Introduction
Banking fraud in Turkey is one of the most serious legal risks faced by individuals, companies, banks, payment institutions, merchants, investors and financial intermediaries. As banking services move rapidly into digital channels, fraud schemes have become more complex, faster and more difficult to detect. Fraudsters may use phishing links, fake bank websites, SIM swap attacks, malware, social engineering, remote access applications, stolen credit card data, mule accounts, fake investment schemes, forged payment instructions, fake invoices or business e-mail compromise methods to obtain unlawful financial benefit.
A banking fraud case in Turkey is rarely a simple dispute between two private parties. It may have civil consequences, such as compensation claims against banks, merchants, telecom operators or fraudsters. It may have criminal consequences, including investigation for fraud, qualified fraud, misuse of bank or credit cards, unlawful access to information systems, forgery, money laundering or participation in a criminal organization. It may also have regulatory consequences, especially where banks or financial institutions fail to comply with electronic banking security, anti-money laundering, customer identification, suspicious transaction reporting, banking confidentiality or internal control obligations.
Turkish banking law is based on the protection of confidence and stability in financial markets. Banking Law No. 5411 states that its purpose is to ensure confidence and stability in financial markets, support the efficient functioning of the credit system and protect depositors’ rights and interests. The same law regulates banking activities, credit exposure, confidentiality, bank management, supervision and regulatory obligations.
This article provides a comprehensive legal guide to banking fraud in Turkey, focusing on civil liability, criminal offenses, regulatory duties, evidence, remedies, compensation claims and practical steps for victims.
1. What Is Banking Fraud in Turkey?
Banking fraud can be broadly defined as unlawful conduct involving deception, unauthorized access, misuse of banking instruments, manipulation of payment systems or exploitation of financial institutions to obtain money, credit, goods, services or other economic benefit.
In Turkey, banking fraud may occur in many forms:
Online banking fraud, mobile banking fraud, credit card fraud, debit card fraud, phishing, SIM swap fraud, fake call center fraud, remote access fraud, ATM fraud, forged bank documents, fake loan offers, fake investment platforms, unauthorized EFT or FAST transfers, SWIFT fraud, business e-mail compromise, invoice redirection fraud, money mule accounts, forged cheques, fake bank guarantees, misuse of POS systems, virtual POS fraud and fraudulent loan applications.
The legal classification depends on the method used. If the fraud is committed through deception and a bank or information system is used as an instrument, qualified fraud may be considered. If bank or credit cards are acquired or used without consent, the specific offense concerning bank or credit cards may apply. If illegal proceeds are transferred or hidden, money laundering rules may become relevant. If the fraud involves unauthorized access to banking systems, cybercrime provisions may also arise.
2. Main Legal Framework for Banking Fraud
Banking fraud in Turkey is governed by multiple legal sources. The most important legal areas include:
Banking Law No. 5411, Turkish Penal Code No. 5237, Bank Cards and Credit Cards Law No. 5464, Regulation on Information Systems and Electronic Banking Services of Banks, Law No. 5549 on Prevention of Laundering Proceeds of Crime, Consumer Protection Law No. 6502, Personal Data Protection Law No. 6698, Turkish Code of Obligations, Turkish Commercial Code and Enforcement and Bankruptcy Law.
For electronic banking, the BRSA Regulation on Information Systems and Electronic Banking Services is highly relevant because it sets minimum procedures and principles for banks’ information systems, electronic banking services, risk management and information systems controls.
For credit card fraud, Law No. 5464 is important because it regulates card issuing institutions, cardholder information, transaction records, objections and security duties. The law requires card issuing organizations to provide adequate information and, upon request, submit transaction records within defined periods.
For anti-money laundering, Law No. 5549 states that its objective is to determine the principles and procedures for preventing the laundering of proceeds of crime.
3. Criminal Consequences of Banking Fraud
Banking fraud may lead to criminal investigation and prosecution. The applicable offense depends on the factual conduct.
The Turkish Penal Code regulates ordinary fraud and qualified fraud. Article 158 includes qualified fraud where the offense is committed by using information systems, banks or lending institutions as instruments. This provision is highly relevant in online banking fraud, fake loan schemes, phishing-based account takeover and bank-assisted deception cases.
