns consumers not to share PINs, passwords, account numbers, card numbers, passport details, or IDs unnecessarily in complaint forms or attachments.
Typical Timelines
| Stage | Typical timeframe | What may delay it |
|---|---|---|
| Bank hotline blocking | Immediate to same day | Wrong hotline, identity verification issues, system downtime |
| Initial temporary holding of disputed funds | Up to 5 calendar days | Funds already withdrawn or moved onward |
| Extended temporary holding | Up to 25 more calendar days, total up to 30 calendar days unless court-extended | Missing affidavit, police report, or supporting documents |
| BSP email or postal complaint evaluation | Around 7 banking days for evaluation or referral in BSP guidance | Incomplete forms or missing proof of bank complaint |
| BSP-CAM process | Around 55 to 65 days from receipt to termination | Bank replies, complainant replies, complexity of evidence |
| NBI or PNP complaint intake | Same day intake may be possible | Volume of complaints, technical examination, unavailable evidence |
| Criminal investigation | Weeks to months or longer | Mule accounts, cross-border transfers, fake identities |
| Civil case | Months to years | Court docket, technical evidence, expert testimony, appeals |
Common Scenarios in the Philippines
“The bank says the OTP was used, so I authorized it.”
Do not accept a one-sentence denial as the final word. Ask for the basis of the bank’s conclusion.
You can ask the bank to explain:
- When the device was enrolled
- Whether a new device or IP address was used
- Whether the transaction pattern was unusual
- Whether transaction limits were changed
- Whether alerts were sent before or after the transfer
- Whether multi-factor authentication was triggered
- Whether the bank’s fraud monitoring system flagged the transaction
- Whether the transfer went to a newly added beneficiary
- Whether the receiving account was reported in other fraud cases
If you gave an OTP to a scammer, your case becomes harder. But under AFASA, social engineering is itself recognized as a punishable method of financial account scamming. The real issue becomes whether the bank’s systems and warnings were legally adequate, whether the transaction was abnormal enough to trigger controls, and whether the bank acted promptly after your report.
“I clicked a phishing link and the money went to an e-wallet.”
Report to both your bank and the e-wallet provider if you can identify the receiving wallet. Give your bank the recipient name, masked number, reference number, amount, and timestamp.
Ask your source bank to send a temporary holding request to the receiving financial institution. BSP Circular No. 1215 covers coordinated verification among financial institutions, including recipient and subsequent recipient institutions.
“I am an OFW and I cannot go to the branch.”
File the bank dispute through the official hotline, email, or in-app support first. Do not wait until you can visit the Philippines.
If a sworn document or representative is required, the bank may ask for:
- A notarized affidavit abroad
- Consular notarization at a Philippine embassy or consulate
- Apostilled documents, depending on the country and intended use
- A Special Power of Attorney authorizing a trusted person in the Philippines
Keep all email headers, time-zone references, call logs, and bank ticket numbers. These help prove timely reporting even if you were overseas.
“I am a foreigner with a Philippine bank account.”
Foreigners can file bank complaints, BSP consumer complaints, and criminal complaints if the account is maintained in the Philippines or the damage occurred through a Philippine financial institution. AFASA provides jurisdiction where elements occur in the Philippines, where the computer system or infrastructure is in the country, where damage is caused to a person in the Philippines, or where the financial account is maintained with a financial institution operating in the Philippines. (Lawphil)
Bring your passport, ACR I-Card if applicable, local address or contact details, bank documents, and any notarized or apostilled authority if someone else will act for you.
“The receiving account belongs to a money mule.”
Do not threaten or harass the alleged mule online. Preserve the account details and report them through the bank and law enforcement.
AFASA punishes money mule activities, including allowing a financial account to be used to receive or transfer proceeds of financial account scams. The receiving account may be frozen or subjected to holding procedures, but false or malicious reporting can also create liability. AFASA penalizes improper or malicious reporting that causes funds to be held without proper basis. (Lawphil)
“Can PDIC reimburse my hacked savings?”
Usually, no. The Philippine Deposit Insurance Corporation protects insured deposits in banks ordered closed by the Monetary Board. It does not function as insurance for ordinary hacking, theft, phishing, or unauthorized online transfers from an operating bank. PDIC materials distinguish deposit insurance for closed banks from losses caused by theft or similar events. (Philippine Deposit Insurance Corporation)
Mistakes That Can Hurt Your Case
- Waiting several days before reporting the unauthorized transaction
- Calling the bank but failing to get a written case number
- Deleting phishing messages, SMS alerts, or email notices
- Continuing to use a compromised phone for banking
- Sending OTPs, passwords, full card numbers, or CVVs in complaint attachments
- Filing only with law enforcement but not with the bank’s fraud channel
- Assuming the BSP is the first step before the bank complaint
- Making exaggerated accusations not supported by evidence
- Posting full account numbers or personal data of alleged scammers online
- Ignoring requests for affidavits or documents during the temporary holding period
- Assuming PDIC will reimburse an operating-bank hacking loss
What to Write in Your Bank Complaint
A simple, effective complaint can look like this:
I am formally disputing the following transactions as unauthorized. I did not make, approve, benefit from, or authorize these transfers. I discovered the loss on [date and time] and immediately reported it through [hotline/app/branch/email]. Please block further access to my account, investigate the unauthorized transactions, initiate fund tracing and temporary holding or coordinated verification with the receiving financial institution, preserve all relevant logs, and provide a written explanation of your findings and the basis for any approval or denial of reimbursement.
