If someone used your name, ID, selfie, phone number, or contacts to open a lending app account in the Philippines, treat it as both a financial fraud problem and a data privacy/cybercrime problem. The goal is not just to stop the collectors. You also need to preserve evidence, dispute the debt in writing, report the identity theft to the proper agencies, protect your bank/e-wallet accounts, and prevent the fake loan from damaging your credit record.
What identity theft through a lending app usually looks like
In Philippine online lending cases, identity theft often happens in one of these ways:
- Someone uses your lost ID, passport, driver’s license, UMID, PhilID, or company ID to pass “Know Your Customer” or KYC checks.
- A scammer gets access to your phone, SIM, email, or e-wallet and opens a loan account.
- Your face, selfie, or video verification is copied, manipulated, or taken under false pretenses.
- A lending app accesses your contact list, gallery, SMS, or device data beyond what is necessary.
- A person you know uses your personal details and lists your relatives or friends as “references.”
- A fake or unlicensed lending app collects personal data, then uses threats, public shaming, or fake debt notices to pressure payment.
The legal issue is not simply “utang.” If you did not apply for the loan, did not receive the money, and did not consent to the transaction, the case may involve computer-related identity theft, access device fraud, data privacy violations, falsification, estafa, or unfair debt collection practices, depending on the facts.
Are you liable for a lending app loan you did not apply for?
Generally, a person should not be treated as liable for a loan they did not authorize. A loan contract requires consent. Under the Civil Code of the Philippines, contracts require consent, object, and cause. If your identity was stolen, the central issue is that your supposed consent was fake.
That does not mean you can ignore the problem. In practice, lending apps and collection agents may continue sending messages unless you create a clear paper trail showing that:
- you deny applying for the loan;
- you deny receiving the loan proceeds;
- your identity documents or personal data were misused;
- you reported the incident to the proper authorities; and
- you demanded that the lender investigate, freeze collection, stop reporting the account as yours, and preserve evidence.
If the lending company later files a collection case, your written dispute, police/NBI report, screenshots, and credit report dispute records may become important evidence.
Key Philippine laws that protect you
Data Privacy Act of 2012: your personal data cannot be used freely
The Data Privacy Act of 2012, Republic Act No. 10173, protects personal information and sensitive personal information such as names, addresses, contact numbers, government IDs, financial details, biometrics, and other identifying data.
For lending app cases, this matters because lenders and lending platforms must follow data privacy principles such as:
- transparency — you should know what data is collected and why;
- legitimate purpose — data should be used only for a lawful and declared purpose;
- proportionality — the app should not collect more data than necessary;
- security — the company must protect your data from unauthorized access or misuse.
The National Privacy Commission also issued specific rules on loan-related data processing through NPC Circular No. 20-01, as amended by NPC Circular No. 2022-02. These rules are especially relevant when a lending app accesses contact lists, uses character references improperly, or contacts people who never agreed to be guarantors.
In a 2026 joint public advisory, the DICT, NPC, and SEC reminded online lending platforms that unnecessary app permissions, excessive contact-list processing, harassment, public shaming, and contacting people other than actual guarantors for debt collection are prohibited. The advisory also says a guarantor must have separately consented to be bound as a guarantor; being named as a contact or character reference is not the same thing as guaranteeing the loan. See the official DICT-NPC-SEC advisory on online lending platforms.
Cybercrime Prevention Act: using your identity online may be a crime
The Cybercrime Prevention Act of 2012, Republic Act No. 10175, penalizes computer-related identity theft. This covers the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person without right.
In a lending app situation, this may apply when someone uses your personal information, ID, selfie, login credentials, or device-linked data to create or control an online loan account.
Access Devices Regulation Act: fraudulent access to apps, banking, cards, and accounts
The Access Devices Regulation Act of 1998, Republic Act No. 8484, as amended by Republic Act No. 11449, may apply when the fraud involves online banking, e-wallets, cards, account numbers, PINs, codes, apps, or other means of account access.
RA 11449 specifically expanded the law to cover acts such as accessing an application, online banking account, credit card account, ATM account, or debit card account in a fraudulent manner, even if no monetary loss results.
This matters if the stolen lending app identity was connected to:
- a bank account;
- e-wallet account;
- debit card;
- credit card;
- OTP;
- SIM-linked financial account;
- app login credentials; or
- payment channel used to receive or move loan proceeds.
Financial Products and Services Consumer Protection Act
The Financial Products and Services Consumer Protection Act, Republic Act No. 11765, protects consumers of financial products and services, including digital financial products. It recognizes rights such as fair treatment, disclosure and transparency, data privacy, protection against fraud and misuse, and timely handling of complaints.