Another important provision is Article 245 of the Turkish Penal Code, which criminalizes improper use of bank or credit cards. It covers acquiring, holding or using another person’s bank or credit card without consent, or securing benefit for oneself or third parties through such use.
Depending on the facts, additional offenses may arise. These may include forgery of private or official documents, unlawful access to information systems, obstruction or disruption of an information system, data manipulation, misuse of trust, theft, laundering of assets acquired from an offense, or membership in a criminal organization.
A criminal complaint should not be drafted in generic terms. It should identify the exact method of fraud, transaction dates, account numbers, recipient accounts, phone numbers, IP addresses if available, phishing links, messages, bank responses and persons involved. A strong criminal complaint should ask the prosecutor to request urgent bank records, freeze suspicious accounts where possible, identify mule account holders and obtain digital evidence before it disappears.
4. Qualified Fraud Through Banks and Information Systems
Many banking fraud cases are evaluated under qualified fraud because fraudsters often use banks, payment systems or information systems as instruments. Examples include fake bank websites, fake investment accounts, fraudulent loan advertisements, e-commerce payment fraud, fake escrow accounts and deception through online banking channels.
The key element is deception. The victim must be misled by fraudulent conduct, and the offender must obtain unlawful benefit by causing loss. Where electronic systems or banks are used as instruments, the offense may become qualified.
In practice, prosecutors and courts examine whether the fraudster created a false appearance of trust. For example, use of a bank logo, fake bank employee identity, spoofed phone number, forged receipt, fake IBAN ownership, fake payment screen or fraudulent investment platform may strengthen the allegation of deception.
However, not every banking loss is automatically criminal fraud. A civil loan dispute, ordinary commercial non-payment or contract breach may not constitute fraud unless deception existed from the beginning or criminal intent can be shown. The distinction between civil debt and criminal fraud is therefore critical.
5. Misuse of Bank or Credit Cards
Credit card and debit card fraud frequently falls under Article 245 of the Turkish Penal Code. This may include using another person’s physical card, stolen card information, copied card data, unauthorized online card transactions, card-not-present fraud, or use of card details obtained through phishing.
Card fraud disputes often include both criminal and civil aspects. The criminal case targets the offender. The civil case may involve the bank, merchant, payment institution or card network depending on who failed to prevent or reverse the unauthorized transaction.
Important evidence includes transaction slips, 3D Secure records, SMS approvals, cardholder objection, merchant records, IP logs, delivery address, device information, chargeback documents and bank response.
If the customer promptly reports unauthorized card use, the bank’s conduct after notification becomes important. Failure to block the card or process objections properly may create civil liability.
6. Online Banking Fraud
Online banking fraud usually involves unauthorized access to a customer’s bank account through internet banking or mobile banking. Fraudsters may obtain credentials through phishing, malware, fake applications, social engineering or remote access software.
The legal question is often whether the transaction was truly authorized and whether the bank fulfilled its professional security duties. Banks usually argue that the correct password, device approval, SMS code or mobile confirmation was used. Victims argue that the bank failed to detect abnormal behavior, new device registration, suspicious IP address, unusual transfer amount, rapid account emptying or transfer to suspicious recipient accounts.
Electronic banking records are decisive. These may include login time, IP address, device ID, SIM card status, recipient account data, transfer amount, authentication method, mobile approval records, SMS records, fraud monitoring alerts and call center records.
A banking fraud lawsuit should be supported by a precise timeline. Courts are more likely to understand the case if the petition shows when the victim received the phishing message, when the login occurred, when the transfer was made, when the victim notified the bank and when the bank acted.
7. Phishing Fraud
Phishing is one of the most common banking fraud methods in Turkey. Fraudsters send fake SMS messages, e-mails, social media messages or advertisements that appear to come from a bank, cargo company, public authority, tax office, e-commerce platform or payment provider. The victim clicks a link and enters credentials, card details or one-time passwords into a fake website.
Phishing cases create a difficult civil liability question. The bank may argue that the customer voluntarily entered security credentials into a third-party fake website. The customer may argue that the bank failed to prevent a suspicious transaction or did not use adequate fraud detection.
