If your GCash, Maya, ShopeePay, GrabPay, Coins.ph, bank-linked wallet, or other online wallet was hacked, the most important thing is to act quickly and document everything. In the Philippines, a hacked e-wallet may involve cybercrime, financial account scamming, data privacy violations, and consumer protection issues. This guide explains what to do first, how to report the incident, what laws protect you, what evidence to prepare, and how recovery or escalation usually works in real life.
What “online wallet hacked” usually means in the Philippines
People use “hacked” to describe different situations. Legally and practically, the details matter because they affect which remedy applies.
Common hacked-wallet situations include:
- Someone entered your wallet without permission and transferred money out.
- You were tricked into giving an OTP, PIN, password, selfie verification, or account recovery code.
- A fake customer service page or phishing link captured your credentials.
- Your SIM was replaced, cloned, or taken over, allowing the scammer to receive OTPs.
- Your phone was stolen and your wallet was accessed.
- A scammer used your wallet as a receiving or “mule” account.
- Your linked bank account, credit card, or debit card was charged through the wallet.
Under BSP rules implementing the Anti-Financial Account Scamming Act, a disputed transaction can include an electronic transfer facilitated by social engineering, while an erroneous transaction is different: it generally means the sender made a mistake, such as entering the wrong account or amount. This distinction matters because fraud-related disputed transactions may trigger temporary holding and verification procedures, while sender-error cases are handled differently. (Bureau of the Treasury)
Legal basis: your rights when an online wallet is hacked
Anti-Financial Account Scamming Act, or RA 12010 of 2024
Republic Act No. 12010, known as the Anti-Financial Account Scamming Act or AFASA, is now one of the most important laws for hacked e-wallet cases in the Philippines. It covers financial account scamming, including money muling and social engineering schemes. (Lawphil)
The law treats e-wallet credentials as sensitive information. “Sensitive identifying information” includes usernames, passwords, bank account details, credit card details, e-wallet information, and other account credentials. (Lawphil)
AFASA is especially important because it gives financial institutions and authorities a clearer framework for dealing with suspicious or disputed electronic transfers. It allows financial institutions to temporarily hold disputed funds and coordinate verification with other institutions involved in the transfer chain. (Lawphil)
It also places obligations on covered institutions. Financial institutions must protect account access through adequate risk management systems, and AFASA recognizes restitution where a financial institution’s failure to apply the required standard of diligence contributes to a loss. A criminal conviction is not required before restitution can be pursued under the law’s institutional liability provisions. (Lawphil)
AFASA penalties can be serious. Money muling may be punished by imprisonment and fines, while social engineering schemes carry heavier penalties. The law also imposes higher penalties in certain cases, such as when the victim is a senior citizen or when the offense amounts to economic sabotage. (Lawphil)
BSP rules on temporary holding of disputed funds
The Bangko Sentral ng Pilipinas has issued implementing regulations for AFASA. These rules apply to BSP-supervised institutions, including banks, non-bank financial institutions, payment service providers, and other financial service providers. The rules expressly cover financial accounts such as e-wallets. (Bureau of the Treasury)
For hacked-wallet victims, the most practical rule is this: a receiving institution may initially hold disputed funds for up to five calendar days. If proper supporting documents are submitted within that initial period, the hold may be extended for an additional period of up to 25 calendar days, for a total of up to 30 calendar days, unless a court extends it. (Bureau of the Treasury)
This is why speed matters. If the scammer quickly withdraws the funds as cash, converts them, or moves them through several accounts, recovery becomes much harder.