For lending apps, the relevant regulator is often the Securities and Exchange Commission, because lending companies and financing companies are generally regulated by the SEC.
SEC rules on unfair debt collection
The SEC issued Memorandum Circular No. 18, series of 2019, prohibiting unfair debt collection practices by financing companies, lending companies, and their service providers.
Collectors should not use threats, insults, obscenities, violence, false representations, public shaming, or illegal pressure tactics. A collector also cannot lawfully threaten imprisonment for a mere unpaid civil debt. Article III, Section 20 of the 1987 Philippine Constitution states that no person shall be imprisoned for debt.
This protection does not excuse fraud. But if you are a victim whose identity was used without permission, the lender or collector should not treat you as a criminal just to force payment.
Civil Code remedies for abuse, privacy invasion, and damages
The Civil Code of the Philippines may also matter. Articles 19, 20, and 21 require people to act with justice, honesty, good faith, and respect for rights; a person who willfully or negligently causes damage contrary to law may be liable. Article 26 protects a person’s dignity, personality, privacy, and peace of mind.
These provisions may support claims for damages in serious cases involving public shaming, false accusations, harassment of family members, reputational injury, or misuse of personal information.
What to do immediately if your identity was stolen through a lending app
1. Secure your phone, SIM, email, e-wallets, and bank accounts
Do this first because identity theft often continues after the fake loan account is opened.
- Change passwords for your email, lending apps, e-wallets, online banking, and social media.
- Turn on two-factor authentication using an authenticator app where possible.
- Remove unknown devices from your email, Google, Apple, e-wallet, and banking accounts.
- Call your bank or e-wallet provider if loan proceeds or suspicious transfers touched your account.
- Ask your telco to check if your SIM was replaced, duplicated, or registered suspiciously.
- If your phone was stolen, request SIM blocking or replacement and report the device loss.
- Revoke unnecessary app permissions for contacts, camera, SMS, files, microphone, and location.
If your National ID, passport, driver’s license, or other government ID was used, keep a written record of when you discovered the misuse. If the physical ID was lost or stolen, report that separately to the issuing agency or appropriate authority.
2. Preserve evidence before deleting anything
Do not rely on memory. Save evidence in a way that shows dates, numbers, names, and account details.
Collect:
- screenshots of loan app messages, SMS, emails, and in-app notices;
- screenshots of threats, public posts, group chats, or messages to your contacts;
- call logs showing collector numbers and dates;
- the app name, website, package name, app store link, and company name;
- loan account number, reference number, due date, amount, interest, penalties, and disbursement details;
- the name of the lending company or financing company, if shown;
- proof that the receiving bank/e-wallet account was not yours;
- copies of IDs that may have been misused;
- proof that you were abroad, at work, hospitalized, or otherwise unable to apply, if relevant;
- affidavits or screenshots from relatives or friends who were contacted.
For important screenshots, include the full screen with the date/time if possible. Export chats instead of sending only cropped images. If a collector calls, write a short incident log immediately after the call: date, time, number, name used, exact threats, and witnesses nearby.
3. Send a written dispute to the lending app or lending company
Report the account as fraudulent in writing. Use the official email, in-app support, website complaint form, or registered business contact. Avoid relying only on phone calls.
Your message should be short but complete:
I am disputing this loan/account because I did not apply for it, did not authorize it, and did not receive the proceeds. I believe my identity and personal data were used without my consent. Please immediately freeze collection activity, stop contacting my contacts, stop reporting this as my debt, preserve all KYC documents, device logs, IP logs, disbursement records, consent records, call recordings, and collection records, and provide me the result of your fraud investigation in writing.
Ask for the following:
- copy of the loan application;
- KYC documents allegedly submitted;
- selfie/video verification records;
- IP address, device ID, phone number, email, and SIM used for registration;
- bank/e-wallet account where loan proceeds were released;
- consent logs and privacy notice accepted;
- list of third-party collectors handling the account;
- confirmation that collection and credit reporting are suspended while under fraud investigation.
Do not sign a “settlement,” “restructuring,” “promise to pay,” or “acknowledgment of debt” unless the document clearly states that you are not admitting the loan and are only resolving a disputed identity theft matter.
4. File a cybercrime report with PNP ACG or NBI Cybercrime
For identity theft, fake online accounts, unauthorized app access, e-wallet misuse, or hacking, report to:
- PNP Anti-Cybercrime Group (PNP ACG)
- NBI Cybercrime Division
The 2026 DICT-NPC-SEC advisory lists the PNP ACG email as acg@pnp.gov.ph and the NBI Cybercrime Division email as ccd@nbi.gov.ph, with other official contact channels in the advisory.
