If your email account was hacked and used to commit fraud, the first goal is to stop the damage, preserve proof, and make a clear record that the fraudulent messages were not sent by you. In the Philippines, this situation can involve several laws at the same time: cybercrime, estafa, identity theft, access device fraud, data privacy, and banking or e-wallet consumer protection rules. What you do in the first few hours can affect whether money can still be frozen, whether investigators can trace the login, and whether you can protect yourself if victims, banks, employers, clients, or police later ask why the fraud came from your email.

What “email account hacked and used for fraud” usually means

This situation commonly happens in one of these ways:

A hacker enters your Gmail, Yahoo, Outlook, company email, or business email account.
The hacker reads old messages to learn how you write, who you deal with, and what invoices or transactions are pending.
The hacker sends messages pretending to be you.
The hacker asks relatives, friends, customers, suppliers, or clients to send money.
The hacker changes bank details in an invoice.
The hacker uses your email to reset passwords for banking, e-wallet, crypto, social media, cloud storage, or marketplace accounts.
The hacker deletes sent messages or email rules to hide what happened.
Victims later blame you because the email came from your real account.

In Philippine legal practice, this is not treated as “just an email problem.” It may be evidence of a cybercrime, a fraud scheme, identity theft, or a financial account scam. The email owner may also become a witness, complainant, or sometimes a person initially questioned by investigators because the account was used as the visible tool of the crime.

The important point is this: being hacked does not automatically make you criminally liable. Criminal liability in the Philippines generally requires proof that you personally participated, intended the fraud, conspired with the scammer, knowingly benefited from it, or negligently allowed your account or financial account to be used in a way covered by law. But you still need to act quickly and document what happened.

Legal issues involved under Philippine law

Unauthorized access to your email account

Under the Cybercrime Prevention Act of 2012, Republic Act No. 10175, unauthorized access to a computer system may constitute illegal access. An email account is not just a mailbox; it is part of a computer system that stores electronic data, login records, communications, attachments, contacts, and recovery information.

If the hacker entered your account without permission, changed security settings, deleted messages, created forwarding rules, or used your account to send fraudulent emails, the incident may involve:

Illegal access
Data interference
Computer-related fraud
Computer-related identity theft
Computer-related forgery, especially where fake invoices, payment instructions, receipts, or authorizations were created or altered

RA 10175 also provides that crimes under the Revised Penal Code or special laws committed “by, through and with the use of” information and communications technology may be covered by the cybercrime law, with the penalty generally one degree higher.

Estafa or swindling through email

If someone was deceived into sending money because of the hacked email, the underlying fraud may be estafa under Article 315 of the Revised Penal Code.

Estafa usually involves:

deceit or fraudulent representation;
damage or prejudice to another person; and
a causal connection between the deceit and the loss.

For example, if a hacker used your email to tell a customer, “Please pay this new bank account instead,” and the customer sent ₱250,000 to the scammer, that may be prosecuted as estafa, with the email hack treated as the method or instrument of the fraud.

Identity theft and impersonation

If the hacker pretended to be you, used your name, signature block, personal details, business identity, or client relationship, the act may also fall under computer-related identity theft under RA 10175.

The Supreme Court in Disini v. Secretary of Justice, G.R. No. 203335, upheld the validity of penalizing computer-related identity theft while striking down certain unconstitutional portions of the cybercrime law, such as warrantless real-time traffic data collection and the DOJ “take-down” power. This matters because investigators must follow proper cybercrime warrant procedures and cannot simply demand private data without legal process.

Financial account scamming, phishing, and money mule issues

The Anti-Financial Account Scamming Act, Republic Act No. 12010, also known as AFASA, is now important in email fraud cases involving banks, e-wallets, payment accounts, credit cards, or other financial accounts.

AFASA covers, among others:

social engineering schemes, where a person obtains sensitive identifying information through deception or fraud;
use of electronic communications, including email, to obtain login credentials or financial account details;
money muling, such as allowing, selling, lending, buying, renting, or using financial accounts to receive or transfer criminal proceeds;
temporary holding of disputed funds by financial institutions, subject to legal rules and BSP regulations.

This is especially relevant if the hacker used your email to obtain OTPs, passwords, card details, GCash or Maya credentials, online banking access, or new payee instructions.

Access device fraud

The Access Devices Regulation Act of 1998, RA 8484, as amended by RA 11449, may apply where the hacked email was used to steal or misuse credit card numbers, account numbers, PINs, access codes, online banking credentials, or similar account access tools.

