If your online wallet was hacked in the Philippines, act fast. The first few hours matter because stolen funds can move from one e-wallet to another account, then to another bank, then to cash-out channels within minutes. Your goals are simple: stop further access, create a clear record, ask the wallet provider to trace and hold the funds, report the cybercrime, and escalate properly if the provider does not act. This guide explains what Philippine law says, what documents to prepare, which agencies handle complaints, and what realistic recovery options may be available.
What “online wallet hacked” usually means in Philippine legal terms
People use “hacked” to describe many situations, but the legal and practical response can differ depending on what actually happened.
Common examples include:
- Someone entered your e-wallet account without permission and sent money out.
- Your phone or SIM was stolen and used to access your wallet.
- You clicked a fake link and entered your password, MPIN, OTP, or selfie verification.
- A scammer pretended to be from the wallet provider, bank, courier, telecom, government agency, or online marketplace.
- Malware or a fake app captured your wallet credentials.
- Your account was taken over after your email, Facebook, Google, Apple ID, or mobile number was compromised.
- Your wallet account was used to receive scam proceeds even though you did not authorize it.
Under Philippine law, these incidents may involve financial account scamming, social engineering, unauthorized access, computer-related fraud, identity misuse, access device fraud, estafa, data privacy violations, or a combination of these.
The most important point: do not wait to figure out the exact crime before reporting. Your first report to the e-wallet provider should focus on blocking the account, preserving logs, tracing the transaction, and requesting a hold or recall of the disputed funds.
Philippine laws that protect e-wallet users
Republic Act No. 12010, or the Anti-Financial Account Scamming Act
The most directly relevant law is Republic Act No. 12010, the Anti-Financial Account Scamming Act (AFASA), enacted in 2024. It expressly covers e-wallets as financial accounts and applies to banks, non-banks, payment service providers, and other institutions under the Bangko Sentral ng Pilipinas (BSP).
AFASA punishes, among others:
- Money muling — using, lending, selling, renting, buying, or recruiting people to use financial accounts to receive or move illegal proceeds.
- Social engineering schemes — obtaining sensitive identifying information through deception or fraud, resulting in unauthorized access or control over a financial account.
- Economic sabotage — serious forms of financial account scamming, such as schemes involving three or more conspirators, three or more victims, mass mailers, or human trafficking.
You can read the text of the law here: Republic Act No. 12010 on Lawphil.
AFASA is especially important because it gives institutions authority to temporarily hold disputed funds and requires a coordinated verification process among involved financial institutions.
BSP Circular No. 1215, Series of 2025: temporary holding of disputed funds
BSP Circular No. 1215 implements AFASA rules on temporary holding and coordinated verification. In practical terms, this matters because a victim can ask the originating financial institution — usually the e-wallet or bank where the money came from — to trigger the process.
Key rules include:
| Issue | Practical meaning |
|---|---|
| Initial holding | Disputed funds may be initially held for not more than 5 calendar days. |
| Extended holding | The hold may be extended by up to 25 more calendar days, for a total of not more than 30 calendar days, unless extended by a court. |
| Coordinated verification | The involved institutions must trace and verify the disputed transaction. |
| If funds are held | Verification should be completed within the 30-calendar-day temporary holding period, unless a court extends it. |
| If no funds are held | Verification should generally be completed within 30 calendar days, extendable for meritorious reasons up to a total of 60 calendar days. |
| Supporting documents | You may be asked for a sworn complaint, affidavit, police report, screenshots, transaction records, and other evidence. |
Official source: BSP Circular No. 1215, Series of 2025.
Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, protects financial consumers, including users of digital financial products and services. It recognizes rights such as:
- equitable and fair treatment;
- protection of consumer assets against fraud and misuse;
- data privacy and protection; and
- timely handling and redress of complaints.
The law also gives financial regulators, including the BSP, authority over consumer redress and certain adjudication matters involving financial transactions. Read it here: Republic Act No. 11765 on the Supreme Court E-Library.
