What to Do If Your Email Is Hacked and Used for Scam Messages

If your email was hacked and used to send scam messages, act fast on two fronts: secure the account and create a clean record showing you were the victim, not the scammer. In the Philippines, this can involve cybercrime, identity theft, fraud, data privacy, banking, and evidence rules. The most important steps are to lock the account, warn contacts, preserve proof, report the incident to the right agencies, and document everything in case a victim, employer, bank, platform, or investigator later asks what happened.

What It Means Legally When a Hacked Email Sends Scam Messages

A hacked email incident is not just a “technical problem.” It may be a criminal act because someone accessed your account without authority, used your identity, and possibly deceived others into sending money or personal information.

Common examples include:

  • A scammer sends “I’m in an emergency, please send money” messages to your contacts.
  • Your email is used to send fake invoices, payment instructions, or bank details.
  • The hacker uses your account to reset passwords for Facebook, bank apps, e-wallets, or work systems.
  • Your email signature, company name, or personal photos are copied to make the scam look legitimate.
  • The scammer deletes sent messages so you do not immediately notice the activity.
  • Friends, clients, or relatives later accuse you because the scam came from your real email address.

In Philippine practice, the first question is usually: Was the account owner involved, negligent, or also a victim? A hacked sender is not automatically criminally liable merely because the scam message came from their email. But you should be ready to prove that the access was unauthorized and that you took reasonable steps once you discovered the incident.

Philippine Laws That May Apply

Cybercrime Prevention Act of 2012 — RA 10175

The main law is the Cybercrime Prevention Act of 2012, Republic Act No. 10175. Several provisions may apply when an email account is hacked and used for scam messages:

Act Possible legal basis Simple explanation
Logging in to your email without permission Section 4(a)(1), Illegal Access The hacker entered your account or system without authority.
Changing, deleting, or manipulating messages or account data Section 4(a)(3), Data Interference; Section 4(a)(4), System Interference The hacker altered or disrupted computer data or systems.
Using your name, email, photos, signature, or identifying details Section 4(b)(3), Computer-related Identity Theft The hacker used identifying information belonging to you without right.
Sending scam payment instructions or fake emergency requests Section 4(b)(2), Computer-related Fraud The account was used to cause damage or loss with fraudulent intent.
Defamatory scam messages sent in your name Section 4(c)(4), Cyberlibel, where applicable If the message contains defamatory statements, separate cyberlibel issues may arise.

The Supreme Court discussed the constitutionality of major portions of RA 10175 in Disini v. Secretary of Justice, G.R. No. 203335, February 18, 2014. For ordinary victims, the practical point is that cybercrime complaints are handled differently from ordinary neighborhood disputes because investigators often need account logs, IP information, device data, platform records, and digital preservation.

Revised Penal Code — Estafa and Related Offenses

If people were tricked into sending money, the scammer may also be liable for estafa under Article 315 of the Revised Penal Code. Estafa generally involves deceit or abuse of confidence that causes damage. A hacked email scam often fits the pattern of deceit: the recipient believes the email is truly from you, relies on the false message, and sends money or information.

Depending on the facts, other Revised Penal Code offenses may also be considered, such as falsification if fake documents, invoices, receipts, or authorization letters were used.

Data Privacy Act of 2012 — RA 10173

If the hacker accessed personal information in your inbox, contacts, attachments, HR files, client records, medical documents, IDs, bank details, or confidential work files, the Data Privacy Act of 2012, Republic Act No. 10173 may become relevant.

For individuals, this matters because your email account may contain personal data of other people. For businesses, professionals, schools, clinics, online sellers, employers, and associations, the incident may be a personal data breach if personal information was accessed, disclosed, or made vulnerable.

The National Privacy Commission’s breach guidance recognizes a 72-hour notification period in certain breach situations. The NPC explains its breach notification process through its Breach Reporting page. If the compromised email is used for business or organizational work, check quickly whether the incident must be assessed and reported under data privacy rules.

Electronic Commerce Act — RA 8792

The Electronic Commerce Act, Republic Act No. 8792, recognizes electronic documents and data messages. It is relevant because emails, logs, screenshots, downloaded message files, and electronic records can be used to prove what happened.