Financial Products and Services Consumer Protection Act, or RA 11765 of 2022
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, protects consumers of financial products and services, including payments, remittances, digital channels, and similar services. It recognizes consumer rights such as fair treatment, transparency, protection of assets against fraud and misuse, data privacy, and timely complaint handling. (Supreme Court E-Library)
BSP Circular No. 1160 implements these protections for BSP-supervised financial institutions. It requires institutions to maintain systems for consumer protection, including mechanisms for complaints, protection of client information, fair treatment, effective recourse, and protection of consumer assets against fraud and misuse. (Bureau of the Treasury)
In practice, this means your e-wallet provider should not simply ignore a fraud report or give you vague template replies. It must have a consumer assistance mechanism, handle unauthorized or fraudulent transaction reports, and provide a reasonable resolution process. BSP guidance also emphasizes 24/7 reporting channels for unauthorized or fraudulent transactions. (Bureau of the Treasury)
Cybercrime Prevention Act, or RA 10175 of 2012
Republic Act No. 10175, the Cybercrime Prevention Act of 2012, may apply when someone accesses your wallet account, device, email, or credentials without authority. It penalizes cyber offenses such as illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related fraud, and computer-related identity theft. (Supreme Court E-Library) (Supreme Court E-Library)
A hacked wallet may therefore be both a financial complaint and a cybercrime complaint.
Access Devices Regulation Act, or RA 8484
Republic Act No. 8484, the Access Devices Regulation Act of 1998, can also be relevant. It defines an access device broadly to include a card, code, account number, PIN, or other means of account access that can be used to obtain money, goods, services, or initiate a fund transfer. (Lawphil)
The law also recognizes the importance of prompt notice. For lost access devices, the holder must notify the issuer, and proper notice can affect liability for fraudulent use from the time of reporting. (Lawphil)
Data Privacy Act, or RA 10173
If your personal data, ID, selfie verification, phone number, address, biometrics, or account credentials were compromised, the Data Privacy Act of 2012 may also apply. The National Privacy Commission can receive complaints, investigate, settle or adjudicate matters, and award indemnity where appropriate. (National Privacy Commission)
Personal information controllers must implement reasonable and appropriate safeguards. They must also notify the NPC and affected data subjects when sensitive personal information or information that may enable identity fraud is believed to have been acquired by an unauthorized person and is likely to cause real risk of serious harm. (National Privacy Commission)
Civil Code and Revised Penal Code remedies
Depending on the facts, you may also have civil and criminal remedies under older laws.
Under the Civil Code, a party guilty of fraud, negligence, delay, or breach of obligation may be liable for damages. The Civil Code also recognizes liability for quasi-delict when a person, by act or omission, causes damage to another through fault or negligence. (Supreme Court E-Library) (Lawphil)
Under the Revised Penal Code, estafa may apply when a person defrauds another through deceit or abuse of confidence. In online wallet cases, estafa may overlap with cybercrime, AFASA, or access-device offenses depending on how the scam was committed. (Supreme Court E-Library)
What to do immediately if your e-wallet was hacked
1. Lock down the wallet and all linked accounts
Use a clean device if possible. If you suspect your phone has malware, use another phone or computer.
Immediately do the following:
- Change your wallet password or MPIN.
- Change the password of the email address connected to the wallet.
- Log out all active sessions if the app allows it.
- Remove or freeze linked bank accounts, debit cards, and credit cards.
- Turn on multi-factor authentication.
- Change passwords for related accounts, especially online banking, telco apps, and email.
- If your SIM may have been compromised, contact your telco and request blocking, SIM replacement, or account protection.
Do not reuse old passwords. If your email is compromised, the scammer may still be able to reset your wallet password even after you change the wallet PIN.
2. Report the unauthorized transaction to the wallet provider
Report through the official in-app help center, hotline, email, or verified website of the wallet provider. Avoid links from text messages, social media comments, or search ads pretending to be customer service.
Use clear wording:
“I am reporting unauthorized transactions from my e-wallet account. Please immediately lock or restrict the account, investigate the transactions, preserve logs, and initiate temporary holding or coordinated verification of the recipient accounts if the funds are still traceable.”
