A phishing link from an online lending app can quickly turn into a bigger problem: stolen GCash or Maya details, unauthorized bank transactions, fake “legal action” messages, contact-list harassment, or a cloned payment page that makes you think you are paying your loan when you are actually sending money to scammers. In the Philippines, the safest response is to preserve evidence first, secure your accounts, then report the link to the right agency depending on what happened: CICC/1326 for cybercrime and scams, SEC for lending or financing company violations, NPC for misuse of personal data, NBI or PNP-ACG for investigation, and your bank, e-wallet, telco, or app store when the link involves an account, phone number, or mobile app.
What Counts as a Phishing Link from an Online Lending App?
A phishing link is a fake or deceptive link designed to make you give up sensitive information, send money, install malware, or log in to a cloned website. In online lending app cases, the link usually arrives through:
- SMS or text message
- Viber, Messenger, Telegram, WhatsApp, or in-app chat
- A fake collection notice
- A “payment verification” page
- A link pretending to be from GCash, Maya, ShopeePay, a bank, or a known lending app
- A link to download an APK file outside Google Play or the Apple App Store
Common examples include:
- “Your loan will be referred to court today. Click here to settle.”
- “Update your account to avoid penalty.”
- “Verify your identity for loan approval.”
- “Pay through this link for discount/waiver.”
- “Your contacts will be notified unless you settle now.”
- “Download our new collection/payment app here.”
The danger is not only the link itself. The message may also involve illegal debt collection, unauthorized use of your contacts, identity theft, cyber fraud, or financial account scamming.
Immediate Steps Before You Report
Do these first, especially if the link is still active.
Do not click the link again. If you already clicked it, close the page immediately.
Do not enter passwords, OTPs, PINs, card numbers, or ID details.
Take screenshots showing:
- the full message;
- sender number, account name, or profile URL;
- date and time received;
- the suspicious link;
- the online lending app name;
- any threat, harassment, or payment instruction.
Copy the message text if possible, but avoid opening the link just to copy it.
Record the app details:
- app name;
- developer name;
- Google Play or App Store link;
- website, Facebook page, or contact number;
- loan account number or reference number, if any.
Secure your accounts immediately if you clicked the link:
- change your email, e-wallet, bank, and lending app passwords;
- enable two-factor authentication;
- call your bank or e-wallet to block suspicious transactions;
- revoke app permissions such as contacts, camera, files, SMS, and location;
- uninstall suspicious apps only after saving evidence.
Warn your contacts if the app or collector accessed your phonebook. A short message is enough: “Please ignore any loan-related message using my name. A suspicious lending app/link may be involved. Do not click.”
This evidence matters because investigators and regulators usually need more than a general statement like “na-scam ako.” Screenshots, sender details, URLs, timestamps, transaction receipts, and app details help establish what happened, who may be involved, and which agency has jurisdiction.
Legal Basis in the Philippines
Cybercrime Prevention Act: RA 10175
The main cybercrime law is Republic Act No. 10175, or the Cybercrime Prevention Act of 2012. Phishing is not always labeled “phishing” in the statute, but the conduct may fall under several punishable cybercrime offenses, depending on the facts.
Relevant offenses may include:
- Illegal access if someone gains access to your account, device, email, e-wallet, or system without authority.
- Computer-related fraud if deception through a computer system causes damage or loss.
- Computer-related identity theft if someone uses your identity or credentials without authority.
- Aiding, abetting, or attempting cybercrime if the person sends the link or helps the scheme even before money is successfully stolen.
- Revised Penal Code crimes committed through ICT, because RA 10175 also covers offenses punishable under the Revised Penal Code when committed by, through, or with the use of information and communications technology. (Lawphil)
Anti-Financial Account Scamming Act: RA 12010
If the phishing link tries to steal your bank, credit card, e-wallet, or other financial account details, Republic Act No. 12010, or the Anti-Financial Account Scamming Act (AFASA), signed in 2024, may apply. The law specifically covers social engineering schemes, including deception through electronic communications to obtain sensitive identifying information that results in unauthorized access or control over a financial account. It also covers money mule activities and allows temporary holding of disputed funds under legal conditions. (Lawphil)
This is important when the link asks for:
- GCash or Maya login details
- bank username or password
- OTP
- credit card details
- selfie verification
- online banking credentials
- account recovery codes
Data Privacy Act: RA 10173
The Data Privacy Act of 2012, RA 10173, protects personal information and gives individuals rights over the processing of their data. The National Privacy Commission (NPC) has authority to receive complaints, investigate, adjudicate, and award indemnity in matters involving personal information. (National Privacy Commission)
This becomes relevant when an online lending app or its collectors:
- accessed your contacts without proper authority;
- used your photos, IDs, or phonebook for harassment;
- sent messages to your employer, relatives, or friends;
- falsely told contacts that they are co-makers or guarantors;
- disclosed your loan, alleged debt, address, or personal details to third parties;
- used your personal data for purposes beyond the loan application.