Rules on Electronic Evidence

The Supreme Court’s Rules on Electronic Evidence, A.M. No. 01-7-01-SC, matter because screenshots alone are often weak if nobody can show where they came from, when they were taken, and whether they were altered. Good evidence preservation can make the difference between a useful complaint and a vague report that investigators cannot act on.

Anti-Financial Account Scamming Act — RA 12010

If the hacked email led to bank transfers, e-wallet transfers, mule accounts, fake payment instructions, phishing, or social engineering, the Anti-Financial Account Scamming Act, Republic Act No. 12010, may also be relevant. RA 12010 covers financial account scamming and gives enforcement tools involving financial accounts, including situations where banks, e-money issuers, or payment service providers need to act on disputed transactions.

First 24 Hours: What to Do Immediately

1. Secure the email account

Start with account recovery and containment.

Do the following as soon as possible:

  1. Change your email password using a trusted device.
  2. Sign out of all sessions.
  3. Turn on two-factor authentication or multi-factor authentication.
  4. Check account recovery email addresses and phone numbers.
  5. Remove unknown recovery options, forwarding rules, filters, app passwords, and connected apps.
  6. Check “Sent,” “Trash,” “Archive,” “Rules,” “Delegates,” and “Forwarding.”
  7. Review recent login activity, IP addresses, locations, and devices.
  8. Save or screenshot suspicious login records before they disappear.
  9. Change passwords for accounts connected to that email, especially banks, e-wallets, social media, cloud storage, work tools, and online shopping accounts.
  10. Use a different device if you suspect your phone or computer has malware.

A common mistake is changing the password but ignoring forwarding rules. Many hacked email accounts remain compromised because the hacker created a hidden rule that forwards all incoming messages to another address or automatically deletes security alerts.

2. Warn your contacts clearly

Send a short warning from a secured channel. If you are not yet sure your email is safe, use SMS, phone calls, Messenger, Viber, WhatsApp, or another verified account.

A practical warning can say:

My email account was compromised. Please ignore any recent message from my email asking for money, bank transfers, gift cards, investments, password resets, documents, or urgent favors. Do not click links or send money. Please send me a screenshot and the full email header if you received anything suspicious.

Be specific. If the scammer sent payment instructions, name the false bank, e-wallet, QR code, or account number if you know it. This helps prevent further losses.

3. Preserve evidence before deleting anything

Do not immediately delete all suspicious emails. Preserve first, clean later.

Save the following:

Evidence Why it matters
Screenshots of suspicious messages Shows what recipients saw.
Full email headers May show routing, sender servers, timestamps, and technical clues.
Suspicious login alerts Helps prove unauthorized access.
Account activity logs May show unfamiliar devices, locations, or IP addresses.
Scam bank/e-wallet details Helps trace money movement.
Recipient statements Shows who received the scam and what damage occurred.
Platform/security notices Shows when you discovered and recovered the account.
Police, bank, provider, or platform reference numbers Builds a chronological record.

For email evidence, ask recipients to save the original email and the full headers. A forwarded email is useful for awareness, but it may not preserve all technical information. In Gmail, for example, a recipient can use “Show original.” In Outlook, they can view message source or message headers. The exact steps vary by platform.

4. Check if money or sensitive accounts were affected

Look beyond the email inbox. Hackers often use email access to reset other accounts.

Check:

  • Online banking and credit card accounts
  • GCash, Maya, GrabPay, PayPal, Wise, Remitly, or other payment apps
  • Shopee, Lazada, Amazon, Apple ID, Google, Microsoft, Facebook, Instagram, LinkedIn
  • Work email, company files, cloud drives, and payroll systems
  • Domain registrar and hosting accounts if you run a business
  • Cryptocurrency accounts or wallets
  • Government portals where your email is used for login

If there are unauthorized bank or e-wallet transactions, report directly to the bank or e-money issuer first. The Bangko Sentral ng Pilipinas expects consumers to first raise unresolved concerns with the financial institution’s own consumer assistance mechanism before escalation through the BSP Consumer Assistance Channels and BSP Online Buddy.

Where to Report a Hacked Email Used for Scam Messages in the Philippines

PNP Anti-Cybercrime Group or NBI Cybercrime Division

For criminal investigation, the usual agencies are:

Office When to go there
PNP Anti-Cybercrime Group For cybercrime complaints, online scams, identity theft, hacked accounts, phishing, and cyber-enabled fraud.
NBI Cybercrime Division For cybercrime complaints, digital evidence evaluation, and cases needing deeper investigation or coordination.
DOJ Office of Cybercrime For cybercrime coordination, referrals, preservation concerns, and international cooperation issues.
City or Provincial Prosecutor For formal criminal complaint proceedings and preliminary investigation when enough evidence is ready.