A strong claimant argument should focus on objective abnormality. Was the transfer inconsistent with the customer’s history? Was the recipient new? Was the amount unusually high? Did the customer’s account become empty within minutes? Was there a recent device change? Did the bank send meaningful warnings? Did the bank contact the customer before processing the transaction?
The answer may determine whether the loss is allocated to the customer, bank or both.
8. SIM Swap Banking Fraud
SIM swap fraud occurs when criminals unlawfully obtain control of the victim’s mobile phone number. They may then receive SMS verification codes and access online banking. This fraud type may involve telecom operator negligence, fake identity documents, insider assistance or weak verification procedures.
In SIM swap cases, both the bank and telecom operator may be examined. The telecom operator may be questioned for issuing a replacement SIM card without adequate identity verification. The bank may be questioned for permitting high-risk transactions immediately after a SIM change.
Evidence may include SIM replacement records, GSM operator logs, bank authentication records, SMS delivery records, transaction times, new device data, IP information and customer complaint records.
The timing is often critical. If the SIM replacement occurred shortly before the fraudulent transfer, and the bank processed a large transaction without additional verification, the victim may have stronger civil arguments.
9. Remote Access Application Fraud
Remote access fraud occurs when fraudsters convince victims to install applications that allow screen sharing or remote control. The fraudster may then observe banking credentials, approve transactions or guide the victim to approve transfers.
Banks may argue that the customer personally approved the transaction. Victims may argue that they were manipulated and that the transaction was suspicious enough to require intervention.
Courts may examine whether the transaction pattern was abnormal, whether the bank’s warnings were clear, whether new recipients were added, whether transfer limits were changed, whether several transfers occurred rapidly and whether the bank’s fraud monitoring system reacted.
Remote access cases require careful digital evidence collection. Victims should preserve application installation records, call logs, screenshots, messages and bank notifications.
10. Corporate Banking Fraud
Corporate banking fraud often differs from consumer fraud. Companies may be targeted through business e-mail compromise, fake supplier payment instructions, invoice redirection, forged board resolutions, unauthorized online banking user access, fake bank guarantee documents or internal employee fraud.
In business e-mail compromise, fraudsters may imitate a supplier or company executive and instruct payment to a fraudulent IBAN. In internal fraud, an employee with banking access may transfer funds without authority. In forged instruction cases, fraudsters may submit false payment orders to the bank.
Civil liability depends on the agreed banking mandate and security procedures. Did the bank follow authorized signatory rules? Was dual approval required? Were payment instructions verified? Did the bank ignore suspicious circumstances? Did the company fail to maintain internal controls?
Corporate customers are generally expected to have more sophisticated controls than consumers. However, banks still must follow agreed procedures and professional banking standards.
11. Money Mule Accounts
Many banking fraud schemes use money mule accounts. A mule account is an account used to receive, transfer or withdraw fraud proceeds. The account holder may be knowingly involved, negligent, manipulated or recruited through fake job advertisements.
Once stolen money enters a mule account, it may be withdrawn quickly or transferred through multiple accounts. This creates recovery difficulties.
From a criminal perspective, mule account holders may be investigated for fraud participation, money laundering, aiding, or other offenses depending on intent and conduct. From a civil perspective, the victim may claim unjust enrichment, tort damages or restitution against the recipient account holder if identifiable.
Banks holding mule accounts may also face regulatory questions if suspicious transaction patterns were obvious and not monitored. However, bank liability is not automatic; the facts must show a breach of duty and causal link.
12. Civil Consequences: Compensation Claims
A banking fraud victim may bring a civil compensation claim against the fraudster, recipient account holder, bank, merchant, telecom operator or other responsible parties depending on the facts.
A compensation claim against a bank usually requires proof of:
A fraudulent or unauthorized transaction; financial loss; bank breach of statutory, contractual or professional duty; and causal link between the bank’s breach and the loss.
The bank may defend itself by arguing that the customer was negligent, shared credentials, approved the transaction, ignored warnings, delayed notification or used an insecure device. The victim may respond that the bank’s security system was inadequate, the transaction was objectively suspicious, the bank failed to block the transfer after notification, or the bank did not preserve records.