The NPC has previously dealt with online lending app cases involving contact-list access, disclosure of loan information to third parties, threats, and excessive processing of personal data. In one NPC decision involving an online lending application, complaints included use of borrowers’ contact lists to contact third persons, disclosure of loan-related information, harassment, threats, and excessive processing beyond what was necessary.
SEC Regulation of Lending and Financing Companies
Online lending apps are not outside regulation simply because they operate through a phone app or website. Lending companies and financing companies are regulated under laws such as RA 9474, the Lending Company Regulation Act of 2007, and RA 8556, the Financing Company Act of 1998, as amended. The Securities and Exchange Commission (SEC) regulates lending and financing companies and records online lending platforms. (Lawphil)
The SEC has also warned the public about unrecorded online lending platforms and reminds users to verify authorized online lending platforms through the SEC. A 2026 SEC advisory reposted by a local government stated that listed unrecorded online lending platforms were not authorized to offer, process, or provide loan products through app stores or websites, and directed complaints to the SEC Financing and Lending Companies Department or the SEC iMessage portal. (Bulacan Government)
SEC Memorandum Circular No. 18, Series of 2019 also prohibits unfair debt collection practices by financing and lending companies, including threats, false representations, publication of borrower information, abusive language, and contacting persons in the borrower’s contact list other than those named as guarantors or co-makers.
Civil Code and Revised Penal Code Remedies
Depending on the facts, phishing-linked online lending abuse may also involve:
- Civil Code Articles 19, 20, and 21 — abuse of rights, acts contrary to law, and acts contrary to morals, good customs, or public policy that cause damage.
- Civil Code Article 26 — protection against prying into privacy, meddling with family relations, or similar acts causing humiliation.
- Revised Penal Code Article 282 or 283 — grave threats or light threats, if the collector threatens unlawful harm.
- Revised Penal Code Article 287 — unjust vexation, in some harassment situations.
- Revised Penal Code Article 315 — estafa, if deceit causes financial loss, subject to the facts and prosecutor’s evaluation.
- RA 8484, Access Devices Regulation Act, if the phishing involves credit cards, account access devices, or similar credentials.
The right label matters less at the reporting stage than the quality of your evidence. Investigators and prosecutors determine the proper charges after reviewing the documents and digital trail.
Where to Report Phishing Links from Online Lending Apps
| Situation | Where to Report | Best For |
|---|---|---|
| Suspicious link, scam message, phishing, fake payment page | CICC / I-ARC Hotline 1326 | Quick cybercrime/scam reporting and referral |
| Unauthorized lending app, abusive collection, fake loan app, unrecorded OLP | SEC iMessage / SEC Financing and Lending Companies Department | Regulatory complaint against lending or financing company |
| Contacts accessed, data shared, photos/IDs used, privacy violation | National Privacy Commission | Data privacy complaint |
| Money stolen, account hacked, identity theft, repeated cyber harassment | NBI Cybercrime Division or PNP Anti-Cybercrime Group | Criminal investigation |
| Bank, e-wallet, card, OTP, or online banking involved | Bank/e-wallet provider immediately | Blocking, dispute, temporary hold, account recovery |
| Scam text or suspicious mobile number | Your telco and/or NTC-related reporting channel | Number blocking, SIM-related action |
| App still available on Google Play or App Store | Google Play / Apple App Store reporting tools | App review, takedown, platform enforcement |
| Link appears in Google search or browser warnings are needed | Google Safe Browsing phishing report | Browser/search protection against malicious URLs |
Step-by-Step: How to Report Properly
1. Report the Scam or Phishing Link to CICC / Hotline 1326
For cyber scams, the most practical first report is often through the Inter-Agency Response Center (I-ARC) Hotline 1326, handled through the government’s cybercrime response network. Government sources describe Hotline 1326 as a 24/7 channel for scams including phishing, text scams, email scams, caller ID spoofing, romance scams, investment scams, and other online scams. (Philippine Information Agency)
Prepare the following before contacting 1326:
- your full name and contact number;
- screenshot of the message;
- suspicious URL;
- sender number or account;
- name of the lending app;
- amount lost, if any;
- bank/e-wallet reference number, if money was transferred;
- brief timeline of what happened.