An “access device” is broad. It can include a card, account number, PIN, code, or other means of account access that can be used to obtain money, goods, services, or transfer funds.

Data privacy concerns

The Data Privacy Act of 2012, RA 10173, may apply if the hacked email contained personal information, sensitive personal information, IDs, tax numbers, bank records, medical records, employment files, client lists, school records, or customer data.

For ordinary personal email accounts, the National Privacy Commission is usually more relevant if personal data was misused, exposed, or if a company, employer, school, clinic, bank, or online platform failed to protect or properly handle your personal data.

For businesses and organizations, a hacked company email may trigger breach-management obligations. The National Privacy Commission breach reporting guidance explains that mandatory breach notification may be required when sensitive personal information or data that can enable identity fraud was accessed by an unauthorized person and is likely to cause serious harm.

Electronic evidence

Emails, logs, screenshots, headers, attachments, cloud records, IP addresses, login alerts, and transaction receipts can be used as evidence if properly preserved and authenticated.

The Electronic Commerce Act of 2000, RA 8792, recognizes electronic documents and data messages. The Supreme Court’s Rules on Electronic Evidence, A.M. No. 01-7-01-SC, provide rules on admissibility and authentication of electronic documents.

In practical terms, this means screenshots help, but they are usually not enough by themselves. Investigators and courts may need the original email, full headers, account activity logs, device records, transaction references, and testimony from someone with personal knowledge.

What to do immediately if your email was hacked and used for fraud

1. Regain control of the account

Start with account recovery through the email provider. Use the official recovery page only. Do not click “recovery” links sent by strangers.

Once you regain access:

Change the password to a long, unique password.
Turn on two-factor authentication or multi-factor authentication.
Sign out of all sessions on other devices.
Remove unknown recovery emails, recovery phone numbers, authenticator apps, passkeys, or backup codes.
Check forwarding rules and filters.
Check delegated access or connected apps.
Check recently deleted messages, sent items, archive, trash, spam, and drafts.
Check whether the hacker created auto-replies, labels, or hidden filters.
Save login activity showing unfamiliar devices, IP addresses, dates, or locations.

Do not simply delete everything suspicious. Deleting may make you feel safer, but it can destroy useful evidence.

2. Warn likely recipients

Send a short warning from a secured channel. If the hacker may still control your email, use another verified method such as SMS, phone call, Messenger, WhatsApp, Viber, LinkedIn, company announcement, or a new secured email.

A practical warning can say:

My email account was compromised. Please ignore any recent request from this address asking for money, new payment details, gift cards, bank transfers, OTPs, passwords, or confidential documents. Verify any transaction with me by phone before acting.

For business email compromise, call affected clients, suppliers, or accounting contacts directly. Fraudsters often rely on people being too embarrassed or too busy to verify payment changes.

3. Contact your bank, e-wallet, and payment providers

If money was sent or a financial account may be affected, report it immediately to the bank, e-wallet, remittance company, payment gateway, or credit card issuer.

Ask them to:

block or freeze suspicious transactions if still possible;
flag the receiving account;
preserve records;
issue a reference number;
provide the fraud report procedure;
coordinate with the receiving financial institution;
advise whether AFASA temporary holding procedures may apply.

Under RA 12010, financial institutions may temporarily hold funds subject of a disputed transaction for a period prescribed by BSP rules, generally not exceeding 30 calendar days unless extended by court. Time matters because funds can be quickly withdrawn, split, converted, or transferred through money mule accounts.

For unresolved complaints against banks, e-money issuers, and other BSP-supervised institutions, the BSP Consumer Assistance Mechanism allows escalation after first reporting to the institution’s customer assistance channel.

4. Preserve digital evidence properly

Create a folder for evidence. Save copies in at least two secure locations.

Preserve:

Evidence	Why it matters
Full fraudulent email	Shows sender, recipient, content, date, and attachments
Full email headers	May show routing information and technical traces
Login activity	May show unauthorized access from unfamiliar devices or locations
Password reset notices	Shows how the hacker entered or tried to maintain control
Forwarding/filter rules	Shows concealment or ongoing interception
Screenshots of messages	Useful for quick review, but not a substitute for original data
Bank/e-wallet receipts	Shows amount, account, date, and reference number
Chat messages with victims	Shows how fraud was discovered
Provider alerts	Shows suspicious login or account changes
Your warning notices	Shows you acted promptly after discovery
Police/NBI/CICC/BSP/NPC reference numbers	Shows you reported the incident

When possible, download the original email in .eml or .msg format. Screenshots should include the device date/time and visible sender details, but do not crop important portions.