In some cases, courts may allocate fault between bank and customer. The result depends on evidence and expert analysis.
13. Bank Liability in Banking Fraud Cases
Banks are not insurers against all fraud. However, they are professional institutions expected to operate secure systems, monitor suspicious activity and respond quickly to fraud notifications.
The BRSA regulation on electronic banking services is important because it sets minimum principles for banks’ information systems, electronic banking services and related risk management.
Bank liability may arise if the bank:
Uses weak authentication; fails to detect suspicious transfers; ignores abnormal transaction patterns; does not block the account after fraud notification; fails to preserve transaction logs; processes transactions despite obvious security alerts; does not comply with card objection procedures; or discloses customer secrets enabling fraud.
However, each case is fact-specific. A claim should not rely only on the general statement that “banks are responsible.” It must show what the bank should have done, what it failed to do, and how that failure caused the loss.
14. Customer Negligence and Comparative Fault
Customer negligence is a major defense in banking fraud cases. Banks often argue that the victim shared credentials, entered passwords into fake websites, approved mobile notifications, installed remote access software, gave SMS codes to fraudsters or failed to notify the bank in time.
Turkish courts may consider whether the customer acted with reasonable care. For consumers, the expected level of technical knowledge may be lower. For commercial customers, especially companies using corporate banking systems, the expected level of care may be higher.
Comparative fault may reduce compensation. For example, if the bank’s monitoring was weak but the customer also shared security codes despite clear warnings, the court may allocate responsibility between the parties.
The factual details are decisive. Generic warnings may not be enough if the transaction was highly suspicious. Conversely, strong bank records showing clear customer approval may weaken the customer’s claim.
15. Consumer Remedies in Banking Fraud
If the victim is a consumer, consumer law remedies may apply. The victim may file a written complaint with the bank, apply to the Banks Association of Türkiye customer complaint mechanisms where applicable, apply to a Consumer Arbitration Committee for disputes below the statutory threshold, or file a consumer court lawsuit after required pre-litigation steps.
For 2026, consumer disputes below TRY 186,000 may be brought before provincial or district Consumer Arbitration Committees; disputes at or above that amount cannot be decided by those committees and generally require mediation and consumer court proceedings.
In consumer banking fraud cases, the petition should include the fraud timeline, disputed transactions, complaint records, bank response, criminal complaint, evidence of lack of authorization, and legal basis for bank liability.
16. Commercial Remedies in Banking Fraud
If the victim is a company, the dispute is usually commercial. The company may send a legal notice to the bank, request preservation of logs, file a criminal complaint, initiate mandatory commercial mediation where required, file a commercial lawsuit, seek interim measures and pursue recipient account holders.
Commercial banking fraud claims often require detailed review of corporate banking agreements, authorized users, dual approval rules, internal company procedures, payment instruction protocols and bank security duties.
A company should act quickly. It should notify the bank immediately, request recall of transfer, contact recipient bank, file criminal complaint, preserve e-mails and verify whether internal credentials were compromised.
17. Criminal Complaint Strategy
A criminal complaint in a banking fraud case should be specific and evidence-based. It should include:
Victim identity, bank name, account number, transaction dates, transaction amounts, recipient accounts, recipient names if known, suspicious phone numbers, SMS messages, phishing links, e-mail headers, screenshots, device information, bank complaint records, call center records, SIM swap evidence and timeline of events.
The complaint should request urgent investigation steps such as freezing recipient accounts, identifying account holders, obtaining bank camera records where relevant, obtaining IP logs, requesting telecom records, tracing transfers, collecting digital evidence and identifying organized participants.
A criminal complaint may help identify offenders and freeze funds. However, it does not automatically result in compensation. The victim may still need civil proceedings for recovery.
18. Regulatory Consequences for Banks
Banking fraud may trigger regulatory scrutiny if it reveals weaknesses in bank systems, internal controls, electronic banking security, customer authentication, AML monitoring or confidentiality procedures.