Ask for:
- A complaint or ticket reference number
- Confirmation that your account is locked or secured
- A list of disputed transaction reference numbers
- Instructions for submitting a sworn complaint, affidavit, police report, or other documents
- The deadline for submitting documents if a temporary hold is being requested
Under BSP rules, account owners are expected to immediately report disputed transactions to their financial institution and cooperate by submitting documents and information needed for verification. (Bureau of the Treasury)
3. Ask for temporary holding of disputed funds
If the money was transferred to another wallet or bank account, ask the provider to trigger the AFASA/BSP temporary holding process.
The first institution should prepare a disputed transaction report, preserve the source account details, initially hold funds when applicable, and transmit holding requests to receiving financial institutions involved in the transfer chain. (Bureau of the Treasury)
You may be asked to submit documents such as:
- A sworn complaint
- A complaint-affidavit
- A police report or cybercrime complaint report
- Screenshots and transaction records
- Any document showing why the transaction is likely unauthorized or fraudulent
BSP rules state that supporting documents for extended holding should be submitted within the initial holding period and should detail the circumstances and reasons why the transaction is likely disputed. (Bureau of the Treasury)
4. Contact linked banks, cards, and telco immediately
If your e-wallet is linked to a bank account, debit card, or credit card, contact those institutions too. Do not assume the wallet provider will notify them.
Ask the bank or card issuer to:
- Block the card or account from further wallet charges
- Dispute unauthorized card or bank transactions
- Preserve logs and transaction records
- Issue a certificate, statement, or reference number for your complaint
If a SIM swap or phone number takeover is involved, contact your telco and request written confirmation of any SIM replacement, porting request, or unusual account activity.
5. Preserve evidence before anything disappears
Do not delete messages, emails, transaction notices, app notifications, or call logs. Screenshots help, but originals are better.
Save:
- Wallet transaction history
- Transaction reference numbers
- Sender and recipient account names or masked numbers
- SMS OTPs and alerts
- Emails from the wallet provider
- Chatbot transcripts
- Phishing links and fake pages
- Social media profiles used by the scammer
- Call logs and phone numbers
- Device model, phone number, and SIM details
- Bank or card statements showing unauthorized charges
The Supreme Court has recognized that electronic messages and photos may be admissible as evidence when properly presented, although authenticity and relevance still have to be shown. (Supreme Court of the Philippines)
6. Do not share OTPs, PINs, passwords, or ID photos with strangers
Scammers often pretend to be wallet employees, BSP personnel, NBI agents, PNP officers, or “recovery specialists.” Real complaint handling should not require you to give your OTP, MPIN, password, or full card details to a stranger.
The BSP’s consumer guidance specifically warns the public not to share sensitive information such as PINs, passwords, account numbers, ATM or credit card details, passbooks, passports, and IDs.
Where to report a hacked online wallet in the Philippines
| Office or institution | When to report there | What you should ask for |
|---|---|---|
| E-wallet provider | Immediately after discovering unauthorized access or transactions | Account lock, investigation, reference number, reversal request, temporary holding request |
| Linked bank or card issuer | If the wallet pulled money from a bank account, debit card, or credit card | Card blocking, charge dispute, bank investigation, written reference number |
| Telco | If SIM swap, lost phone, stolen SIM, or OTP interception is suspected | SIM blocking, replacement, account activity record, written confirmation |
| NBI Cybercrime Division | For criminal investigation of hacking, phishing, identity theft, or online fraud | Complaint intake, evaluation forms, cybercrime report |
| PNP Anti-Cybercrime Group | For police cybercrime reporting and investigation | Police report, complaint docket, assistance tracing accounts |
| CICC Inter-Agency Response Center 1326 | For scam reporting and guidance, especially phishing, spoofing, and online scams | Incident report guidance and referral |
| BSP Consumer Assistance Mechanism | If the wallet or bank does not act properly or you are dissatisfied after first reporting to the institution | BSP complaint reference and escalation |
| National Privacy Commission | If personal data, IDs, account credentials, or sensitive information were mishandled or breached | Privacy complaint, investigation, possible indemnity |
The NBI Cybercrime Division’s citizen-facing process includes filling out a complaint form and evaluation form for cybercrime complaints. (National Bureau of Investigation)
The Cybercrime Investigation and Coordinating Center’s 1326 hotline has been described by government sources as a 24/7 reporting channel for scams, including phishing, text scams, email scams, spoofing, and online scams. (Philippine News Agency)
How to escalate to BSP if the wallet provider does not help
For complaints against BSP-supervised institutions, the usual process is:
Report first to the e-wallet provider or bank. This is the first-level Financial Consumer Protection Assistance Mechanism, often called FCPAM.
