What to Do If Your Facebook Account Is Hacked or Used for Identity Theft

Discovering that someone has taken over your Facebook account—or created a fake account using your name and photos—can be frightening. The person may be messaging your relatives for money, posting damaging statements, accessing private conversations, or using your identity to commit fraud. The most important steps are to secure your email and devices, preserve evidence, recover or report the account, warn possible victims, and promptly report serious incidents to the proper Philippine authorities.

Was Your Facebook Account Hacked, Cloned, or Used for Identity Theft?

These situations are related but legally different:

Situation What happened Typical example
Hacked account Someone accessed your real Facebook account without permission Your password, email address, or profile details were changed
Cloned or impersonating account Someone created a separate fake profile using your name, photos, or personal details A new account messages your friends asking for emergency money
Identity theft Someone intentionally acquired, used, possessed, altered, or transferred your identifying information without right The offender uses your identity to obtain money, deceive others, or damage your reputation
Account fraud Your account or identity was used to deceive someone into transferring money or property Your relative sends money to a bank or e-wallet account supplied by the hacker

A cloned account does not necessarily mean your original account was accessed. The offender may simply have copied publicly available photographs and information. However, using those details to impersonate you may still constitute computer-related identity theft under the Cybercrime Prevention Act. (Lawphil)

What to Do Immediately After Your Facebook Account Is Hacked

1. Secure your email account first

Your email account is usually the key to recovering Facebook and other online accounts. Before changing your Facebook password:

  1. Change your email password using a trusted device.
  2. Sign out all unknown email sessions.
  3. Remove unfamiliar recovery email addresses and phone numbers.
  4. Check whether the hacker created an email-forwarding rule.
  5. Enable two-factor authentication.
  6. Review recent security alerts and login activity.

Use a password that you have never used on Facebook, email, online banking, shopping platforms, or other websites.

If your mobile number suddenly stopped receiving calls or text messages, contact your telecommunications provider immediately. The attacker may have attempted a SIM-related takeover.

2. Preserve evidence before posts or messages disappear

Do not focus only on recovering the account. Evidence may be deleted as soon as the hacker realizes you have regained access.

Save the following:

  • Screenshots of the profile, posts, stories, advertisements, and messages
  • The complete Facebook profile URL, not merely the displayed name
  • Dates and approximate times of unauthorized logins or changes
  • Facebook security emails showing password, email, or phone-number changes
  • Messages sent to your relatives, customers, or coworkers
  • Bank account numbers, e-wallet numbers, QR codes, phone numbers, and payment links supplied by the offender
  • Transaction receipts and reference numbers
  • Names and contact details of people who received fraudulent messages
  • Screenshots showing your original profile and the impersonating profile side by side

Whenever possible, capture the entire screen, including the browser address bar and the device’s date and time. Keep the original files. Do not crop, annotate, enhance, or repeatedly resave your only copy.

Ask recipients of fraudulent messages to preserve their own copies. Their screenshots and sworn statements may be stronger evidence than a screenshot forwarded to you.

3. Use Facebook’s official account-recovery process

Go to the official Facebook hacked-account recovery page, preferably using a phone, computer, browser, and internet connection that you previously used to access the account. Facebook specifically recommends using a familiar device when attempting recovery. (Facebook)

Follow the prompts to:

  1. Identify your account.
  2. Report that it was compromised.
  3. Reset the password.
  4. Review recent profile changes.
  5. Remove unfamiliar email addresses and phone numbers.
  6. Log out unknown devices.

Do not pay anyone who claims to have an “inside contact” at Facebook. Account-recovery scams commonly target people who have publicly posted that they were hacked.

4. Review everything the attacker could have changed

After recovering the account, check:

  • Password and security: Remove unfamiliar sessions and devices.
  • Contact information: Delete unknown email addresses and phone numbers.
  • Two-factor authentication: Replace any authentication method added by the attacker.
  • Connected applications: Remove unfamiliar apps, websites, and browser extensions.
  • Facebook Pages: Check whether new administrators were added or legitimate administrators removed.
  • Advertising accounts: Look for unauthorized campaigns, spending limits, and saved payment methods.
  • Meta Pay or payment settings: Remove unauthorized cards or accounts.
  • Messenger: Check archived chats, deleted conversations, and messages sent while the account was compromised.
  • Blocked list: Hackers sometimes block close relatives so they cannot warn the victim.
  • Name, username, birthday, and profile URL: Confirm that they were not changed.

Also scan your device for malware and remove suspicious applications. Changing passwords on an infected device may simply give the attacker the new password.