A cybercrime report usually requires:
- valid government ID;
- complaint-affidavit or written narration;
- screenshots and digital evidence;
- links, URLs, phone numbers, emails, account names, and reference numbers;
- proof of ownership of the phone number, email, bank account, or e-wallet involved;
- proof that the loan account is fraudulent;
- names or details of suspects, if known.
A police blotter is useful, but for online identity theft, a more detailed cybercrime complaint is usually stronger. In serious cases, investigators may ask for original devices, email headers, transaction records, or certifications from banks, e-wallets, telcos, or platforms.
5. File an SEC complaint if the lender is a lending or financing company
If the issue involves a lending company, financing company, or online lending platform, file with the SEC through SEC iMessage. The SEC’s 2026 advisory identifies the Financing and Lending Companies Department or FINLEND as the office for unfair debt collection complaints involving lending and financing companies.
Include:
- company name and app name;
- SEC registration or certificate of authority details, if known;
- screenshots of collection messages;
- proof that the account is disputed as identity theft;
- police/NBI report, if already available;
- names and numbers of collectors;
- explanation of any contact-list harassment or public shaming.
The SEC complaint is especially relevant for:
- harassment;
- threats;
- public shaming;
- abusive collection;
- unregistered lending operations;
- failure to investigate identity theft;
- loan app ads or disclosures that appear misleading;
- online lending platforms not properly reported or recorded.
SEC action can lead to regulatory consequences such as fines, suspension, revocation, or other sanctions, but criminal prosecution is handled through law enforcement and prosecutors.
6. File with the National Privacy Commission for misuse of personal data
If your personal data, ID, selfie, contacts, or messages were collected, shared, retained, or used without proper authority, the National Privacy Commission may be the correct agency.
The NPC’s official page on filing formal complaints says a formal complaint must be in a specific format, printed, filled out, notarized, and submitted in person, by courier, or by scanned email to the NPC.
This route is important when:
- the app accessed your contacts unnecessarily;
- collectors contacted relatives, coworkers, or friends who were not guarantors;
- your photo or personal details were posted or sent to others;
- the company refuses to correct or erase wrong data;
- the lender keeps processing your data after you disputed identity theft;
- your data was used for harassment or public shaming.
A strong NPC complaint should explain what data was used, who used it, when it happened, how it harmed you, and what action you requested from the company before going to the NPC.
7. Check and dispute your credit record
A fake loan can later appear in credit reports and affect legitimate loan, credit card, housing, business, or employment-related checks.
The Credit Information Corporation maintains credit information submitted by covered financial institutions. If you obtain a CIC credit report and see an account that is not yours, use the CIC’s Online Dispute Resolution Process. CIC states that you need your credit report’s 14-digit Transaction Reference Number, and the report should generally be not more than 30 days old from issuance.
When disputing, attach:
- the credit report page showing the suspicious account;
- identity theft complaint or blotter;
- dispute letter to the lender;
- lender’s response or failure to respond;
- proof that you did not receive the proceeds;
- proof of wrong phone, email, address, or bank/e-wallet account used.
Do not wait until a bank rejects your loan application. Credit correction is often slower than filing the initial complaint.
8. Escalate to BSP if a bank or e-wallet is involved
If the fraud involves a bank, e-wallet, remittance company, or other BSP-supervised financial institution, first report through that provider’s fraud or consumer assistance channel. If unresolved, escalate through the BSP Consumer Assistance Mechanism, including the BSP Online Buddy or BOB.
This is relevant when:
- loan proceeds were sent to a bank or e-wallet account opened using your identity;
- your e-wallet was used to receive or move funds;
- an unauthorized transfer occurred;
- a bank or e-money issuer refuses to investigate;
- your SIM, OTP, or account access was compromised.