Wait for the institution’s action or response. Keep all ticket numbers, emails, screenshots, and chat transcripts.
Escalate to BSP-CAM if you are ignored, delayed, or dissatisfied. BSP’s Consumer Assistance Mechanism accepts complaints through the BSP Online Buddy chatbot, email, mail, courier, and BSP regional offices or branches. (Bureau of the Treasury)
Attach proof that you already went through the provider first. BSP rules require complaint information and supporting documents showing prior availment of the institution’s FCPAM. (Bureau of the Treasury)
BSP-CAM is a second-level mechanism. Under BSP Circular No. 1169, it is also a condition precedent before BSP mediation or adjudication. BSP adjudication may cover purely civil money claims not exceeding ₱10 million, subject to the rules. (Bureau of the Treasury)
BSP also allows consumers to submit a Consumer Inquiry or Complaint Form and provides consumer assistance channels, including email. (Bureau of the Treasury)
Documents and evidence to prepare
| Document or evidence | Why it matters | Practical notes |
|---|---|---|
| Valid government ID | Proves your identity and wallet ownership | Use the same name registered with the wallet if possible |
| Wallet account details | Helps provider locate your account | Include registered mobile number, email, wallet ID, and account name |
| Transaction history | Shows what was taken and when | Export or screenshot the full transaction list, not just one line |
| Transaction reference numbers | Needed for tracing and disputes | Copy exact reference numbers; do not rely only on screenshots |
| SMS, email, and app alerts | Shows timing and unauthorized activity | Preserve original messages and notification timestamps |
| Phishing links or fake pages | Helps investigators identify the scam method | Screenshot the page and copy the full link if safe to do so |
| Call logs and phone numbers | Useful for tracing social engineering | Save numbers, dates, times, and call duration |
| Bank or card statements | Shows linked-account losses | Request official statements if needed |
| Telco report | Important for SIM swap or lost SIM cases | Ask for written confirmation of SIM replacement or account changes |
| Sworn complaint or affidavit | Often required for formal investigation or extended holding | Have it notarized if required by the receiving office |
| Police, NBI, or PNP report | Supports fraud investigation and fund-holding requests | Bring printed copies and digital copies |
| SPA or authorization letter | Needed if someone reports for you | OFWs and foreigners abroad may need consular notarization or authentication depending on where the document is executed |
Practical timelines and bottlenecks
| Step | Typical timing | Common bottleneck |
|---|---|---|
| Account lock request | Same day if hotline or app support is responsive | Long queues, automated replies, lack of live agent |
| Initial disputed-fund hold | Up to 5 calendar days under BSP rules when applicable | Funds already withdrawn or moved to another institution |
| Extended holding request | Up to 25 more calendar days, total up to 30 unless court-extended | Missing sworn complaint, affidavit, police report, or supporting documents |
| Wallet provider investigation | Days to several weeks | Provider says transaction appeared “authorized” due to OTP or device match |
| BSP escalation | After first reporting to provider | Lack of proof that FCPAM was used first |
| NBI or PNP cybercrime complaint | Intake may be same day; investigation may take longer | Need for complete evidence, account records, subpoenas, coordination |
| Prosecutor or court process | Often months or longer | Identifying the real scammer behind mule accounts |
The biggest practical problem is speed. AFASA and BSP rules can help hold disputed funds, but only if the money is still within reachable accounts. Once funds are withdrawn, converted, or layered through several accounts, recovery becomes more difficult and the case shifts heavily toward investigation and restitution.