A simple report summary can be:
“I received a phishing link from a person claiming to collect for an online lending app. The message threatened legal action and asked me to pay through a suspicious link. I did not authorize the use of my personal data. I have screenshots, sender details, the URL, and the app name.”
2. Report the Online Lending App or Collector to the SEC
Report to the SEC if the issue involves:
- an online lending app operating without clear SEC authority;
- a lending or financing company using phishing links;
- false payment portals;
- abusive collection messages;
- threats or false claims of court cases, warrants, or barangay blotters;
- disclosure of your debt to contacts;
- harassment by third-party collectors.
The SEC’s iMessage SEC-Wide Ticketing System is its web-based platform for public inquiries, complaints, incidents, and requests. The SEC user guide explains that iMessage generates electronic tickets and allows users to track status and reply to the handling agent. (Securities and Exchange Commission)
Basic process:
Go to the SEC iMessage portal.
Choose “Open a New Ticket.”
Sign in or create the required account.
Select the service related to complaints on financing and lending companies, or the closest available complaint category.
Upload evidence:
- screenshots;
- payment receipts;
- loan agreement;
- app screenshots;
- URL;
- sender details;
- proof of harassment or threats.
Keep the ticket number.
The SEC iMessage guide shows that users can post replies and upload files to an existing ticket, so do not create multiple duplicate complaints if you simply need to add evidence. (Securities and Exchange Commission)
3. File a Data Privacy Complaint with the NPC
Report to the National Privacy Commission if the phishing link is connected to misuse of personal data. This is especially important if the lending app accessed your phone contacts, sent messages to your friends or employer, used your photos, or disclosed your debt to third parties.
The NPC complaint process generally requires a filled-out and notarized complaint-assisted form or verified complaint, together with evidence and witness affidavits. The NPC states that complaints may be filed personally, by registered mail, by courier, or by electronic mail as authorized by the Commission; electronic documents should be in PDF format when practicable. (National Privacy Commission)
Useful attachments include:
- screenshots of messages sent to you;
- screenshots from relatives, friends, co-workers, or employers who received messages;
- proof that the sender identified you or your debt;
- app permission screenshots;
- privacy policy or terms shown by the app;
- ID used in the loan application;
- loan account details;
- affidavit of the borrower;
- witness affidavits from contacts who received harassment messages.
A common bottleneck is lack of notarization. If the NPC requires a verified or notarized complaint, a plain email narration may not be enough to start formal adjudication.
4. Report to NBI Cybercrime Division or PNP Anti-Cybercrime Group
Go to law enforcement when:
- money was stolen;
- your account was hacked;
- your identity was used;
- the sender continues to threaten you;
- there are multiple victims;
- the link installs malware;
- there are fake warrants, fake subpoenas, or fake court documents;
- you need investigation, preservation of digital evidence, subpoenas, or possible criminal charges.
The NBI Cybercrime Division’s citizen charter for investigative assistance to victims of computer crimes states that the general public may seek assistance, undergo preliminary interview and initial investigation, execute sworn statements, submit prepared affidavits, and provide devices or documents relevant to the probe. It lists no fee for the initial steps and gives an indicative initial processing period, although the full investigation naturally takes longer depending on evidence and coordination. (National Bureau of Investigation)
Bring:
- government ID;
- printed screenshots;
- digital copies on phone or USB;
- transaction receipts;
- sender numbers and account links;
- the suspicious URL;
- your phone containing original messages;
- a written timeline;
- names of witnesses;
- notarized affidavit, if already prepared.
Do not edit screenshots. Keep original messages if possible because investigators may need metadata or to compare them with screenshots.
5. Report to Your Bank, E-Wallet, or Card Provider
If you entered credentials or lost money, contact your bank or e-wallet immediately. This is time-sensitive.
Ask for:
- account locking or temporary blocking;
- password/PIN reset;
- transaction dispute filing;
- reversal investigation;
- temporary holding of suspicious funds if still possible;
- replacement card or wallet security review;
- incident reference number.
Under RA 12010, financial institutions have mechanisms relating to disputed transactions, fraud management systems, temporary holding of disputed funds under legally prescribed periods, and coordinated verification. This is why fast reporting matters: if funds are still traceable within the system, there may be more options than if the money has already been withdrawn or transferred through multiple accounts. (Lawphil)
6. Report the Mobile Number to Your Telco
If the phishing link came by SMS or call, report the sender number to your telco using its official scam-reporting channel. Under the SIM Registration Act IRR, public telecommunications entities are required to provide user-friendly reporting mechanisms for end-users to report potentially fraudulent texts or calls. The IRR also defines spoofing and provides that subscriber information is confidential, subject to limited disclosure through legal processes such as subpoena based on a sworn written complaint involving criminal, malicious, fraudulent, or unlawful acts. (Supreme Court E-Library)
This means a telco customer service agent will usually not simply reveal the identity of a number owner to you. Law enforcement or another competent authority normally handles identity requests through legal process.