Where to report: quick reference table
| Problem | Main office or platform | What to prepare | Practical notes |
|---|---|---|---|
| Fake loan account using your identity | Lending app/company fraud or customer support | Written dispute, ID, screenshots, account number | Demand freeze of collection and preservation of KYC/device/disbursement records |
| Abusive collection by lending app | SEC iMessage / SEC FINLEND | Screenshots, collector numbers, app/company details | Best for threats, public shaming, unfair collection, unregistered lending activity |
| Misuse of ID, contacts, selfies, personal data | National Privacy Commission | Notarized complaint form, evidence, prior demand if available | Strongest for contact-list abuse, unauthorized processing, refusal to correct/delete data |
| Online identity theft, hacking, fake account | PNP ACG or NBI Cybercrime | Complaint-affidavit, screenshots, digital identifiers, transaction records | Needed for criminal investigation and possible prosecutor action |
| Suspicious bank/e-wallet movement | Bank/e-wallet first, then BSP if unresolved | Account records, transaction IDs, fraud report | Report fast because providers may have internal fraud deadlines |
| Fake loan appearing in credit report | Credit Information Corporation ODRS | CIC credit report with TRN, dispute documents | Report should generally be recent; preserve all lender replies |
| Court summons for alleged loan | First-level court handling the case | Verified Response, affidavits, evidence | Small claims response is usually due within 10 calendar days from summons |
If collectors are harassing your family, employer, or contacts
Being in your phonebook does not make someone a guarantor. A guarantor is a person who separately and clearly agrees to answer for the loan if the borrower defaults.
If collectors message your contacts, employer, neighbors, or relatives, save screenshots showing:
- the sender’s number or account;
- the exact message;
- the date and time;
- the recipient’s name;
- whether the message includes your photo, ID, debt amount, insults, threats, or accusations.
Then send a written demand to the lender:
This account is disputed as identity theft. Your collectors are contacting persons who are not guarantors and are disclosing or using my personal data. Immediately stop all third-party contact, preserve all collection records, identify the collection agency involved, and confirm in writing that the account is under fraud investigation.
If the harassment continues, include the new evidence in your SEC and NPC complaints. If the messages contain threats of violence, extortion, sexualized insults, fake criminal accusations, or doctored images, include them in the PNP/NBI cybercrime report as well.
If the lending app is unregistered, fake, or no longer on the app store
Many victims discover that the app has disappeared, changed names, or used several brands. Still gather what you can:
- app name and screenshots;
- Google Play/App Store URL or APK source;
- website and privacy policy;
- business name shown in text messages;
- bank/e-wallet accounts used for collection;
- collector phone numbers;
- Facebook, Viber, Telegram, WhatsApp, or email accounts used;
- payment instructions sent to you.
Report the app to SEC for possible unauthorized lending activity and to PNP/NBI for cybercrime or fraud. If the app processed personal data, the NPC may still be relevant even if the operator is hard to trace.
What if you receive a demand letter or court summons?
Do not ignore a real court summons. Many lending-related collection cases are filed in first-level courts such as the Metropolitan Trial Court, Municipal Trial Court in Cities, Municipal Trial Court, or Municipal Circuit Trial Court.
Under the Supreme Court’s Rules on Expedited Procedures in the First Level Courts, small claims cases may cover money claims up to ₱1,000,000.00. In small claims, the defendant is required to file a verified Response within the period stated in the summons, commonly 10 calendar days from receipt, together with supporting evidence.
If the loan is fraudulent, your Response should clearly say:
- you deny applying for the loan;
- you deny receiving the proceeds;
- your identity was stolen or misused;
- the lender failed to verify your identity properly;
- the account is under dispute with the lender, SEC, NPC, PNP/NBI, CIC, or BSP, as applicable;
- the plaintiff should produce the KYC records, disbursement records, device logs, and consent records.
Attach your evidence immediately. In small claims, evidence not attached to the Response may be difficult to present later unless the court allows it for good cause.
Special notes for OFWs, Filipinos abroad, and foreigners
Identity theft through Philippine lending apps can affect people outside the Philippines, especially if a Philippine SIM, e-wallet, old ID, passport scan, or local contact number was used.
If you are abroad:
- file initial reports by email or official online portals where accepted;
- execute a Special Power of Attorney if someone in the Philippines will obtain records or file documents for you;
- have foreign documents apostilled if issued in a country covered by the Apostille Convention, or authenticated through the proper consular process if not;
- report lost or misused passports to the issuing government;
- keep travel records, immigration stamps, employment certificates, or residence documents showing you were outside the Philippines when the account was opened;
- use one consistent Philippine mailing address and email address for agency replies.
The DFA’s Apostille information portal is useful when documents executed abroad must be used in Philippine proceedings.
Foreigners should also consider whether a copied passport, Alien Certificate of Registration card, work permit, or visa document was used. Report the compromised document to the issuing authority or embassy as appropriate, and preserve proof of the report.
Common mistakes that make identity theft cases harder
Deleting messages too early
Victims understandably want to delete threats and abusive messages. But screenshots, call logs, and chat exports are often the evidence that agencies need. Save first, then block if necessary.