Common mistakes that hurt hacked-wallet claims
Waiting too long before reporting
Many victims wait because they are embarrassed or hope the wallet provider will reverse the transaction automatically. Delay can be costly. Report immediately even if you are still gathering documents.
Saying “I was scammed” without identifying unauthorized transactions
Be specific. List the transaction date, time, amount, recipient, and reference number. A clear disputed-transaction report is easier to act on than a general complaint.
Deleting the phishing message or fake account
Do not delete scam messages, emails, social media chats, or call logs. Even if the content is embarrassing, it may help establish fraud, identity theft, or social engineering.
Assuming a barangay blotter is enough
A barangay blotter may help show that you reported the incident, but hacked-wallet cases usually need action from the wallet provider, bank, BSP, NBI, PNP cybercrime units, or prosecutors. Barangay conciliation is not a substitute for cybercrime investigation.
Paying “recovery agents”
Be very careful with people who claim they can recover hacked-wallet funds for an upfront fee. Many are follow-up scammers targeting victims a second time.
Confusing a wrong transfer with hacking
If you personally sent money to the wrong number or wrong recipient, that is usually an erroneous transaction, not necessarily a hacked-wallet case. Report it quickly, but expect a different process. The receiving account holder may need to consent to reversal unless fraud or unlawful conduct is shown.
Special issues for OFWs, foreigners, and people abroad
You can still report a hacked Philippine e-wallet even if you are outside the Philippines. The important question is whether the wallet, bank, recipient account, victim account, device, or transaction has a Philippine connection.
AFASA recognizes Philippine jurisdiction in several situations, including where elements of the offense are committed in the Philippines, where a Philippine financial account is involved, or where relevant systems or infrastructure are in the Philippines. (Lawphil)
Practical tips for OFWs and foreigners:
- Use the provider’s official international support channels.
- Save all timestamps with time zones.
- Prepare a scanned valid ID matching the wallet’s KYC records.
- If someone in the Philippines will file for you, prepare a Special Power of Attorney or authorization.
- Documents executed abroad may need notarization, consular acknowledgment, apostille, or authentication depending on the country and intended use.
- If your foreign phone number, roaming SIM, or overseas email was compromised, preserve records from the foreign telco or email provider.
- If you are a foreigner using a Philippine wallet, keep copies of your passport, ACR I-Card if applicable, local SIM registration details, and proof of Philippine account ownership.
The DFA’s apostille and authentication guidance is relevant when Philippine documents are used abroad or when representatives need properly authenticated authority documents. (DFA Appointment System)
Can the e-wallet provider be liable?
Yes, depending on the facts.
A wallet provider is not automatically liable for every scam, especially if the transaction was authenticated using the correct device, PIN, biometrics, or OTP. However, liability may arise if the provider failed to apply required safeguards, ignored red flags, mishandled your report, failed to preserve or coordinate disputed funds, or violated BSP consumer protection rules.
AFASA requires financial institutions to protect account access with adequate risk management systems and recognizes restitution where failure to apply the required standard of diligence contributes to the loss. (Lawphil)
RA 11765 and BSP Circular No. 1160 also require BSP-supervised institutions to protect consumer assets against fraud and misuse, protect client information, and provide effective recourse. (Bureau of the Treasury)
Possible remedies may include:
- Reversal or refund through the provider’s investigation
- Temporary holding and return of disputed funds if still available
- BSP consumer assistance, mediation, or adjudication where applicable
- NPC complaint if data privacy obligations were breached
- Criminal complaint against the scammer or mule account holder
- Civil claim for damages or restitution in the proper forum
Frequently Asked Questions
Can I get my money back if my GCash, Maya, or other e-wallet was hacked?