5. File an incident report with cybercrime authorities

You may report to:

the NBI Cybercrime Division or a Regional Cybercrime Center;
the PNP Anti-Cybercrime Group or its regional cybercrime unit;
the Cybercrime Investigation and Coordinating Center (CICC), especially for scam reporting and coordination;
the DOJ Office of Cybercrime, particularly for coordination, policy, cybercrime referrals, and cross-border issues.

The NBI Citizen’s Charter for investigative assistance to victims of computer crimes refers to filing a complaint form, executing sworn statements or submitting prepared affidavits, and submitting supporting documents for evaluation by investigators.

A barangay blotter or police blotter can help create an initial record, but it is usually not enough to start a serious cybercrime investigation. For tracing, subpoenas, warrants, preservation requests, or prosecutor action, you generally need a formal complaint supported by evidence and sworn statements.

6. Prepare an affidavit or sworn statement

For a formal complaint, investigators often require a sworn statement or affidavit. It should be factual and chronological.

Include:

Your full name, address, contact details, and ID information.
The email account involved.
When you last had normal access.
When you discovered the hack.
What unusual activity you found.
What fraudulent emails were sent.
Who received the emails.
Whether money or information was lost.
What steps you took to secure the account.
What documents you are attaching.
A clear statement that you did not authorize the access, messages, transactions, or payment instructions.

If you are abroad, Philippine authorities may require your affidavit to be notarized, consularized, or apostilled depending on where it will be used and the specific office handling the complaint. Philippine embassies and consulates may notarize certain documents for use in the Philippines. In countries that are parties to the Apostille Convention, an apostille may be used for public documents, but investigators or prosecutors may still ask for specific formatting or additional identification.

7. Ask for preservation of computer data

Under RA 10175 and the Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC, law enforcement can pursue preservation and disclosure of computer data through proper legal processes.

This is important because email providers, internet service providers, banks, e-wallets, and platforms do not keep all logs forever. Some records may be overwritten or become difficult to retrieve.

The Rule on Cybercrime Warrants provides for mechanisms such as:

preservation of computer data;
warrant to disclose computer data;
warrant to intercept computer data;
warrant to search, seize, and examine computer data.

Ordinary complainants do not personally issue these warrants. You provide facts and evidence so investigators and prosecutors can determine what legal process is needed.

Where to report depending on what happened

Situation	Report to	Practical notes
Email was hacked, but no money lost yet	Email provider, CICC, PNP-ACG or NBI Cybercrime	Preserve logs quickly; warn contacts
Money was sent to a bank or e-wallet	Bank/e-wallet first, then CICC, PNP-ACG or NBI	Ask for immediate transaction hold or fraud flag
Your clients received fake invoices	Bank/e-wallet, NBI/PNP cybercrime, affected clients	Business email compromise cases need fast coordination
Personal data or IDs were exposed	NPC, NBI/PNP if criminal misuse occurred	NPC focuses on data privacy violations and breaches
You are being accused because the fraud came from your email	NBI/PNP cybercrime, your bank, employer/client if relevant	Preserve proof that access was unauthorized
The hacker is abroad or platform is foreign	NBI/PNP, DOJ Office of Cybercrime	Cross-border requests take longer and need formal process
Your company email was compromised	Company IT/security, DPO, management, affected clients, authorities	May involve breach notification and corporate controls

Can you be liable if your hacked email was used to scam someone?

It depends on the evidence.

You are generally not criminally liable merely because a hacker used your account without your knowledge or consent. The prosecution must prove the elements of the offense and your participation beyond reasonable doubt.

However, legal risk can arise if evidence suggests that you:

allowed another person to use your email or financial account;
knowingly lent your account to receive or transfer funds;
benefited from the proceeds;
ignored repeated warnings while the fraud continued;
deleted evidence after learning of the investigation;
gave false statements to investigators;
used weak or shared company credentials in violation of clear duties and caused foreseeable damage;
participated in a fake invoice, investment, loan, or remittance scheme.

Civil liability is different from criminal liability. Under Civil Code principles such as Article 19, Article 20, Article 21, and Article 2176, a person may be made to answer for damages in proper cases involving bad faith, abuse of rights, violation of law, or negligence. For example, a business that failed to act after being repeatedly warned that its email was compromised may face civil claims from a client who paid a fraudulent account. But negligence must still be proven; it is not presumed simply because a hack occurred.

What victims of the fraudulent email should do

If you received the fraudulent email and sent money, act immediately.