7. Report the App or Link to Google, Apple, or Browser Protection Tools
If the lending app is still visible on Google Play, report it through Google Play’s “Flag as inappropriate” option on the app page. Google’s support instructions say users can open the app’s detail page, tap the menu, choose “Flag as inappropriate,” select a reason, and submit. (Google Help)
If the phishing page itself is still active, report the URL to browser and search protection services such as Google Safe Browsing. This will not replace a Philippine legal complaint, but it can help warn users and reduce further victims.
What to Include in Your Complaint
Use a short, organized format. Agencies receive many complaints, so clarity helps.
Suggested Complaint Structure
Your details
- full name;
- mobile number;
- email;
- address or city/province;
- whether you are the borrower, contact person, or third-party victim.
Respondent details
- online lending app name;
- company name, if known;
- collector name or account;
- phone number, email, social media account;
- website or app store link.
Incident summary
- date and time received;
- what the message said;
- what the link asked you to do;
- whether you clicked;
- whether you entered information;
- whether money was lost;
- whether your contacts were messaged.
Legal concern
- phishing/cyber fraud;
- data privacy violation;
- abusive debt collection;
- identity theft;
- unauthorized transaction;
- fake lending app.
Evidence list
- screenshots;
- link;
- receipts;
- app details;
- messages from contacts;
- IDs or documents used;
- bank/e-wallet reference numbers.
Requested action
- investigate the link and sender;
- record the complaint;
- require the company to respond;
- stop misuse of personal data;
- assist in blocking the link, number, or app;
- refer for criminal investigation if warranted.
Common Mistakes That Weaken Reports
Deleting Messages Too Early
Many victims delete texts out of fear or embarrassment. Save them first. Screenshots help, but original messages are better.
Reporting Only to the Barangay
A barangay blotter may document harassment, but barangays generally cannot trace phishing links, compel telcos to identify SIM users, investigate cybercrime infrastructure, or order app takedowns. Use the barangay only for local documentation or mediation issues, not as your only report.
Paying Through a Random Link
If you truly owe a loan, pay only through the official payment channels stated in your loan agreement or verified app. A collector’s personal QR code, shortened URL, or “discount link” is risky.
Assuming a Legitimate Debt Makes Harassment Legal
A lender may collect a valid debt, but it cannot use threats, deception, unauthorized disclosure, contact-list harassment, or phishing tactics. A real loan does not legalize unlawful collection methods.
Filing a Privacy Complaint Without Witness Screenshots
If your friends or co-workers received messages, ask them to screenshot the message with the sender, date, and time visible. Their screenshots and affidavits can be stronger than your statement alone.
Sending Only a Long Emotional Narrative
Explain what happened clearly, but attach proof. Agencies act more effectively on specific facts: who sent what, when, through what number/account, what link, what loss, and what evidence.
Special Situations
If You Are a Contact Person, Not the Borrower
You can still report. If a lending app messages you about someone else’s debt, threatens you, or claims you are a co-maker when you never agreed, your own personal data may have been misused. Save the messages and report to the NPC, SEC, and CICC as appropriate.
If the Message Says There Is a Warrant or Court Case
Collectors often misuse legal language. In the Philippines, a private collector cannot issue a warrant, cannot order arrest, and cannot create a criminal case by text message. Court notices do not normally arrive through suspicious payment links. Save the message and report it as possible deception, threat, or unfair collection practice.
If You Are a Foreigner in the Philippines
Foreigners can report cybercrime, scams, and privacy violations in the Philippines when the incident happened here, involved Philippine accounts, or used Philippine services. If a SIM is involved, note that the SIM Registration Act IRR provides special rules for foreign nationals: tourist SIMs are generally temporary for 30 days unless extended through an approved visa extension, while foreign nationals with other visa types may register under the telco’s process without the same 30-day tourist validity limit. (Supreme Court E-Library)
If you need to execute an affidavit while abroad, the receiving Philippine agency may require notarization, consular acknowledgment, or apostille depending on where the document is signed and how it will be used. Keep passport pages, visa details, Philippine contact number records, and transaction receipts.
If You Are an OFW or Filipino Abroad
You can start with online reporting channels such as SEC iMessage, NPC’s authorized complaint submission process, and CICC reporting channels. For formal sworn complaints, prepare a detailed affidavit and ask the receiving agency whether it needs consular notarization or apostille. If money was taken from a Philippine bank or e-wallet, report to that institution immediately even while abroad.