Cybercrime Prevention Act, Access Devices Law, and Estafa
Depending on the facts, the following laws may also apply:
| Law | When it may apply |
|---|---|
| RA 10175, Cybercrime Prevention Act of 2012 | Illegal access, computer-related fraud, identity-related cyber offenses, phishing, malware, or account takeover. Official text: RA 10175. |
| RA 8484, Access Devices Regulation Act, as amended by RA 11449 | Fraudulent use of access devices such as account numbers, PINs, passwords, codes, cards, or similar means of account access. Official text: RA 8484 and RA 11449. |
| Article 315 of the Revised Penal Code | Estafa or swindling, especially where deceit caused the victim to part with money. Official text: Revised Penal Code. |
| RA 8792, Electronic Commerce Act | Recognition of electronic documents and data messages, useful when presenting electronic evidence. Official text: RA 8792. |
| Civil Code Articles 1170 and 2176 | Civil liability for fraud, negligence, breach of obligation, or quasi-delict where damage is caused by fault or negligence. |
What to do immediately if your e-wallet is hacked
1. Block access and stop further transfers
Do these first:
- Open the wallet app only if it is safe to do so.
- Use the app’s freeze, lock, kill switch, lost phone, report fraud, or account recovery feature.
- Change your wallet password, MPIN, and linked email password.
- Remove unknown devices if the app allows device management.
- Disable biometrics if your phone was stolen.
- Call your mobile provider if your SIM was lost, stolen, or suddenly lost signal.
- Change passwords for linked accounts such as Gmail, iCloud, Facebook, online banking, and shopping apps.
- If a bank account or card is linked to the wallet, immediately report to that bank as well.
Under BSP’s AFASA-related rules, covered financial institutions are expected to have stronger security controls such as fraud monitoring systems, transaction velocity checks, device and account change monitoring, geolocation monitoring, blacklist screening, real-time notifications, account suspension tools, money lock features, and customizable transaction limits. These features are not just “nice to have”; they are part of the regulatory direction for fraud prevention.
2. Report to the e-wallet provider through its official fraud channel
Report through the provider’s official app, website, hotline, or verified support channel. Do not use numbers or links sent by strangers.
In your report, say clearly:
- “My e-wallet account was accessed without my authority.”
- “The transaction is disputed.”
- “Please block my account or outgoing transfers immediately.”
- “Please trace the disputed transaction chain.”
- “Please initiate temporary holding of disputed funds under AFASA and BSP Circular No. 1215, if applicable.”
- “Please provide a complaint reference number.”
- “Please preserve all logs, including device, IP, geolocation, OTP, authentication, session, and transaction logs.”
Ask for confirmation in writing through email, in-app ticket, or SMS. BSP Circular No. 1160 requires BSP-supervised institutions to maintain complaint channels, including closely monitored communication channels available on a 24/7 basis, and to give immediate written acknowledgment through the same channel. Official source: BSP Circular No. 1160, Series of 2022.
3. Preserve evidence before anything disappears
Do not delete chats, SMS messages, emails, call logs, app notifications, or screenshots. Scammers often delete accounts quickly.
Prepare a folder containing:
| Evidence | Why it matters |
|---|---|
| Screenshots of unauthorized transactions | Shows amount, date, time, reference number, and recipient details. |
| Wallet account profile page | Shows your registered name, mobile number, and account identifiers. |
| SMS or app notifications | Helps establish the exact time you learned of the transaction. |
| OTP messages | Shows whether an OTP was generated and what transaction it described. |
| Emails from the provider | Shows account changes, new login, device registration, or security alerts. |
| Scam messages, links, or caller details | Helps prove phishing, smishing, vishing, or impersonation. |
| Phone call logs | Useful for tracing scam calls. |
| Police report or affidavit | Often needed for extended holding, law enforcement, or escalation. |
| Valid ID | Needed for complaint verification. |
| Timeline of events | Helps investigators understand what happened without guessing. |
When taking screenshots, include the date, time, full phone screen, sender name or number, URL, transaction reference number, and recipient details. If possible, export emails as PDF and save original message headers.
4. File a formal dispute with the provider
A chat with customer support is helpful, but for recovery you should also file a clear written dispute.
Include:
- Your full name and registered mobile number or wallet ID.
- Date and time you discovered the compromise.
- Date, time, amount, and reference number of each unauthorized transaction.
- Recipient wallet, bank, merchant, or mobile number shown in the app.
- Whether your phone, SIM, email, or social media account was also compromised.
- Whether you received OTPs, login alerts, or device change notices.