Possibly, but it depends on how fast you report, whether the funds are still traceable, whether the receiving account can be held, and whether the provider finds unauthorized or fraudulent activity. Under AFASA and BSP rules, disputed funds may be temporarily held when reported and supported properly, but recovery becomes harder if the money has already been withdrawn or moved.
What if I gave my OTP or PIN because I was tricked?
Still report it immediately. Giving an OTP may make the provider argue that the transaction was authenticated, but phishing and social engineering are recognized under AFASA. The key facts are how you were deceived, what the scammer represented, how quickly you reported, and whether the provider’s systems detected or failed to detect suspicious activity.
Should I report first to BSP, NBI, PNP, or the wallet provider?
Report first to the wallet provider because it can lock the account, trace the transaction, and request temporary holding. At the same time, report to your linked bank, card issuer, or telco if involved. For criminal investigation, go to NBI Cybercrime Division or PNP Anti-Cybercrime Group. Escalate to BSP if the wallet or bank fails to act properly or you are dissatisfied after using its consumer assistance mechanism.
How fast do I need to report a hacked wallet?
Immediately. The first few minutes and hours are crucial. BSP rules allow an initial temporary hold of disputed funds for up to five calendar days when applicable, but that only helps if the funds are still in reachable accounts. Report even if you do not yet have every document.
Can the recipient account be frozen?
It may be temporarily held under AFASA and BSP rules if the transaction qualifies as disputed and the required process is triggered. For longer restraints, law enforcement or a court order may be needed depending on the facts and stage of the case.
Is a police report required before the e-wallet investigates?
Not always for the initial report. You should report to the provider immediately even before getting a police report. However, for extended holding, formal investigation, BSP escalation, or criminal complaint, you may be asked for a sworn complaint, affidavit, police report, or NBI/PNP cybercrime complaint documents.
What if the wallet provider says the transaction was valid because OTP was used?
Ask for the basis of the finding and escalate if necessary. Request details such as device logs, IP/location indicators where available, authentication method, account changes, and transaction timeline. If you disagree, escalate through the provider’s FCPAM, then BSP-CAM, and consider NBI/PNP reporting if fraud or identity theft occurred.
Can I file a complaint if my personal data or ID was used?
Yes. If your ID, selfie, phone number, email, credentials, or other personal data were compromised or misused, the Data Privacy Act may apply. The National Privacy Commission can receive complaints and investigate possible violations involving personal information or sensitive personal information.
Can OFWs or foreigners report a hacked Philippine e-wallet?
Yes. A Philippine e-wallet or Philippine financial account can still be the subject of a complaint even if the victim is abroad. Prepare digital evidence, IDs, transaction records, and an authorization or Special Power of Attorney if someone in the Philippines will file documents for you.
Key Takeaways
- Report a hacked online wallet immediately to the wallet provider and ask for account locking, investigation, and temporary holding of disputed funds.
- AFASA, RA 11765, RA 10175, RA 8484, the Data Privacy Act, the Civil Code, and the Revised Penal Code may all be relevant depending on the facts.
- Speed matters because disputed funds may be held only if they are still traceable and reachable.
- Preserve original evidence, including transaction references, screenshots, messages, emails, call logs, and device or SIM records.
- Escalate to BSP only after reporting first to the wallet provider or bank, unless the issue involves urgent guidance or a separate regulatory concern.
- Report cybercrime aspects to NBI Cybercrime Division, PNP Anti-Cybercrime Group, or the CICC 1326 hotline.
- If personal data was compromised, consider a complaint with the National Privacy Commission.
- OFWs and foreigners can report from abroad, but authority documents may need notarization, consular acknowledgment, apostille, or authentication depending on where and how they will be used.