Call your bank or e-wallet provider.
Report the transaction as fraudulent.
Ask whether the receiving account can be frozen or flagged.
Save the fraudulent email with full headers.
Save all payment receipts and reference numbers.
Contact the supposed sender through a different channel to verify the compromise.
File a report with CICC, NBI Cybercrime, or PNP-ACG.
Prepare an affidavit-complaint if you intend to pursue a criminal case.
Do not negotiate privately with people claiming they can “recover” funds for a fee.
Do not send more money to “unlock,” “verify,” or “refund” the transaction.

Many scams include a second fraud: someone contacts the victim pretending to be a recovery agent, hacker, bank insider, police officer, or lawyer who can retrieve the money for an upfront fee. Treat that as a separate red flag.

Common real-life scenarios in the Philippines

Fake emergency money request to relatives

A hacker sends messages such as:

“Nasa meeting ako. Pahiram muna ₱20,000. I’ll pay later.”

This often targets relatives, churchmates, classmates, or coworkers. Even small amounts matter because the same message may be sent to many contacts.

Fake supplier bank details

A hacked business email sends:

“Please deposit to our new account. Our old BDO/BPI/Metrobank account is under audit.”

This is common in business email compromise. The victim believes they are paying a real supplier. The fraud may only be discovered when the real supplier follows up on unpaid invoices.

Fake job, visa, or immigration processing

The hacker uses the email account of a recruiter, agency worker, school officer, or consultant to ask for “processing fees,” “show money,” “embassy appointment fees,” or “document authentication fees.”

Foreigners and overseas Filipinos are vulnerable because they may not easily verify Philippine bank accounts, local IDs, or agency registrations.

Fake investment or crypto instructions

The hacker uses a trusted email thread to send wallet addresses, payment links, or “limited-time investment” instructions. These cases can involve cybercrime, estafa, securities violations, money laundering indicators, or financial account scamming depending on the facts.

Email used to reset other accounts

Sometimes the email account is only the entry point. Once inside, the hacker resets passwords for banking, e-wallets, social media, online stores, cloud drives, and messaging apps. This can lead to multiple reports across different platforms.

Documents usually needed for reporting

Prepare both digital and printed copies if filing in person.

Document	Notes
Government-issued ID	Passport, driver’s license, UMID, PhilID, PRC ID, etc.
Affidavit or sworn statement	State facts chronologically
Screenshots	Include dates, sender, recipient, and message content
Original emails or `.eml` / `.msg` files	Better than screenshots alone
Full email headers	Useful for technical tracing
Account login activity	From Google, Microsoft, Yahoo, or company email admin logs
Bank/e-wallet transaction receipts	Include reference numbers and receiving account details
Complaint reference numbers	From bank, e-wallet, CICC, NBI, PNP, BSP, or NPC
Proof of account ownership	Recovery notices, account settings, business registration if company email
Company authority	Board secretary certificate, SPA, or authorization letter if filing for a corporation
Client or victim statements	Useful if money was sent because of the fraudulent email

For corporations, partnerships, schools, clinics, employers, or agencies, investigators may ask who is authorized to represent the entity. Bring a secretary’s certificate, board resolution, special power of attorney, or written authorization, depending on the organization.

Timelines and practical bottlenecks

Step	Usual timeframe	Common bottleneck
Account recovery	Same day to several days	Hacker changed recovery options
Bank/e-wallet fraud report	Immediate	Funds already withdrawn or transferred
Temporary hold request	Urgent; same day is best	Delay in reporting or incomplete transaction details
NBI/PNP complaint intake	Same day to several days	Lack of affidavit, IDs, original emails, or transaction proof
Preservation/disclosure requests	Varies	Requires proper law enforcement action and legal process
Prosecutor preliminary investigation	Months, depending on docket	Respondent identity may still be unknown
Court case after filing	Often years	Cybercrime evidence, witnesses, cross-border data, court congestion

The biggest practical problem is speed. Email providers and platforms may be foreign companies. Banks may need complete transaction details. Receiving accounts may be mule accounts opened under fake, stolen, rented, or exploited identities. Investigators may need warrants or international cooperation before private subscriber data is disclosed.

What not to do

Avoid these mistakes:

Do not delete the fraudulent emails.
Do not reset everything without first saving login activity and security alerts.
Do not publicly accuse a specific person unless you have reliable evidence.
Do not send money to “recover” funds.
Do not ignore small unauthorized transactions; they may be test transfers.
Do not rely only on a barangay blotter.
Do not submit edited screenshots as your only proof.
Do not let an employee or relative file for a company without written authority.
Do not assume the bank will automatically refund the money.
Do not delay reporting because you are embarrassed.