- What you did immediately after discovering the incident.
- A request for account blocking, transaction tracing, temporary holding, coordinated verification, and written results of investigation.
- Copies of screenshots, IDs, police report, affidavit, and other evidence.
Be factual. Avoid exaggeration. AFASA also penalizes malicious reporting where a person, with malice or bad faith, files completely unwarranted or false information that results in temporary holding of funds.
5. Report to cybercrime authorities
A provider complaint is not the same as a criminal complaint. If money was stolen or your identity was used, report to law enforcement.
You may approach:
| Office | Best for | Notes |
|---|---|---|
| PNP Anti-Cybercrime Group (PNP-ACG) | Cybercrime complaints, phishing, identity misuse, online scams, e-wallet hacking | Bring ID, screenshots, transaction records, and affidavit if available. |
| NBI Cybercrime Division / Computer Crimes Division | Cybercrime investigation, online fraud, digital evidence | NBI’s citizen charter lists investigative assistance for victims of computer crimes. Official source: NBI investigative assistance for computer crimes. |
| DOJ Office of Cybercrime | Cybercrime policy coordination and reporting guidance | Official page: DOJ reporting of cybercrime incidents. |
| CICC / Inter-Agency Response Center | Initial reporting or coordination for online scams and cyber incidents | Useful for quick reporting, but serious money-loss cases should still be documented with law enforcement and the provider. |
For a formal criminal complaint, expect to prepare a complaint-affidavit narrating what happened, with supporting documents. Some offices can assist with complaint sheets or sworn statements, but bringing an organized evidence packet makes the process smoother.
6. Escalate to the BSP if the e-wallet provider does not act properly
For BSP-supervised institutions such as banks and many e-money issuers, the usual process is:
- Report first to the institution’s Financial Consumer Protection Assistance Mechanism (FCPAM) or official customer service channel.
- Get a ticket or reference number.
- Wait for the provider’s action or response, unless the situation remains urgent and unresolved.
- If unsatisfied, escalate to the BSP Consumer Assistance Mechanism.
The BSP says consumers should first report to the BSI’s FCPAM, then escalate to BSP through BSP Online Buddy (BOB) if dissatisfied. Official source: BSP guide on filing a complaint with BSP-CAM.
You may also check BSP consumer channels here: BSP Consumer Assistance Channels.
When escalating, attach:
- provider ticket number;
- your written complaint;
- provider’s replies or lack of response;
- screenshots and transaction references;
- affidavit or police report, if available;
- explanation of what remedy you seek, such as refund, written investigation results, correction of records, or restoration of account access.
Can you get the stolen money back?
Recovery is possible, but it depends on timing, evidence, and where the funds went.
You have a better chance if:
- you reported immediately;
- the funds are still within the same wallet or another BSP-supervised institution;
- the recipient account has not cashed out or moved the funds again;
- you have complete transaction reference numbers;
- the provider promptly triggers temporary holding and coordinated verification;
- the facts show unauthorized access, social engineering, money muling, or provider control failure.
You may face more difficulty if:
- the funds were already withdrawn as cash;
- the recipient account was also hacked or used by a mule;
- the transaction was authorized from your own device after OTP entry;
- screenshots are incomplete;
- you delayed reporting for days or weeks;
- the wallet provider finds evidence of gross negligence or breach of security terms.
Even if the provider denies reimbursement, that is not always the end. You may still pursue BSP escalation, law enforcement investigation, a criminal complaint, or civil recovery depending on the amount and facts.
When is the e-wallet provider liable?
AFASA provides that institutions must protect access to client financial accounts through adequate risk management systems and controls, such as MFA, fraud management systems, and account owner enrollment and verification processes.
The provider may be exposed to liability where there is evidence of:
- failure to employ adequate risk management systems and controls;
- failure to exercise the required degree of diligence in preventing loss;
- failure to temporarily hold disputed funds when required under AFASA and BSP rules;
- defective handling of consumer complaints;
- poor security after suspicious account changes, device changes, or unusual transactions;
- inadequate notification of high-risk transactions;
- failure to preserve or review logs properly.
However, the provider may deny liability if it can show that it had adequate systems, the transaction passed proper authentication, and the loss was caused by the user’s own act, such as voluntarily giving OTPs or credentials to a scammer. This is why your timeline and evidence matter.