The Department of Justice Office of Cybercrime acts on cybercrime complaints and referrals, causes investigation and prosecution of cybercrimes, and may issue preservation orders. The DOJ also maintains a page on reporting cybercrime incidents.

The NBI’s citizen charter for investigative assistance for victims of computer crimes describes the filing of a complaint form and processing by the Cybercrime Division.

Bank, e-wallet, or payment provider

If anyone sent money because of the scam email, the victim should immediately report the transaction to the bank, e-wallet, or remittance provider.

The report should include:

  • Date and exact time of transfer
  • Amount
  • Sender and recipient account details
  • Transaction reference number
  • Screenshots of the scam email or chat
  • Police or cybercrime report reference number, if already available
  • Request for temporary hold, investigation, or reversal where available

Under RA 12010 and BSP rules, financial institutions have specific responsibilities in dealing with disputed transactions and financial account scamming. Speed matters because funds may be withdrawn or moved through mule accounts within minutes or hours.

National Privacy Commission

If personal data was exposed, especially in a work, business, school, clinic, association, or professional setting, consider whether the incident should be reported to the NPC.

Individuals may also file privacy complaints with the NPC. The NPC provides a process for filing formal complaints and states that a formal complaint generally needs a specific format, supporting evidence, and notarization.

SEC, if the hacked email promoted an investment scam

If the scam involved fake investments, trading groups, cryptocurrency “guaranteed returns,” lending schemes, or unauthorized solicitation of investments, the Securities and Exchange Commission may also be relevant. The SEC provides an online complaint and messaging portal through SEC i-Message Mo.

How to Prepare a Strong Cybercrime Complaint

A weak complaint says: “My email was hacked. Please help.”

A stronger complaint gives investigators a timeline, evidence, account details, and the specific harm.

Step-by-step complaint preparation

  1. Write a clear timeline

    Include the date and time you last accessed the account normally, when you discovered the hack, what suspicious activity you saw, when you secured the account, and who received scam messages.

  2. Identify the compromised account

    State the email address, provider, account name, recovery email or phone if relevant, and whether it was personal, business, or work-related.

  3. Describe the scam messages

    Attach screenshots or copies. Identify the words used, payment instructions, links, attachments, QR codes, or bank/e-wallet accounts.

  4. List affected recipients

    Include names and contact details of people who received the scam messages. If anyone sent money, identify them separately.

  5. Attach proof of unauthorized access

    Include security alerts, login history, unfamiliar IP addresses or devices, password reset notices, and provider recovery emails.

  6. Attach proof of recovery and mitigation

    Show when you changed passwords, enabled two-factor authentication, warned contacts, reported to the provider, and reported to banks or e-wallets.

  7. Preserve original files

    Keep original .eml files, PDFs, screenshots, and exports. Do not rely only on printed screenshots.

  8. Prepare a complaint-affidavit if needed

    For prosecutor-level filing, a complaint-affidavit is usually required. It should be signed and notarized. Witness affidavits from recipients may also be useful.

Documents commonly needed

Document or evidence Notes
Government-issued ID Bring original and photocopies.
Complaint-affidavit Often needed for formal prosecution.
Screenshots of scam emails Include visible sender, recipient, date, time, and message content.
Full email headers More valuable than screenshots alone.
Login activity records Shows unauthorized access.
Provider notices Gmail, Microsoft, Yahoo, Apple, or workplace IT alerts.
Bank/e-wallet transaction proof Needed if money was sent.
Recipient statements or affidavits Useful if contacts were deceived.
Notarized authorization or SPA Needed if someone files for you.
Company authorization Needed if filing for a business or employer.

If You Are Accused Because the Scam Came From Your Email

This is a common and stressful situation. A friend, client, employer, or buyer may say, “But the email came from your real address.”

Respond calmly and focus on proof.