Special notes for overseas Filipinos and foreigners

If you are outside the Philippines, you can still document the incident and coordinate with Philippine authorities, banks, and affected parties.

Practical steps:

Secure the account from where you are.
Save evidence in original digital form.
Report immediately to the Philippine bank, e-wallet, or affected institution.
Ask the victim or Philippine-based representative to file an urgent report if money is still traceable.
Prepare a sworn statement before a Philippine embassy/consulate or through a notarization/apostille process acceptable to the receiving office.
Keep timezone records clear. State dates with Philippine time if Philippine transactions are involved.
Use official government, bank, and platform channels only.

For foreigners dealing with Philippine accounts or victims, the same criminal laws may apply if the fraudulent act, damage, account, device, platform use, or victim connection has a Philippine element. RA 12010 also recognizes jurisdiction where elements were committed in the Philippines, where a relevant device or infrastructure is situated in the country, where damage was caused to a person in the Philippines, or where the financial account is maintained with an institution operating in the Philippines.

Helpful official references

Frequently Asked Questions

Am I criminally liable if my hacked email was used to scam someone?

Not automatically. Criminal liability requires proof of participation, intent, conspiracy, or another legally punishable act. If your account was accessed without your knowledge and you promptly reported and preserved evidence, that helps show you were a victim rather than a participant.

Should I file with the NBI or PNP Anti-Cybercrime Group?

Either may receive cybercrime complaints. The NBI Cybercrime Division and PNP Anti-Cybercrime Group both handle cybercrime investigations. Choose the office that is accessible and appropriate to the urgency. If funds were recently transferred, report to the bank or e-wallet first, then coordinate with cybercrime authorities.

Is a barangay blotter enough?

Usually, no. A barangay or police blotter may help record that you reported the incident, but a serious cybercrime or fraud case usually requires a formal complaint, sworn statement, evidence, and investigation by the proper law enforcement unit.

Can the bank or e-wallet reverse the transaction?

Sometimes, but not always. It depends on how fast you report, whether the funds are still in the receiving account, whether AFASA temporary holding procedures apply, and the bank or e-wallet’s verification process. Report immediately and ask for a reference number.

What if the hacker deleted the sent emails?

Check trash, archive, deleted items, filters, forwarding rules, account activity, and connected devices. Recipients may still have copies. Email providers may retain some records for limited periods, but access may require proper legal process through law enforcement.

Do screenshots count as evidence?

Screenshots can help, but they are weaker than original emails, full headers, system logs, transaction records, and authenticated electronic documents. Save the original email files and metadata whenever possible.

What if the scammer is using my name but not my actual email account?

That may still be identity theft, phishing, cyber fraud, or estafa depending on the facts. Preserve the fake email, domain name, profile, phone number, payment account, and messages. Warn contacts and report the impersonation to the platform and cybercrime authorities.

Can I sue the hacker for damages?

Yes, if the hacker is identified and evidence supports the claim. A criminal case may include civil liability. Separate civil remedies may also be available under the Civil Code for damages caused by fraud, bad faith, abuse of rights, or negligence.

What if I own a business and client data was inside the hacked email?

Treat it as a security incident. Secure the account, investigate what personal data was accessed, preserve logs, notify affected clients when appropriate, and assess whether NPC breach notification is required. If the email contained IDs, bank details, credentials, health records, or other sensitive data, the risk is higher.

How fast should I report?

Immediately. For financial fraud, hours matter. For cybercrime evidence, logs and platform data may not be available forever. For data breaches involving organizations, NPC timelines may also apply depending on the facts.

Key Takeaways

A hacked email used for fraud may involve cybercrime, estafa, identity theft, financial account scamming, access device fraud, and data privacy issues.
Being hacked does not automatically make you criminally liable, but you must act quickly to prove unauthorized access and stop further damage.
Secure the account, warn contacts, report to banks or e-wallets, preserve evidence, and file with the appropriate cybercrime authorities.
Save original emails, full headers, login activity, transaction receipts, and complaint reference numbers.
For financial transactions, immediate reporting improves the chance of freezing or tracing funds.
For business emails, check whether client data, invoices, payment instructions, or personal information were exposed.
A blotter is useful as an initial record, but a formal cybercrime complaint needs sworn statements and supporting evidence.
Do not delete suspicious messages or pay supposed “recovery agents.”