What if you accidentally gave your OTP or MPIN?
Report anyway.
Many victims are ashamed because they clicked a link or gave an OTP after being deceived. But social engineering is exactly the type of conduct AFASA addresses. The legal question is not simply “Did you type the OTP?” The investigation may also ask:
- Did the OTP clearly describe the transaction?
- Was there a suspicious device change before the transfer?
- Was the transaction unusual compared with your history?
- Did the provider send real-time, understandable notifications?
- Did the provider have fraud monitoring that should have flagged the pattern?
- Did the provider act quickly after your report?
- Were funds still available to hold?
- Was the recipient account a mule or fake account?
Be honest in your affidavit. A false or incomplete story can damage your complaint more than admitting you were deceived.
Documents commonly required
| Purpose | Documents usually needed |
|---|---|
| E-wallet dispute | Valid ID, written complaint, screenshots, transaction references, proof of account ownership, timeline. |
| Temporary hold or extended verification | Sworn complaint, affidavit, police report, transaction details, supporting evidence. |
| PNP/NBI complaint | Valid ID, complaint-affidavit or sworn statement, screenshots, links, phone numbers, wallet IDs, emails, proof of loss. |
| BSP escalation | Provider ticket number, prior complaint, provider response, evidence, desired remedy. |
| NPC complaint | Notarized complaint-assisted form or verified complaint, evidence, witness affidavits if any. |
| Representative filing for OFW/foreigner | Special Power of Attorney, valid IDs, and properly notarized or consularized documents if signed abroad. |
Special notes for OFWs and foreigners
If you are outside the Philippines, you can still report to the wallet provider and BSP online. The practical challenge is usually the sworn complaint-affidavit.
For documents signed abroad:
- If signed before a Philippine Embassy or Consulate, consular notarization is generally usable in the Philippines. Many embassies require personal appearance.
- If signed before a foreign notary, the document may need an apostille from the competent authority in that country, if the country is part of the Apostille Convention.
- If someone in the Philippines will file or follow up for you, prepare a Special Power of Attorney (SPA) authorizing that person to represent you before the provider, law enforcement, BSP, NPC, or court.
Check the relevant Philippine embassy or consulate for local notarial procedures. For general apostille information, see the DFA’s official portal: DFA Apostille.
Foreigners using Philippine e-wallets should also keep copies of passport pages, ACR I-Card if applicable, local SIM registration details, and proof that the wallet account belongs to them.
Common mistakes that hurt e-wallet hacking complaints
Waiting too long before reporting
Even a one-day delay can matter. Under AFASA’s temporary holding process, the funds must still be traceable and, ideally, still inside the financial system.
Reporting only on social media
A Facebook comment or X post is not a formal dispute. Use official complaint channels and get a reference number.
Deleting scam messages
Do not clean your inbox out of panic. Original messages, URLs, email headers, and phone logs may help establish the method of attack.
Failing to ask for temporary holding
Use clear language: “Please initiate temporary holding of the disputed funds and coordinated verification under AFASA and BSP Circular No. 1215.”
Sending more money to “recover” the account
Scammers often pose as recovery agents, wallet insiders, police contacts, or hackers-for-hire. Do not pay recovery fees to strangers.
Publicly posting recipient details without care
Posting names, wallet numbers, IDs, or photos online can create privacy or defamation issues, especially if the displayed recipient is a mule, hacked account, or innocent account holder. Give the details to the provider and investigators.
Using a barangay blotter as your only report
A barangay blotter may help document that you reported an incident, but it is not a substitute for a provider dispute, cybercrime complaint, or BSP escalation. Cybercrime and financial account scamming issues usually require the e-wallet provider, BSP, PNP, NBI, or prosecutor.
Other remedies after the provider investigation
If the provider does not return the money, possible next steps include:
| Remedy | When it may fit |
|---|---|
| BSP consumer escalation | The provider is BSP-supervised and failed to respond properly or denied your dispute despite evidence. |
| Criminal complaint | There is fraud, unauthorized access, identity misuse, phishing, money muling, or scam operation. |
| Data privacy complaint | Personal data, IDs, selfies, credentials, or account information were mishandled or exposed. |
| Civil action | You know the responsible person or entity and seek damages or reimbursement. |
| Small claims | For qualifying money claims not exceeding the current small claims threshold, subject to the Rules on Expedited Procedures in First Level Courts. The Supreme Court has announced a ₱1,000,000 threshold for small claims. Official source: Supreme Court rules on expedited procedures. |
For criminal cases, the civil liability may be pursued together with the criminal action unless reserved or separately filed. Under AFASA, conviction carries civil liability, including possible restitution for damage done.