Practical steps:

  1. Do not argue emotionally in chat.
  2. Explain that the account was compromised.
  3. Send your warning notice and incident timeline.
  4. Ask them to preserve the original email and full headers.
  5. Give them your police, NBI, PNP ACG, bank, or provider reference number if available.
  6. Do not promise to reimburse unless you have decided to assume responsibility.
  7. Do not sign any admission that you sent the scam message.
  8. If they lost money, encourage immediate reporting to their bank/e-wallet and cybercrime authorities.

Under Philippine law, liability generally requires proof of participation, fault, negligence, or legal responsibility. If you were genuinely hacked, did not benefit from the scam, and acted promptly, those facts matter. However, if a business account was poorly secured, shared by multiple staff, or ignored repeated security warnings, civil or contractual issues may still arise depending on the relationship and evidence.

Special Issues for Businesses, Professionals, and Employers

A hacked personal email is serious. A hacked business or work email can be more complicated because it may involve clients, employees, suppliers, confidential records, payment instructions, and regulatory duties.

Common business scenarios include:

  • Fake supplier bank account change notices
  • Business Email Compromise involving invoices
  • Payroll diversion emails
  • Fake HR requests for employee data
  • Client documents accessed through email
  • Law office, clinic, accounting, or real estate files exposed
  • Unauthorized email blasts to customer lists

If the compromised account belongs to a company, school, clinic, law office, accounting office, online shop, or other organization, the response should include:

  • Internal incident report
  • IT forensic review
  • Password reset for all affected accounts
  • Review of forwarding rules and admin logs
  • Notice to affected clients, employees, suppliers, or users where appropriate
  • Assessment under the Data Privacy Act
  • Possible NPC breach notification
  • Bank alerts for payment instruction scams
  • Preservation of audit logs

For companies, the real risk is often not only the first scam email. It is the hidden access that allows the attacker to read months of invoices, customer data, legal documents, contracts, and internal approvals.

Special Issues for OFWs, Filipinos Abroad, and Foreigners

If you are abroad and the hacked email affected people in the Philippines, you can still begin mitigation immediately.

Practical options include:

  • Report to the email provider and preserve account recovery records.
  • Ask Philippine-based recipients to preserve original emails and headers.
  • Report unauthorized financial transactions to the relevant Philippine bank or e-wallet.
  • Authorize a trusted representative in the Philippines through a Special Power of Attorney if in-person filing is needed.
  • For affidavits executed abroad, check whether the document should be acknowledged before a Philippine Embassy or Consulate, or apostilled if executed in a Hague Apostille Convention country.
  • If the suspect, platform, or server is abroad, the DOJ Office of Cybercrime may become relevant because it is the central authority for international cooperation in cybercrime matters.

Foreigners in the Philippines should bring passport copies, visa/ACR information if applicable, local address details, and proof of relationship to the compromised account or affected transaction.

Timelines and Practical Bottlenecks

Step Typical timing Common bottleneck
Account recovery Same day to several days Recovery email or phone was changed by hacker.
Warning contacts Same day You may not know all recipients because messages were deleted.
Bank/e-wallet dispute Immediately Funds may already be withdrawn or transferred.
PNP/NBI initial report Same day to several weeks depending on office and completeness Incomplete screenshots, no headers, no transaction details.
Provider preservation or disclosure Time-sensitive Platforms may not release data without proper legal process.
Prosecutor complaint Weeks to months Need notarized affidavits and enough evidence identifying suspects.
Court process Months to years Cybercrime cases often require technical evidence and witness availability.

The biggest practical problem is delay. Email providers, banks, and platforms may retain useful logs only for limited periods. Law enforcement may need preservation and disclosure mechanisms before data disappears.

How Cybercrime Evidence Is Legally Obtained

Victims often ask: “Can the police just ask Google, Yahoo, Microsoft, Facebook, or the telco who did this?”

Usually, it is not that simple.

The Supreme Court’s Rule on Cybercrime Warrants, A.M. No. 17-11-03-SC, provides procedures for cybercrime warrants involving preservation, disclosure, interception, search, seizure, examination, custody, and destruction of computer data.

This matters because investigators may need court authority to obtain:

  • Subscriber information
  • Traffic data
  • Relevant account logs
  • Device or system data
  • Preserved content
  • Records from service providers

For persons or service providers outside the Philippines, the process may need to go through proper international cooperation channels. This is why early reporting and accurate evidence are important.