If You Still Owe the Lending App Money
Reporting phishing or harassment does not automatically cancel a valid loan. Treat the issues separately:
- dispute the phishing, harassment, or privacy violation;
- continue asking for an official statement of account;
- pay only through verified official channels;
- keep receipts;
- do not pay through threats or suspicious links;
- report unfair collection even if the debt itself is real.
Practical Timelines and Bottlenecks
| Step | Usual Timing | Common Bottleneck |
|---|---|---|
| Hotline or cyber scam report | Same day | Incomplete screenshots or missing URL |
| Bank/e-wallet blocking | Immediate to a few days | Report made after funds moved out |
| Telco scam number report | Same day to several days | Sender used spoofing or disposable SIM |
| SEC iMessage ticket | Ticket created online; review may take weeks or longer | Wrong app/company name or no proof of SEC-regulated entity |
| NPC formal complaint | Filing depends on notarized documents; proceedings may take months | Complaint not verified/notarized or missing witness proof |
| NBI/PNP cybercrime investigation | Initial interview may be same day; investigation varies | Need for subpoenas, platform data, telco coordination |
| App store or phishing URL report | Varies | Link goes inactive, app changes name, developer uses mirror apps |
The biggest practical problem is speed. Phishing pages can disappear in hours, phone numbers can be discarded, and money can move through several accounts. Preserve evidence immediately and report financial loss first to the bank or e-wallet.
Frequently Asked Questions
Can I report a phishing link even if I did not lose money?
Yes. A phishing attempt can still be reported, especially if it asks for OTPs, passwords, IDs, e-wallet details, or payment through a suspicious link. Attempted cybercrime, attempted fraud, or platform abuse may still be relevant depending on the facts.
Which agency should I report to first?
If there is an immediate scam or suspicious link, start with CICC Hotline 1326 and your bank/e-wallet if financial accounts are involved. If the sender is an online lending app or collector, also report to the SEC. If your personal data or contacts were misused, report to the NPC.
Is an online lending app allowed to message my contacts?
Not simply because you installed the app. The NPC has treated contact-list misuse and disclosure of borrower information to third parties as serious data privacy issues in online lending cases. SEC rules also prohibit certain unfair collection practices, including improper disclosure and contacting people in the borrower’s contact list who were not named as guarantors or co-makers.
What if the lending app says I consented by accepting the terms?
Consent must still meet legal standards. Under the Data Privacy Act, processing must follow transparency, legitimate purpose, and proportionality. Excessive access to contacts, photos, files, or third-party information may still be questioned even if the app shows a broad consent clause.
Can the police or NBI trace the phishing link?
They may investigate using cybercrime tools, subpoenas, platform requests, telco records, hosting data, and financial transaction trails. Success depends on how quickly the report is made, whether records still exist, whether the scammer used foreign infrastructure, and whether there is enough evidence to identify accounts or devices.
Can I sue the lending app for damages?
Possible remedies depend on the evidence. Civil claims may be based on the Civil Code, privacy violations, contractual issues, or other laws. Administrative complaints before the SEC or NPC may also lead to regulatory action. Criminal cases require prosecutor evaluation and proof of the proper offense.
Should I uninstall the online lending app immediately?
If the app is suspicious, first save evidence: app name, account screen, loan details, permissions, messages, and payment instructions. Then revoke permissions, secure your accounts, and uninstall if needed. If you will report to NBI or PNP, keep the device and original messages available when possible.
What if the phishing link came from a real collector?
A real collector can still commit violations. Being connected to an actual debt does not excuse deceptive links, threats, public shaming, unauthorized data disclosure, or attempts to obtain passwords, OTPs, or e-wallet credentials.
Do I need a lawyer to report?
For initial reports to CICC, SEC iMessage, telcos, banks, app stores, or law enforcement intake, you can usually report on your own. For formal affidavits, NPC complaints, criminal complaints, or court cases, organized documents and properly sworn statements are important.
Key Takeaways
- Do not click or pay through suspicious lending app links.
- Preserve screenshots, URLs, sender details, app details, receipts, and witness messages.
- Report scam or phishing incidents to CICC Hotline 1326 and law enforcement if needed.
- Report lending app misconduct to the SEC, especially if the app is unrecorded or uses abusive collection tactics.
- Report misuse of contacts, photos, IDs, or personal data to the National Privacy Commission.
- Contact your bank, e-wallet, or card provider immediately if credentials or money are involved.
- A real debt does not give any lender or collector the right to phish, threaten, shame, or misuse personal data.