Frequently Asked Questions
Should I report to the e-wallet provider or the police first?
Do both, but report to the e-wallet provider immediately because only the provider and involved financial institutions can quickly block access, trace the transaction, and request temporary holding of funds. Then report to PNP-ACG, NBI, or other cybercrime authorities for investigation and possible prosecution.
Can BSP force the e-wallet to refund me?
The BSP handles consumer complaints against BSP-supervised institutions and has powers under financial consumer protection laws. Whether you get a refund depends on the facts, evidence, applicable BSP rules, the provider’s investigation, and whether the provider failed to meet its duties. Escalating to BSP is important when the provider ignores, delays, or inadequately resolves your complaint.
How long does an e-wallet hacking investigation take?
Urgent account blocking should happen quickly. Under BSP Circular No. 1215, temporary holding may initially last up to 5 calendar days and may be extended up to a total of 30 calendar days unless a court extends it. Coordinated verification should be completed within the applicable period. Criminal investigations may take longer, especially if subpoenas, cybercrime warrants, telecom records, or platform records are needed.
What if the stolen money was sent to another e-wallet or bank?
Give the provider the full transaction reference number, date, time, amount, and recipient details. Under AFASA and BSP rules, institutions involved in a disputed transaction may coordinate to trace, hold, and verify funds moving through multiple accounts. Speed is critical because money may be withdrawn or transferred again.
What if I gave my OTP because I was tricked?
Still report. Social engineering is recognized under AFASA. Be truthful about what happened. The investigation may consider whether the provider’s security controls, transaction notifications, fraud monitoring, and response were adequate.
Can the police trace a scammer using only a mobile number or wallet name?
A mobile number or wallet name can help, but it may not be enough by itself. Scammers often use fake IDs, mule accounts, stolen SIMs, or hacked accounts. Investigators may need provider records, telco records, platform records, IP logs, device information, and cybercrime warrants.
What if my own e-wallet was used to scam other people?
Report immediately and ask the provider to lock the account, preserve logs, and document that you lost control of the wallet. File a cybercrime report. This is important because victims may identify your account as the recipient even if you were also a victim of account takeover.
Do I need a notarized affidavit?
For the first urgent report to the provider, usually no — report immediately through official channels. For extended holding, law enforcement, BSP escalation, prosecutor proceedings, NPC complaints, or court action, a sworn or notarized complaint-affidavit is often required or strongly helpful.
Can I file a complaint if I am abroad?
Yes. You can report to the provider and BSP online. For formal affidavits or SPAs signed abroad, use Philippine consular notarization or local notarization with apostille, depending on the country and document.
Is a data privacy complaint separate from a hacking complaint?
Yes. If your personal information, IDs, selfies, login credentials, or financial data were exposed, mishandled, or used without authority, you may have a data privacy issue. The National Privacy Commission requires a notarized complaint-assisted form or verified complaint with evidence. Official source: NPC mechanics for complaints.
Key Takeaways
- Report the hacked e-wallet immediately through the provider’s official fraud channel.
- Ask for account blocking, transaction tracing, temporary holding of disputed funds, coordinated verification, and a case reference number.
- Preserve screenshots, OTPs, emails, URLs, call logs, transaction references, and account alerts.
- AFASA and BSP Circular No. 1215 allow temporary holding of disputed funds, initially up to 5 calendar days and extendable up to a total of 30 calendar days unless extended by a court.
- Escalate to BSP if the provider does not respond properly after you use its official complaint mechanism.
- File with PNP-ACG or NBI for criminal investigation, especially for phishing, unauthorized access, identity misuse, or money muling.
- OFWs and foreigners can still pursue complaints, but sworn documents signed abroad may need consular notarization or apostille.
- A refund is not automatic, but fast reporting, complete evidence, and proper escalation improve your chances.