Phishing in Turkey: Legal Framework, Bank Responsibility, and Victim Remedies

Introduction

Phishing in Turkey has become one of the most prevalent forms of banking fraud, typically executed via SMS or email links that mimic official bank communications. Under Turkish law, these attacks are prosecuted as aggravated fraud when committed through digital systems, while banks remain subject to strict security obligations imposed by the Banking Law, BDDK regulations, and KVKK. This article sets out the applicable legal framework, clarifies when banks may be liable alongside the offender, and explains the practical steps victims should take to recover their losses.


1. Legal Framework Governing Phishing in Turkey

a) Turkish Penal Code (TCK)

  • Article 157 – Fraud: Defines fraud as deceiving someone through false representations for unlawful gain.
  • Article 158 – Aggravated Fraud: When fraud is committed through digital platforms, online systems, or by exploiting trust, penalties increase to 3–10 years' imprisonment plus judicial fines.
  • Article 243 – Unauthorized Access to IT Systems: Penalizes illegal access to computer systems.
  • Article 244 – Data Interference: Covers altering, deleting, or misusing digital data.
  • Article 245 – Unauthorized Use of Bank or Credit Cards: Using another person’s card information without consent is punishable by 3–6 years' imprisonment.

Phishing usually involves a combination of these crimes, often prosecuted under Article 158 (aggravated fraud) due to the use of digital means.


b) Banking Law and BDDK Regulations

Under the Banking Law (Law No. 5411) and BDDK regulations, banks are required to:

  • Implement strong customer authentication systems, including two-factor authentication (2FA), SMS verification, and mobile confirmation codes.
  • Monitor suspicious transactions and alert customers when unusual activities occur.
  • Maintain secure information technology systems to protect customer data.

A key regulation is the “Regulation on Banks’ Information Systems and Electronic Banking Services” (effective 2021), which explicitly requires banks to use multi-factor authentication and to carry out risk-based monitoring of activity.


c) KVKK (Law on the Protection of Personal Data, No. 6698)

Phishing involves the unlawful acquisition of personal data. Victims’ personal information, login details, and financial data are considered personal data under KVKK.

  • Data Controllers (banks) must adopt adequate security measures.
  • If negligence exists in preventing data breaches, banks may also face administrative fines under KVKK.

2. Judicial Approach and Bank Responsibility

Yargıtay (Court of Cassation) Decisions

The Turkish Court of Cassation has repeatedly ruled that:

  • If a transaction occurs without the customer’s knowledge or consent, and the bank failed to apply adequate security measures (such as SMS confirmation or fraud detection), the bank may be held liable for the loss.
  • If the bank proves it has fulfilled all obligations (2FA, timely warnings, system integrity), liability may shift entirely to the fraudster.

For example:

  • In multiple cases, Yargıtay has held banks jointly responsible for losses when they did not take reasonable measures to detect fraudulent transactions.
  • In contrast, if a customer voluntarily gave away their password or ignored explicit security warnings, courts may reduce or eliminate the bank’s liability.

3. Remedies Available for Victims

a) Criminal Remedies

Victims can file a complaint with the Public Prosecutor’s Office. The offender (if identified) may face charges for:

  • Aggravated fraud (TCK Art. 158),
  • Unauthorized use of banking information (TCK Art. 245),
  • Cybercrimes related to IT systems (TCK Art. 243–244).

Even if the fraudster resides abroad, Interpol red notices and international judicial cooperation may be used.


b) Civil Remedies

Victims may also seek financial compensation through civil proceedings:

  • Against the Offender: A direct lawsuit for damages under tort liability (Turkish Code of Obligations, Art. 49).
  • Against the Bank: If the bank failed to take necessary precautions, victims can sue for damages based on contractual liability and negligence.

c) Administrative Remedies

  • Victims can lodge complaints with the BDDK (banking authority) and the KVKK Board regarding the bank’s compliance failures.
  • If the bank’s security measures were inadequate, regulatory penalties may be imposed.

4. Who Can the Victim Claim Compensation From?

This is the most critical practical question. Victims usually wonder: should they pursue the fraudster, the bank, or both?

  • From the Fraudster (Primary Responsibility):
    • The offender is the main culprit.
    • Criminal proceedings will punish the fraudster.
    • Victims can file a civil lawsuit against them to reclaim stolen funds.
  • From the Bank (Secondary, Conditional Responsibility):
    • If the bank failed in its duty of care (e.g., no SMS confirmation, no fraud detection, weak IT systems), Yargıtay has held banks liable for compensating victims.
    • If the bank complied fully with regulations and the customer was negligent (e.g., voluntarily entered their password into a phishing site), the bank may not be held responsible.
  • Practical Approach:
    • Victims usually pursue both the offender and the bank simultaneously.
    • Courts determine liability distribution based on evidence of negligence.

5. Preventive Measures for Customers

  • Always verify official bank domains; banks never request passwords through SMS or email.
  • Never click suspicious links; log in directly via official banking apps.
  • Enable all available security features, including push notifications and biometric login.
  • Immediately report suspicious activity to your bank to block further transactions.

Conclusion

Phishing in Turkey is a serious cybercrime addressed under the Turkish Penal Code, Banking Law, BDDK regulations, and KVKK. Victims are not powerless:

  • Criminal law ensures punishment of offenders.
  • Civil law provides routes to compensation, either from the fraudster or, in some cases, from the bank.
  • Yargıtay’s case law emphasizes that banks cannot escape liability if they fail to implement robust security systems.

✅ In summary: Victims can claim their losses primarily from the fraudster, but if the bank’s negligence contributed, they can also claim compensation from the bank.