Common Mistakes to Avoid

Deleting the evidence too early

Delete malware and revoke access, but preserve copies of suspicious messages, logs, and security alerts first.

Only taking cropped screenshots

A cropped image that shows only the message text may not prove sender, recipient, date, time, URL, account, or context. Take full screenshots and preserve original emails.

Warning contacts too vaguely

“Don’t mind my email” is not enough. Tell them not to send money, click links, open attachments, share OTPs, or follow payment instructions.

Using the compromised email to communicate before it is secured

If the hacker still has access, they may read your warnings, delete messages, or impersonate you again.

Ignoring connected accounts

Email is often the master key. Once compromised, the hacker may access cloud files, bank alerts, social media, shopping accounts, or work systems.

Paying “account recovery experts”

Many so-called recovery services on social media are scams. They may ask for payment, IDs, OTPs, or remote access and make the situation worse.

Posting too much publicly

It is fine to warn people, but avoid publishing your full email headers, IDs, phone numbers, bank details, or security screenshots publicly. Share sensitive evidence with investigators, banks, platforms, or affected parties through safer channels.

Frequently Asked Questions

Can I be arrested if my hacked email was used for scams?

Not automatically. Investigators must look at evidence of who accessed the account, who benefited, who controlled the destination accounts, and whether you participated. Still, you should report promptly, preserve proof of hacking, and document your mitigation steps.

What case can I file if my email was hacked in the Philippines?

Possible complaints may include illegal access, computer-related identity theft, computer-related fraud, and other cybercrime offenses under RA 10175. If money was taken, estafa under Article 315 of the Revised Penal Code and financial account scamming issues under RA 12010 may also be considered.

Should I report to the barangay first?

For hacked email and online scam incidents, the barangay is usually not the proper main forum, especially if the suspect is unknown, outside the barangay, or the case involves cybercrime evidence. Go to PNP ACG, NBI Cybercrime Division, the bank/e-wallet, or the proper prosecutor’s office depending on the facts.

What if someone sent money because they believed the scam email came from me?

Tell them immediately that the email was unauthorized, ask them to report the transaction to their bank or e-wallet, and ask them to preserve the original email and full headers. Provide your incident report reference number if you have one. Do not admit that you sent the message if you did not.

Are screenshots enough to file a cybercrime complaint?

Screenshots help, but they are often not enough by themselves. Better evidence includes full email headers, original email files, login logs, provider security alerts, transaction receipts, recipient statements, and account recovery records.

Do I need a notarized affidavit?

For an initial report, some agencies may receive basic information first. For a formal criminal complaint or prosecutor filing, a notarized complaint-affidavit and supporting affidavits are commonly required.

What if the hacked email is a company email?

Treat it as a security incident and possible data breach. Preserve admin logs, check forwarding rules, notify affected clients or suppliers where appropriate, assess Data Privacy Act obligations, and consider whether the NPC must be notified.

Can the email provider reveal who hacked me?

Providers usually do not release detailed subscriber, login, or content data to private individuals just because they ask. Law enforcement may need preservation requests, cybercrime warrants, or international cooperation procedures depending on the provider and location of the data.

Should I close the hacked email account?

Not immediately if it contains evidence. First secure it, export or preserve relevant records, check connected accounts, and document what happened. Closing the account too early may make it harder to retrieve logs, messages, and proof.

What if I am outside the Philippines?

You can start with account recovery, provider reports, bank/e-wallet reports, and evidence preservation. If Philippine filing is needed, you may authorize a representative through a properly executed Special Power of Attorney. Documents signed abroad may need consular acknowledgment or apostille, depending on the country.

Key Takeaways

  • Secure the email account first: change password, sign out all sessions, enable two-factor authentication, and remove suspicious forwarding rules.
  • Warn contacts immediately so they do not send money, click links, open attachments, or share OTPs.
  • Preserve evidence before deleting anything, especially full email headers, login logs, security alerts, and transaction details.
  • Report to the right office: PNP ACG or NBI for cybercrime, banks/e-wallets for financial transactions, NPC for data privacy issues, and SEC for investment scams.
  • A hacked sender is not automatically the scammer, but prompt reporting and good documentation help prove you were a victim.
  • Businesses should treat hacked email as a possible data breach, not merely a password problem.
  • Act quickly because platform logs, bank trails, and useful technical evidence may disappear or become harder to obtain over time.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login