5. Report a cloned or impersonating account

If the offender created a separate fake profile, use Facebook’s reporting tools. You may report an impersonating profile even when you cannot access your own Facebook account. The official Facebook impersonation-reporting guidance explains the available reporting options. (Facebook)

Ask several trusted contacts to report the fake profile independently. Tell them to select the option indicating that the account is pretending to be you or someone they know.

Before encouraging reports, preserve the profile URL, screenshots, messages, and other evidence. A successful takedown protects people, but it can also make evidence harder to retrieve later.

6. Warn your contacts through a different verified channel

Use your phone, email, another social-media account, or a trusted relative’s account to announce that your Facebook account was compromised.

State clearly that:

  • You are not requesting money.
  • People should not click links or send one-time passwords.
  • Any payment request must be verified through a known phone number.
  • Anyone who already paid should contact the bank or e-wallet provider immediately.

Avoid posting unnecessary technical details that could help the offender bypass your recovery efforts.

7. Contact banks and e-wallet providers immediately if money is involved

If the hacker accessed your financial account or convinced someone to transfer money:

  1. Call the bank or e-wallet provider using its official hotline.
  2. Request an immediate fraud hold, account restriction, or transfer-recall attempt.
  3. Obtain a complaint or ticket reference number.
  4. Identify the destination account, transfer time, amount, and transaction reference.
  5. Request preservation of transaction and subscriber records.
  6. Change banking passwords and revoke unfamiliar devices.
  7. Monitor accounts for small “test” transactions.

The Bangko Sentral ng Pilipinas advises consumers to report identity theft and related fraud immediately to the financial institution involved. A complaint should ordinarily be raised with the bank or e-wallet provider first. If the institution’s response is unresolved, the matter may be escalated through the BSP Consumer Assistance Channels and Online Buddy. (Bureau of Soils and Water Management)

Philippine Laws That May Apply

Cybercrime Prevention Act of 2012

Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, covers several acts commonly involved in Facebook hacking:

  • Illegal access: Accessing all or part of a computer system without right
  • Computer-related identity theft: Intentionally acquiring, using, misusing, possessing, altering, transferring, or deleting another person’s identifying information without right
  • Computer-related fraud: Unauthorized input, alteration, or deletion of computer data, or interference with a computer system, resulting in damage and accompanied by fraudulent intent

A mobile phone is treated as a “computer” for purposes of RA 10175. The Supreme Court has recognized that unauthorized access to a phone and interference with data stored on it may constitute cybercrime. (Lawphil)

In Disini Jr. v. Secretary of Justice, the Supreme Court substantially upheld the provisions on illegal access and computer-related identity theft. (Lawphil)

Estafa, threats, extortion, and defamatory posts

Depending on what the offender did, other offenses may also apply:

  • Estafa under Article 315 of the Revised Penal Code when deception causes someone to surrender money or property
  • Grave threats or other threats when the offender threatens violence, exposure of private information, or another criminal act
  • Robbery or extortion-related offenses when money is demanded through intimidation
  • Cyberlibel when the original author publishes a defamatory accusation through a computer system
  • Falsification or use of falsified documents when altered IDs, receipts, certificates, or electronic records are used
  • Violations of the Access Devices Regulation Act, as amended by RA 11449, when credit cards, account details, or access devices are misused

When offenses under the Revised Penal Code or another special law are committed through information and communications technology, Section 6 of RA 10175 may affect the applicable penalty. The precise charges depend on the offender’s acts, intent, evidence, and resulting damage. (Lawphil)

If financial accounts are used as mule accounts to receive or transfer scam proceeds, RA 12010, the Anti-Financial Account Scamming Act of 2024, may also become relevant. (Lawphil)

Data Privacy Act of 2012

RA 10173, the Data Privacy Act of 2012, protects personal information and penalizes certain forms of unauthorized processing, access, disclosure, and misuse. (Lawphil)

A National Privacy Commission complaint is most useful when a company, employer, online lender, school, organization, or other personal-information controller improperly collected, disclosed, retained, or failed to protect your data. It is not always the fastest or most appropriate procedure against an unidentified individual hacker. Criminal conduct should still be reported to cybercrime investigators.

The NPC requires a notarized Complaint-Assisted Form or verified complaint, supporting evidence, and witness affidavits where applicable. Its published procedure provides an initial 30-calendar-day period to determine whether to give due course to or dismiss a complaint without prejudice, while full adjudication may take approximately 10 to 12 months. (National Privacy Commission)

Civil damages for misuse of your identity

Articles 19, 20, 21, and 26 of the Civil Code may support a civil claim for damages when identity misuse, privacy invasion, humiliation, or other wrongful conduct causes injury.