The BRSA supervises banks and may evaluate whether a bank’s electronic banking infrastructure and risk controls comply with applicable standards. The Regulation on Information Systems and Electronic Banking Services requires banks to manage information systems and electronic banking risks through minimum procedures and controls.
A fraud incident may also require internal investigation, board-level reporting, audit review, customer communication, system remediation and stronger monitoring rules.
Regulatory consequences are especially likely where fraud is systemic, affects many customers, results from security vulnerabilities, or involves internal bank misconduct.
19. MASAK and Anti-Money Laundering Consequences
Banking fraud proceeds often move through the financial system. Banks and other obliged parties must comply with anti-money laundering obligations under Law No. 5549. MASAK guidance states that suspicious transactions must be reported to MASAK through suspicious transaction reporting forms.
A bank may need to report suspicious transactions where fraud proceeds, mule accounts, rapid fund movement, layering, suspicious withdrawals or unusual customer behavior are detected. MASAK General Communiqué No. 13 sets principles and procedures for suspicious transaction reporting.
AML duties do not automatically compensate victims. But they are important for identifying suspicious flows, freezing funds where possible, detecting mule accounts and preventing wider financial crime.
20. Banking Confidentiality and Fraud Investigations
Fraud investigations often require access to banking data. Banks must balance confidentiality with lawful disclosure. The BRSA Regulation on Disclosure of Confidential Information determines the scope and procedures for sharing bank secrets and client secrets.
Banks may disclose information to legally authorized authorities such as courts, prosecutors, enforcement offices, MASAK or regulators. However, banks should not disclose customer information to unauthorized third parties.
Victims may sometimes face difficulty obtaining information about recipient accounts due to banking confidentiality. In such cases, criminal complaint and court requests may be necessary to obtain records.
21. Evidence in Banking Fraud Cases
Evidence is the backbone of every banking fraud case. Important evidence includes:
Bank statements, transaction receipts, mobile banking screenshots, phishing messages, SMS records, e-mails, call logs, suspicious phone numbers, bank complaint forms, bank responses, criminal complaint documents, recipient account details, IP logs, device records, authentication records, SIM swap records, 3D Secure records, POS records, credit card statements, e-mail headers, remote access application records and expert reports.
Victims should preserve evidence immediately. Deleting messages, resetting phones, losing screenshots or failing to record bank complaint dates may weaken the claim.
Banks should also preserve logs and records. Failure to produce technical records may harm the bank’s defense.
22. Expert Examination
Many banking fraud disputes require expert examination. Experts may analyze whether the transaction was authenticated, whether the bank’s system detected risk indicators, whether transaction behavior was abnormal, whether the customer’s device was compromised, whether the bank’s response was timely, and whether the loss could have been prevented.
In credit card cases, experts may review 3D Secure records, merchant data and chargeback procedure. In online banking cases, experts may review IP logs, device fingerprints, authentication data and transaction monitoring. In corporate cases, experts may review authorized user settings, approval workflows and bank mandate documents.
Parties should object to incomplete expert reports. A report that merely states “password was used” may be insufficient if the real issue is whether the bank ignored suspicious transaction patterns.
23. Interim Measures and Freezing Fraud Proceeds
Speed is crucial in banking fraud. Once funds are transferred, they may be withdrawn or moved through several accounts. Victims should immediately request that the bank contact the recipient bank and attempt recall or blocking.
In criminal proceedings, prosecutors may request freezing or seizure of funds where legal conditions are met. In civil proceedings, interim measures may be sought in appropriate cases. However, interim measures require legal basis and evidence.
The earlier the victim acts, the higher the chance of tracing and recovering funds. Waiting even a few hours may reduce recovery prospects.
24. Data Protection Consequences
Some banking fraud cases involve personal data breaches. If fraudsters obtained bank customer information through unlawful disclosure, weak data security, employee misconduct or vendor breach, data protection remedies may arise under Turkish personal data protection law.
Data protection claims require proof that personal data was unlawfully processed or inadequately protected and that this contributed to the fraud. Not every fraud case proves a bank data breach. But if customer data was leaked from bank systems or a bank vendor, the issue may become both a banking and data protection matter.