Only calling the lender
Phone calls are hard to prove. Always follow up in writing. Use email, ticket numbers, or in-app reference numbers.
Paying a small amount to “make it stop”
Payment may not stop harassment. It may also confuse the record if the lender later argues that payment shows acknowledgment. If money is paid under pressure, document clearly that it was paid under protest because of harassment or identity theft.
Not checking credit records
Some victims stop after the collectors disappear. Months later, the fake account may affect a credit application. Check and dispute early.
Treating all collectors as law enforcement
Collectors are not police, prosecutors, or judges. They cannot order your arrest. They cannot declare you guilty of estafa. They cannot legally shame you online to force payment.
Waiting for the app to “investigate” indefinitely
Give the lender a reasonable written deadline to acknowledge and investigate the fraud. If there is no meaningful response, escalate to SEC, NPC, PNP/NBI, CIC, or BSP depending on the issue.
Frequently Asked Questions
Someone used my name in a lending app. Do I have to pay?
If you did not apply, did not authorize the loan, and did not receive the money, you should dispute liability in writing. The lender should investigate and produce proof of the alleged application, KYC, consent, and disbursement. Do not ignore demand letters or court papers, because silence can make the situation worse.
Can a lending app contact my relatives or employer?
A lending app should not freely contact everyone in your phonebook. Under NPC and SEC guidance, contacting persons on a borrower’s contact list other than actual guarantors for debt collection is prohibited. A character reference is not automatically a guarantor.
Can I go to jail for not paying a lending app loan?
A person cannot be imprisoned for mere debt under Article III, Section 20 of the 1987 Constitution. However, fraud, falsification, cybercrime, or access device fraud can be criminal. If you are the identity theft victim, your focus should be proving that the application and account were unauthorized.
Should I file with the barangay first?
For online identity theft, unknown suspects, corporations, cybercrime, or offenses outside barangay conciliation, going to the barangay is often not enough. A barangay blotter may help document harassment, but cybercrime and identity theft should be reported to PNP ACG or NBI Cybercrime, and regulatory complaints should go to SEC or NPC where applicable.
What if I accidentally gave my ID and selfie to a fake lending app?
Report it as a data compromise. Preserve the app link, screenshots, privacy notice, chat messages, and upload confirmations. Secure your accounts, notify banks/e-wallets, and monitor credit records. If the app later uses your data for a fake loan or harassment, file with PNP/NBI, SEC, and NPC as appropriate.
Can I demand deletion of my data?
Under the Data Privacy Act, data subjects have rights involving access, correction, objection, blocking, erasure, and damages, subject to legal exceptions. If a lender needs certain records for fraud investigation, legal claims, or regulatory retention, immediate deletion may not be automatic. But the company should not continue unnecessary or abusive processing, especially after the account is disputed as identity theft.
What if the fake loan appears in my credit report?
Get a copy of the report, identify the account, and file a dispute through the CIC Online Dispute Resolution System if it is in the CIC database. Attach your police/NBI report, lender dispute, screenshots, and proof that the loan was not yours. Also demand that the lender correct or withdraw the erroneous submission.
What if the lending app says my selfie proves I borrowed?
A selfie alone does not settle the issue. Ask for the full KYC file, liveness verification result, device details, phone number, email, IP logs, disbursement account, and consent records. If the selfie was manipulated, taken from another source, or submitted by someone else, that supports an identity theft complaint.
What if I am an OFW or foreigner outside the Philippines?
You can start by sending written disputes and reports through official online channels. For Philippine filings that require a representative, execute a Special Power of Attorney and prepare properly authenticated or apostilled documents when needed. Keep proof that you were abroad when the account was opened or when the alleged loan was released.
What if the lender files a small claims case?
File a verified Response within the deadline stated in the summons, commonly 10 calendar days from receipt. Attach your identity theft evidence, dispute letters, police/NBI reports, and affidavits. Do not wait for the hearing date before preparing your documents.
Key Takeaways
- A fake lending app account in your name is not just a debt issue; it may involve cybercrime, data privacy violations, access device fraud, and unfair collection.
- Dispute the loan in writing immediately and demand preservation of KYC, device, consent, and disbursement records.
- Report cyber identity theft to PNP ACG or NBI Cybercrime, abusive lending practices to SEC, and data misuse to the National Privacy Commission.
- Check your CIC credit report and dispute any fake loan before it affects future credit applications.
- Collectors cannot lawfully threaten jail for mere debt or harass your contacts, employer, or relatives to force payment.
- If you receive a real court summons, respond on time and attach evidence immediately.