Article 26 specifically requires every person to respect the dignity, personality, privacy, and peace of mind of others. It recognizes actions for damages, prevention, and other relief even when the conduct does not independently constitute a crime. (Lawphil)

Possible recoverable damages may include proven financial losses, moral damages in legally justified cases, litigation expenses, and other relief supported by the evidence. Recovery is not automatic. The victim must establish the wrongful act, the defendant’s responsibility, the resulting injury, and the legal basis for the damages claimed.

How to File a Cybercrime Complaint in the Philippines

1. Prepare an incident folder

Organize your documents before approaching investigators:

Document or evidence Why it matters
Government-issued ID Establishes your identity
Sworn chronological narrative Explains what happened, when, and how you discovered it
Profile URLs and usernames Helps identify the accounts involved
Original screenshots and files Preserves posts, messages, payment instructions, and security alerts
Bank or e-wallet records Establishes financial loss and destination accounts
Witness details Identifies people who received messages or sent money
Proof that the identity belongs to you Shows legitimate ownership of the name, photos, Page, or business
Facebook recovery correspondence Documents unauthorized changes and recovery attempts
Police report from another country, if applicable Helps document an incident discovered or committed abroad

Create a simple timeline listing every significant event. Include Philippine time and the local time where you were located, especially if you live overseas.

2. Report the incident to cybercrime authorities

Serious hacking, identity theft, financial fraud, threats, or repeated impersonation may be reported to:

  • The PNP Anti-Cybercrime Group or the appropriate Regional Anti-Cybercrime Unit
  • The NBI Cybercrime Division or a Regional Cybercrime Center
  • The Cybercrime Investigation and Coordinating Center, including the national anti-scam hotline 1326
  • The local police, particularly when immediate threats, extortion, or physical danger are involved

The DICT continues to identify 1326 as a national channel for scam and cybercrime reports. Reports may also be sent through official DICT channels, including the contact information on the DICT website. (Dictionary)

The NBI’s published procedure requires the complainant to complete a complaint sheet, undergo an interview, provide sworn statements and supporting documents, and allow examination of relevant devices when necessary. The stated frontline intake process is free and may be completed in approximately one hour and ten minutes, but the actual investigation can take substantially longer. (National Bureau of Investigation)

3. Ask about immediate data preservation

Cybercrime evidence can disappear quickly. Tell the investigator if:

  • The account is still active.
  • Messages are being deleted.
  • The offender is changing usernames.
  • Money is still moving through financial accounts.
  • You know the destination bank, e-wallet, email address, telephone number, or IP-related information.

Section 13 of RA 10175 provides for preservation of certain computer data for minimum periods, while disclosure or examination generally requires lawful process and, where required, a court-issued cybercrime warrant. Prompt reporting gives investigators a better chance of sending preservation requests before relevant records are lost. (Lawphil)

A preservation request does not automatically give the victim or investigator access to the data. It is intended to prevent deletion while the necessary legal authority is obtained.

4. Execute a sworn complaint or affidavit

Investigators may ask you and your witnesses to execute sworn statements. A useful affidavit should identify:

  1. Who you are and how you own or control the account.
  2. When you last had legitimate access.
  3. How you discovered the unauthorized access or fake profile.
  4. What the offender changed, posted, or communicated.
  5. Who received fraudulent messages.
  6. Whether money, property, reputation, privacy, or safety was affected.
  7. What recovery and reporting steps you took.
  8. What evidence is attached.

Avoid speculation. Distinguish clearly between facts you personally observed and information reported by another person.

5. Understand that a police blotter is not the whole case

A police blotter records that you reported an incident. It may be useful for banks, employers, insurance claims, and account-recovery requests, but it does not by itself complete a criminal complaint.

A criminal case normally requires investigation, identification of the responsible person, sworn evidence, and evaluation by the prosecutor. Cybercrime cases involving unknown offenders often require court-authorized disclosure of subscriber, traffic, device, or financial-account information.

6. Barangay conciliation is generally not required for the core cybercrime charge

The Katarungang Pambarangay system does not cover offenses punishable by imprisonment exceeding one year or a fine exceeding ₱5,000. Because the principal offenses under RA 10175 carry penalties beyond that threshold, a victim generally does not need a barangay Certificate to File Action before reporting computer-related identity theft or illegal access. (Lawphil)

A separate minor dispute between residents of the same city or municipality may be treated differently, depending on the exact offense and circumstances.

Common Problems That Delay Facebook Hacking Cases

The victim waited until the account disappeared

Reporting months later may make platform, telecommunications, or financial records harder to obtain. Report promptly even if you do not yet know the hacker’s identity.

The screenshots do not show the account URL

Several Facebook accounts may use the same name and photo. Investigators need the profile link, username, message details, and other identifiers—not just a displayed name.

The victim publicly accused a suspected person without proof

Do not post that a particular person is the hacker unless reliable evidence supports the accusation. A false public accusation can create a separate defamation dispute and may alert the actual offender.