25. Merchant and Payment Institution Liability
Some fraud cases involve merchants, virtual POS providers, payment institutions or e-commerce platforms. For example, stolen card data may be used at an online merchant. A fake merchant may process fraudulent payments. A payment institution may fail to detect suspicious transaction volumes.
Liability depends on contractual relationships, payment rules, chargeback mechanisms, fraud monitoring obligations and whether the merchant or payment institution acted negligently.
Victims should not assume that only the bank may be liable. The full payment chain should be reviewed.
26. Practical Checklist for Victims
A victim of banking fraud in Turkey should immediately:
Call the bank and block accounts, cards and digital banking access.
Submit a written fraud objection.
Request reversal or recall of transfers.
Ask the bank to preserve all technical logs.
File a criminal complaint.
Preserve messages, links, call records and screenshots.
Request transaction details and bank response in writing.
Contact the telecom operator if SIM swap is suspected.
Identify whether the matter is consumer or commercial.
Check mediation or consumer arbitration requirements.
Seek legal support before signing any settlement or waiver.
27. Practical Checklist for Banks and Financial Institutions
Banks and financial institutions should:
Maintain strong customer authentication.
Monitor suspicious transaction patterns.
Detect new device, SIM swap and unusual transfer risks.
Use meaningful transaction warnings.
Preserve technical logs.
Respond quickly to fraud reports.
Train call center and branch staff.
Apply AML monitoring to mule accounts.
Report suspicious transactions where required.
Protect customer secrets.
Review fraud incidents internally.
Improve systems after repeated fraud typologies.
These steps protect both customers and the institution from legal and regulatory exposure.
28. Common Mistakes in Banking Fraud Cases
Victims often wait too long, rely only on verbal bank complaints, fail to file a criminal complaint, delete phishing messages, fail to request technical logs, do not identify the recipient account, miss consumer or commercial procedural requirements, or present the case without a clear timeline.
Banks may also make mistakes. They may provide generic rejection letters, fail to preserve logs, ignore abnormal transactions, delay blocking, rely only on password usage, fail to investigate mule accounts or fail to explain the transaction clearly.
A well-prepared case should avoid emotional generalizations and focus on dates, amounts, systems, warnings, authentication, abnormality, causation and damage.
29. Why Legal Support Is Important
Banking fraud in Turkey requires a combined legal and technical strategy. A Turkish banking fraud lawyer may assist with criminal complaints, bank notices, evidence preservation, consumer applications, mediation, commercial lawsuits, compensation claims, expert report objections, account tracing, MASAK-related issues, data protection complaints and settlement negotiations.
Legal support is especially important in high-value fraud, corporate account fraud, SIM swap fraud, phishing-based account takeover, disputed mobile approvals, bank refusal of compensation, mule account tracing and cases involving multiple financial institutions.
Conclusion
Banking fraud in Turkey has civil, criminal and regulatory consequences. A single fraudulent transaction may require a criminal complaint against fraudsters, a compensation claim against responsible parties, a regulatory assessment of bank systems, AML reporting review, data protection analysis and urgent action to freeze funds.
The most common banking fraud methods include phishing, SIM swap fraud, online banking takeover, credit card misuse, remote access fraud, business e-mail compromise, fake investment platforms, mule accounts and forged payment instructions. Turkish law provides several remedies, but success depends on speed, evidence and correct legal classification.
For victims, immediate action is essential. The bank must be notified, accounts must be blocked, evidence must be preserved and a criminal complaint should be filed quickly. For banks, strong electronic banking controls, transaction monitoring, AML compliance and customer communication are essential. For companies, internal payment controls and dual approval systems can prevent major losses.
In Turkish banking fraud cases, the central question is not only who committed the crime. The court may also ask whether the bank acted as a prudent financial institution, whether the customer acted carefully, whether suspicious transaction patterns were ignored, whether the loss could have been prevented and whether regulatory duties were fulfilled.
A strong legal strategy must therefore address all three dimensions: criminal liability of the fraudsters, civil compensation for the victim and regulatory responsibility of financial institutions. Banking fraud is not merely a technical incident. It is a serious legal event that can determine financial loss, institutional liability and criminal accountability.
Yanıt yok