Attach a table of disputed transactions:
| Date and time | Amount | Reference number | Recipient bank/e-wallet/account | Reason disputed |
|---|---|---|---|---|
| | | | | Unauthorized transfer |
| | | | | Unauthorized transfer |
Frequently Asked Questions
Will the bank return my hacked money?
It depends on the facts. The bank may reimburse if the investigation shows unauthorized access, bank system weakness, failure to follow required controls, or failure to exercise the legally required degree of diligence. The bank may deny or reduce recovery if it finds that you authorized the transfer, shared credentials, ignored clear warnings, or delayed reporting. AFASA makes bank restitution possible when the institution failed to employ adequate risk management systems or failed to exercise the highest degree of diligence. (Lawphil)
How fast should I report an unauthorized bank transaction?
Immediately. Report the same day, preferably within minutes or hours. Fast reporting improves the chance of blocking the account, stopping further transfers, and temporarily holding funds before they are withdrawn or moved to other accounts.
Should I report to the bank, BSP, NBI, or PNP first?
Report to the bank first because it controls account blocking, fund tracing, and temporary holding requests. Then escalate to the BSP if the bank does not act properly or you are not satisfied. File with NBI or PNP when there is hacking, phishing, identity theft, mule activity, or a need for criminal investigation.
Can the BSP force my bank to refund me?
The BSP provides consumer assistance, mediation, and adjudication procedures under RA 11765 and BSP Circular No. 1169. The BSP process usually starts after you have filed with the bank’s FCPAM. BSP-CAM facilitates resolution and may lead to mediation or adjudication, but you must submit complete documents and proof that you first raised the complaint with the bank.
What if I gave my OTP to a scammer?
Your case becomes more difficult, but not automatically hopeless. The bank may argue that OTP use proves authorization. You can still raise issues such as social engineering, abnormal transaction patterns, weak fraud controls, delayed blocking, inadequate warnings, unusual device enrollment, or failure to temporarily hold funds after timely reporting.
Can I recover money transferred to another bank or e-wallet?
Possibly, but speed is critical. BSP rules allow temporary holding and coordinated verification of disputed funds among financial institutions. If the recipient withdrew the money or moved it through several accounts, recovery becomes much harder and may require law enforcement involvement.
Is a police report required before the bank acts?
Not always for the initial report. You should notify the bank immediately even before you have a police report. However, a police report, NBI complaint, PNP report, sworn complaint, or affidavit may be needed for extended holding, deeper investigation, or later proceedings. BSP Circular No. 1215 recognizes supporting documents such as a sworn complaint, affidavit, police report, or other evidence for extended holding procedures.
Can an OFW file a complaint from abroad?
Yes. An OFW can report through the bank’s official hotline, app, email, or online channels. If the bank or agency requires sworn documents, the OFW may need consular notarization, apostille, or a Special Power of Attorney for a representative in the Philippines.
Can foreigners complain about a hacked Philippine bank account?
Yes. A foreigner with a Philippine bank account may file a complaint with the bank, escalate to the BSP if the institution is BSP-supervised, and report cybercrime where Philippine jurisdiction exists. Bring passport details, account documents, local contact information, and properly authenticated authority if a representative will act on your behalf.
Is my hacked account covered by PDIC insurance?
Usually not. PDIC insurance applies to insured deposits in banks ordered closed by the Monetary Board, subject to PDIC rules and limits. It is not a general insurance policy for phishing, hacking, unauthorized transfers, or scams involving an operating bank. (Philippine Deposit Insurance Corporation)
Key Takeaways
- Report the hacked account to the bank immediately and get a written case number.
- Ask the bank to block the account, trace the funds, and initiate temporary holding or coordinated verification.
- Preserve screenshots, SMS alerts, emails, transaction references, call logs, phishing links, and bank complaint records.
- BSP escalation usually comes after you first file with the bank’s consumer assistance or FCPAM channel.
- AFASA, RA 10175, RA 8484, RA 11765, the Civil Code, and banking jurisprudence may all be relevant depending on the facts.
- Banks in the Philippines must exercise a high degree of diligence, but customer conduct such as sharing OTPs or delayed reporting can affect recovery.
- PDIC generally does not reimburse hacking losses from an operating bank.
- For large losses, mule accounts, identity theft, or phishing syndicates, bank reporting, BSP escalation, and cybercrime reporting should move in parallel.