Give your suspicions and supporting facts privately to investigators.

Money was sent to an account belonging to a “mule”

The person whose bank or e-wallet account received the money may not be the person who hacked Facebook. Scam proceeds are often transferred through several accounts. Preserve the complete transaction trail and allow investigators to determine each participant’s role.

The victim deleted messages after recovering the account

Removing malicious content may be necessary to protect others, but preserve complete copies first. Record the URL, date, time, sender, recipient, and surrounding conversation.

The victim paid an unofficial recovery service

Only use Facebook’s official recovery process. Never give a supposed recovery agent your password, one-time password, authentication code, backup code, identification document, or remote access to your device.

What If You Are an OFW or Foreigner Outside the Philippines?

You may begin by preserving evidence, using Facebook’s recovery tools, reporting fraudulent transfers, and contacting Philippine cybercrime authorities remotely. However, investigators may later require a properly sworn affidavit, clarification interview, device examination, or personal appearance.

An affidavit or Special Power of Attorney executed abroad may be:

  • Signed before a Philippine embassy or consulate; or
  • Notarized locally and apostilled when the country is a party to the Apostille Convention and the document is eligible for apostille.

Documents bearing a valid apostille generally have legal effect in the Philippines without further Philippine embassy authentication. Requirements can differ by country and by the agency receiving the document, so confirm the preferred format before sending originals. (Philippine Embassy New Delhi)

RA 10175 gives Philippine Regional Trial Courts jurisdiction in circumstances specified by the law, including violations committed by Filipino nationals regardless of where they were committed and cases with sufficient connections to the Philippines. Cross-border cases may still take longer because subscriber records, platform information, witnesses, and suspects may be located in different countries. (Supreme Court E-Library)

Frequently Asked Questions

Can I file a case even if I already recovered my Facebook account?

Yes. Recovering the account does not erase the unauthorized access, fraudulent messages, identity misuse, financial loss, or other offenses that may already have occurred. Preserve the recovery emails and login history before they become unavailable.

Is creating a fake Facebook account in my name automatically identity theft?

Not every parody, fan page, or account using a similar name automatically constitutes criminal identity theft. The context, identifying information used, lack of authority, intent, representations, and resulting damage matter. A fake account that deliberately poses as you to deceive people presents a much stronger identity-theft case.

Can the police identify a hacker using only a Facebook profile?

Sometimes, but a profile alone may not be enough. Investigators may need subscriber details, login records, device information, financial-account records, phone numbers, email addresses, and witness evidence. Access to protected data generally requires proper legal process.

Do I need to know the hacker’s real name before filing a complaint?

No. You may report an unidentified offender and provide the available account links, usernames, phone numbers, email addresses, payment details, and transaction records. Identifying the offender is part of the investigation.

Should I negotiate with the hacker to recover my account?

Avoid paying, threatening, or making promises. Preserve the conversation and follow official recovery and reporting procedures. Payment does not guarantee that the account or stolen data will be returned.

What if my friend sent money because the hacker pretended to be me?

Your friend should immediately report the transfer to the sending bank or e-wallet provider and obtain a fraud reference number. Both of you should preserve the messages. Your friend is the direct financial-loss victim, while you may separately be the victim of hacking and identity theft.

Can I recover money sent to the scammer?

Recovery is possible in some cases, especially when the receiving institution is notified before the funds are withdrawn or transferred. It is never guaranteed. Speed, transaction method, account status, and the cooperation of financial institutions are critical.

Can I sue the hacker for damages?

A civil claim may be possible under the Civil Code and applicable criminal laws. You must identify the responsible person and prove the wrongful act, damage, and connection between the two. Practical considerations include the amount lost, the available evidence, court expenses, and whether the defendant has assets from which a judgment can be collected.

How long does a Facebook hacking complaint take?

Facebook recovery may take minutes, days, or longer depending on whether the attacker changed the account’s recovery information. Law-enforcement intake may occur on the day of filing, but tracing an unknown offender, obtaining warrants, securing overseas platform records, conducting preliminary investigation, and filing a court case can take months or more. There is no single guaranteed timeline.

Key Takeaways

  • Secure your email, phone number, devices, financial accounts, and Facebook account immediately.
  • Preserve complete screenshots, profile URLs, security emails, messages, payment records, and witness information before content is deleted.
  • Use only Facebook’s official hacked-account and impersonation-reporting tools.
  • Contact the bank or e-wallet provider immediately when money or account credentials are involved.
  • Serious incidents may constitute illegal access, computer-related identity theft, fraud, estafa, threats, or other offenses under Philippine law.
  • Promptly report the incident to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, CICC hotline 1326, or other appropriate authorities so electronic and financial records can be preserved.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.