Phishing Attacks in Turkey: Criminal Liability and Victim Rights

Introduction

Phishing attacks in Turkey have become one of the most common methods used in cyber fraud, online banking fraud, identity theft and unauthorized access cases. A phishing attack generally occurs when a fraudster deceives a person into revealing sensitive information such as passwords, internet banking credentials, credit card details, identity numbers, verification codes, e-mail passwords or social media login information. The deception may be carried out through fake SMS messages, e-mails, WhatsApp messages, social media links, cloned websites, fake cargo notifications, fake bank alerts, fraudulent investment platforms or imitation public authority pages.

Under Turkish law, phishing is not regulated by one single article named “phishing.” Instead, the criminal liability depends on the exact conduct and result. A phishing scheme may constitute qualified fraud, unauthorized access to an information system, system interference, misuse of bank or credit cards, unlawful acquisition of personal data, violation of privacy, forgery, blackmail or money laundering, depending on the facts of the case.

The Turkish cybercrime framework includes specific provisions in the Turkish Penal Code No. 5237, procedural rules in the Criminal Procedure Code No. 5271, international cooperation rules and Law No. 5651 on internet publications. The Council of Europe’s cybercrime profile for Turkey lists Turkish Penal Code Articles 243, 244, 245, 245/A and 158/1-f among the relevant cybercrime and computer-related fraud provisions.

This article explains phishing attacks in Turkey from a practical legal perspective. It covers criminal liability, penalties, digital evidence, victim rights, company responsibilities, personal data issues, bank transaction disputes and defence strategies.

1. What Is a Phishing Attack?

A phishing attack is a digital deception method designed to make the victim disclose confidential information or perform a harmful transaction. The attacker usually imitates a trusted person, institution or platform. The victim may believe that the message comes from a bank, cargo company, e-commerce platform, government institution, social media provider, employer, lawyer, insurance company, cryptocurrency exchange or known business partner.

Typical phishing examples include:

A fake bank SMS asking the victim to verify account security.

A fake cargo message demanding a small delivery fee.

A cloned e-government or tax refund page.

A fake social media login page.

A fraudulent investment platform asking for identity verification.

A fake lawyer or enforcement office message requesting payment.

A fake marketplace link sent to a buyer or seller.

A fake corporate e-mail requesting password renewal.

A fake bank call asking for SMS verification codes.

Phishing is dangerous because the victim may voluntarily enter information, but the consent is obtained through deception. In criminal law, the fact that the victim typed the password or approved a transaction does not automatically remove criminal liability. The legal issue is whether the victim’s will was manipulated by fraudulent conduct.

2. Main Criminal Provisions Applicable to Phishing in Turkey

Phishing cases in Turkey may involve several provisions of the Turkish Penal Code. The most relevant are:

Article 157 – Basic fraud. This provision punishes a person who deceives another through fraudulent acts and obtains benefit by causing damage to the victim or another person. The official English text provides imprisonment from one to five years and a judicial fine up to five thousand days.

Article 158/1-f – Qualified fraud through information systems, banks or financial institutions. Where phishing uses information systems, banks or credit institutions as instruments, the offence may become qualified fraud. The current text of Article 158 provides imprisonment from three to ten years and a judicial fine up to five thousand days; for subparagraphs including 158/1-f, the lower limit of imprisonment cannot be less than four years and the judicial fine cannot be less than twice the benefit obtained.

Article 243 – Unauthorized access to an information system. If phishing credentials are used to enter the victim’s e-mail, social media account, bank account, cloud account or company system, Article 243 may apply.

Article 244 – System interference and data manipulation. If the attacker changes passwords, deletes messages, transfers data, blocks access or manipulates account information, Article 244 may also become relevant.

Article 245 – Misuse of bank or credit cards. If the phishing attack results in unauthorized use of card information or bank card credentials, Article 245 may apply. The official English text of Article 245 punishes unauthorized use of another person’s bank or credit card and certain counterfeit card conduct with imprisonment and judicial fines.

Personal data offences. If identity information, passwords, phone numbers, financial information or private data are unlawfully obtained, stored or shared, Turkish Penal Code provisions concerning personal data may also be considered.

The correct legal classification depends on the factual chain: how the victim was deceived, what information was obtained, whether an account was accessed, whether money was transferred, whether card information was used and whether personal data was disclosed.

3. Phishing as Qualified Fraud Under Turkish Penal Code Article 158/1-f

In many phishing cases, the main criminal charge is qualified fraud under Article 158/1-f of the Turkish Penal Code. This is because phishing usually relies on information systems and banking channels. A fake website, fake SMS link, cloned bank page, fraudulent mobile application or fake payment screen may be used to deceive the victim.

The essential elements of fraud are:

The perpetrator must perform fraudulent conduct.

The victim must be deceived.

The deception must cause the victim or another person to suffer damage.

The perpetrator or another person must obtain unlawful benefit.

In phishing cases, fraudulent conduct may consist of creating a fake website, sending a deceptive message, impersonating a bank, imitating a cargo company, using a fake domain name, copying an official logo, creating a fake investment dashboard or pretending to be a public authority. The deception is usually stronger because the attacker uses institutional names, logos, urgent warnings and technical-looking pages.

Article 158/1-f becomes relevant because the fraud is committed by using information systems, banks or credit institutions as instruments. Turkish legal commentary explains that using information systems or trusted banking institutions provides significant convenience for fraud and is therefore treated as a qualified form.

4. Common Phishing Scenarios in Turkey

Phishing methods constantly change, but certain patterns are frequently seen in Turkish practice.

Fake Bank Security Messages

The victim receives an SMS or e-mail claiming that their bank account is blocked, suspicious activity has been detected or urgent verification is required. The link directs the victim to a fake bank page. The victim enters login credentials, card information or SMS codes. The attacker then makes unauthorized transfers or purchases.

Fake Cargo and Delivery Fee Messages

The victim receives a message saying that a cargo package cannot be delivered unless a small fee is paid. The payment page collects card details. A small payment request may later lead to larger unauthorized transactions.

Fake E-Government or Tax Refund Pages

The victim is told that a tax refund, social benefit, traffic fine discount or public payment is available. The page imitates an official interface and collects identity data, bank credentials or card details.

Fake Marketplace Links

The fraudster contacts a seller or buyer through an online marketplace and sends a fake payment or shipping link. The victim enters card or bank information believing that the platform is processing the transaction.

Fake Investment and Cryptocurrency Platforms

The victim is directed to a professional-looking platform promising high returns. Initial fake profits may be shown on a dashboard. Later, the victim is asked to deposit more money or share identity documents. Withdrawal requests may be blocked.

Corporate Phishing and Business E-Mail Compromise

An employee receives a fake password renewal e-mail or a fake invoice message. Once credentials are captured, attackers may monitor correspondence and send fraudulent payment instructions to customers or accounting departments.

Each scenario requires a specific legal strategy because the evidence, suspects, money flow and applicable offences may differ.

5. Relationship Between Phishing and Unauthorized Access

Phishing often begins as fraud but continues as unauthorized access. For example, a victim may enter an e-mail password into a fake page. If the attacker then logs into the e-mail account, the act may constitute unlawful access to an information system under Article 243.

If the attacker only obtains credentials but never enters the account, the legal analysis may focus on fraud, attempted fraud, personal data offences or prohibited tools, depending on the facts. If the attacker enters the account and reads messages, the basis for an Article 243 charge becomes stronger. If the attacker deletes messages, changes the recovery e-mail, transfers files or blocks the lawful user’s access, Article 244 may arise.

This distinction matters because cybercrime charges should be based on concrete conduct, not general labels. A criminal complaint should explain whether the attacker merely deceived the victim, obtained credentials, entered an account, changed data, transferred money or misused card information.

6. Online Banking Phishing and Unauthorized Transfers

Online banking phishing is one of the most serious forms of phishing in Turkey. The victim may be tricked into sharing internet banking credentials, mobile banking passwords, card information, SMS verification codes or device approval data. Once the attacker obtains access, money may be transferred to mule accounts or used for purchases.

The legal classification may involve:

Qualified fraud under Article 158/1-f.

Unauthorized access under Article 243.

System interference under Article 244 if data or access settings are changed.

Bank or credit card misuse under Article 245.

Money laundering or participation offences if funds are moved through third-party accounts.

In these cases, immediate action is essential. The victim should notify the bank, block accounts and cards, object to transactions and file a criminal complaint. The complaint should request collection of bank records, recipient account information, IP logs, device information, SMS verification logs and camera footage if withdrawals were made from ATMs.

7. Bank and Credit Card Phishing

Many phishing schemes target credit card or debit card details. The victim may enter card number, expiry date, CVV code and 3D Secure verification code into a fake page. The attacker may then make online purchases, subscribe to digital services, buy gift cards, purchase electronic goods or transfer value through other channels.

Where another person’s card is used without consent to obtain benefit, Article 245 may apply. This provision is particularly important in card-not-present transactions, fake payment pages and online shopping fraud. The official English text of Article 245 recognizes criminal liability for unauthorized use of another person’s bank or credit card and benefit obtained through such use.

The evidence may include merchant records, payment gateway logs, bank authorization records, 3D Secure data, IP addresses, delivery addresses, phone numbers, e-mail addresses, order confirmations and cargo records.

Victims should not only file a criminal complaint but also submit a transaction objection to the bank. The banking dispute process and criminal investigation are separate but related. Bank records can become important evidence in the criminal file.

8. Phishing and Personal Data Protection Law

Phishing almost always involves personal data. Names, identity numbers, phone numbers, addresses, e-mail accounts, passwords, bank information, card details, photos, signatures and device information may all be personal data depending on the context. The Turkish Personal Data Protection Law No. 6698 defines personal data as any information relating to an identified or identifiable natural person and applies to natural or legal persons processing such data through automated means or filing systems.

Where a phishing attack affects a company’s customers, employees or users, the incident may also become a personal data breach. The data controller must assess whether personal data processed by it was obtained by unauthorized persons and whether notification obligations arise. The Turkish Personal Data Protection Board’s Decision No. 2019/10 states that controllers must document personal data breaches, affected data subjects should be informed within the shortest reasonable period after identification, and processors must notify controllers without delay if personal data held by them is obtained unlawfully.

For companies, this means that phishing is not only a criminal complaint issue. It may require internal investigation, forensic analysis, breach assessment, notification to the Personal Data Protection Authority, communication with affected persons and remedial security measures.

9. Law No. 5651 and Removal of Fraudulent Online Content

Phishing attacks frequently use fake websites, fake social media profiles, fake advertisements or fraudulent online pages. In such cases, rapid removal or blocking of access may be necessary to prevent further victimization.

Law No. 5651 regulates internet actors such as hosting providers and access providers. Legal analysis of Law No. 5651 explains that hosting providers are not generally obliged to check the content they host, but they must remove unlawful content after being informed under the relevant procedures; access providers must also block access when required and retain traffic information under the applicable rules.

For phishing victims, this means that a legal strategy may include:

Criminal complaint.

Preservation of website and traffic data.

Content removal request.

Access blocking request where conditions exist.

Platform takedown notice.

Domain and hosting provider notification.

Bank and payment provider notification.

Fast action is crucial because phishing websites may disappear quickly, domain records may change and logs may be overwritten.

10. Digital Evidence in Phishing Cases

Digital evidence is the foundation of phishing investigations. The most important evidence may include:

SMS messages.

E-mails and full e-mail headers.

WhatsApp or Telegram correspondence.

Fake website URLs.

Domain registration records.

Screenshots of fake pages.

Bank transfer receipts.

Recipient IBAN information.

Card transaction records.

IP logs.

Device identifiers.

SMS verification logs.

3D Secure records.

Platform account records.

Hosting provider information.

Cargo delivery records.

ATM camera footage.

Cryptocurrency wallet addresses.

Forensic examination reports.

Screenshots are useful, but they should not be the only evidence. A screenshot may not show metadata, source information or technical routing. E-mail headers, URLs, bank records and provider logs often carry greater evidentiary value.

Victims should preserve the original message, not merely a screenshot. E-mails should not be deleted. Links should be copied carefully. Bank notifications should be saved. If a fake website is still active, a notarial determination or technical preservation method may be considered where appropriate.
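As an added illustration of the point above (this code is not part of the original article and is not a tool of the firm or any authority named here), the following Python script shows why the original message is worth more than a screenshot: it hashes the raw .eml bytes for preservation and pulls out the fields a screenshot never shows, namely the Received chain, the envelope sender, the Authentication-Results and the links in the body. The message it parses is a constructed sample; every address, host name and IP address in it is fictitious and uses reserved documentation names.

```python
"""Evidence extraction from a phishing e-mail's raw source.

Added illustration; not part of the original article. The message below is a
constructed sample: every address, host name and IP address in it is fictitious
and uses reserved documentation ranges and domains.
"""
import email
import hashlib
import json
import re
from email import policy

# Constructed sample of a raw message as exported from a mail client (.eml).
# The visible From: domain ("bank.example") does not match the envelope sender
# or the relay that actually handed the mail over; only the headers show this.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.victim-mail.example (Postfix) with ESMTP id ABC123
\tfor <victim@victim-mail.example>; Mon, 3 Jun 2024 09:14:02 +0300
Received: from unknown (HELO webmail) (198.51.100.7)
\tby mail-relay.example.net with SMTP; Mon, 3 Jun 2024 09:13:58 +0300
Authentication-Results: mx.victim-mail.example;
\tspf=fail smtp.mailfrom=bounce@mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Bank Security" <security@bank.example>
To: victim@victim-mail.example
Subject: Urgent: verify your account
Date: Mon, 3 Jun 2024 09:13:50 +0300
Message-ID: <20240603061350.1234@mail-relay.example.net>
Content-Type: text/plain; charset=utf-8

Your account is blocked. Verify at https://bank.example.verify-login.example/
"""


def unfold(value) -> str:
    """Collapse header folding and repeated whitespace so a field reads as one line."""
    return " ".join(str(value).split())


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, with any <...> brackets removed."""
    addr = address.strip().strip("<>")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def preservation_hash(raw: bytes) -> str:
    """SHA-256 of the untouched original bytes; record it when the file is saved."""
    return hashlib.sha256(raw).hexdigest()


def extract_evidence(raw: bytes) -> dict:
    """Parse the raw message and return the header-level facts worth citing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = unfold(msg.get("Authentication-Results", ""))
    # spf=, dkim= and dmarc= verdicts added by the receiving mail server.
    auth_results = dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth))
    from_header = msg["From"]
    from_domain = from_header.addresses[0].domain.lower() if from_header and from_header.addresses else ""
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "sha256": preservation_hash(raw),
        "message_id": unfold(msg.get("Message-ID", "")),
        "from": unfold(msg.get("From", "")),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Visible sender domain differs from the envelope sender domain.
        "sender_domain_mismatch": bool(from_domain and return_path_domain and from_domain != return_path_domain),
        # Received headers in file order: the receiving server's own hop comes first.
        "received_chain": [unfold(h) for h in msg.get_all("Received", [])],
        "auth_results": auth_results,
        "urls": urls,
    }


if __name__ == "__main__":
    print(json.dumps(extract_evidence(SAMPLE_EML), indent=2))
```

The script deliberately reads the message only; nothing in it follows the extracted links. In practice the .eml file itself, its SHA-256 and this summary would be kept together, because the hash ties the summary to the exact bytes that were preserved.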

11. What Should Victims Do After a Phishing Attack?

A phishing victim in Turkey should act immediately. The first hours are often decisive.

The victim should:

Contact the bank immediately.

Block affected cards and accounts.

Change passwords from a secure device.

Enable two-factor authentication.

Do not delete SMS, e-mail or chat messages.

Preserve screenshots and URLs.

Save bank transaction details.

Object to unauthorized transactions.

Notify the relevant platform.

File a criminal complaint.

Request identification of recipient accounts.

Request preservation of logs.

Check whether other accounts were compromised.

If personal data was exposed, consider KVKK remedies.

If private content was published, seek removal or access blocking.

A criminal complaint should be detailed and chronological. It should explain when the message arrived, what it said, which link was clicked, what information was entered, which transactions occurred, where money was transferred, which accounts were accessed and what evidence exists.

12. Can Victims Recover Their Money?

Money recovery depends on speed, traceability and whether the funds can be frozen before being withdrawn or transferred. In phishing cases, fraudsters often use mule accounts. Money may be transferred through several accounts, withdrawn in cash, converted into cryptocurrency or used for purchases.

Victims should immediately notify their bank and request action against suspicious transactions. A criminal complaint should request bank record collection, identification of recipient account holders, freezing or seizure measures where legal conditions exist and investigation of all account movements.

Recovery is easier when action is taken quickly. If the money remains in the recipient account, legal measures may be more effective. If funds have already been withdrawn, the case may require tracing account holders, ATM footage, phone records and related suspects.

Civil compensation claims may also be possible against perpetrators. In limited situations, responsibility of banks, payment providers, platforms or companies may be discussed, but this depends heavily on the facts, security measures, authentication process, user conduct and contractual framework.

13. Corporate Phishing: Employer and Company Responsibilities

Companies are frequent targets of phishing. Employees may receive fake password renewal messages, fake invoices, fake CEO instructions, fake supplier IBAN changes or malicious attachments. A single compromised corporate e-mail account may lead to large financial loss and data breach exposure.

Companies should implement:

Employee phishing training.

Multi-factor authentication.

Payment approval procedures.

Vendor bank account verification.

E-mail security systems.

Strong password policies.

Access control.

Incident response plans.

Log retention.

Personal data breach response procedures.

Cyber insurance review.

Legal review of suspicious transactions.

A company should never change supplier bank details based only on an e-mail. The change should be confirmed through a trusted phone number already recorded in the company’s files, not through the number written in the suspicious e-mail.

Corporate phishing incidents may create both victim rights and legal obligations. The company may file a criminal complaint, but it may also need to assess whether customer or employee data was exposed. If personal data was affected, KVKK notification duties may arise.

14. Criminal Complaint Strategy for Phishing Victims

A strong criminal complaint should not be generic. It should identify the legal and technical structure of the incident.

The petition should include:

A clear summary of the phishing method.

The exact date and time of messages.

The phone number, e-mail address or account used by the attacker.

The fake URL or platform.

Screenshots and original digital records.

The information entered by the victim.

Bank transaction details.

Recipient account information.

Card transaction details.

Account access changes.

Damage amount.

Suspected persons, if known.

Requests for bank, provider and platform records.

Legal qualification under Articles 158/1-f, 243, 244, 245 and personal data provisions where applicable.

Request for urgent preservation of digital evidence.

The petition should also explain why the conduct is not a simple civil dispute. In phishing, the deception usually exists from the beginning and is supported by fake identities, cloned pages, manipulated messages and unlawful benefit.

15. Defence Strategies in Phishing Allegations

Phishing investigations sometimes include suspects whose bank accounts, phone numbers, addresses or identities were used by others. A person may be accused because money entered their account or a phone line is registered in their name. However, criminal liability requires proof of intent, participation and causal connection.

Common defence arguments include:

The accused did not create the phishing page.

The accused did not send the message.

The accused did not control the recipient account.

The accused’s bank account was used by another person.

The accused was also deceived by a fake job or commission offer.

There is no evidence of fraudulent intent.

The IP evidence does not identify the accused.

The device was used by another person.

The transaction was part of a genuine commercial relationship.

The dispute is civil, not criminal.

The accused did not obtain or keep the unlawful benefit.

The prosecution must prove more than suspicion. In phishing cases, digital and banking evidence should be examined carefully. Account movements, cash withdrawals, phone records, communications with organizers, device data and benefit sharing may become decisive.

16. Money Mule Accounts and IBAN Use

Phishing schemes often use money mule accounts. A money mule is a person whose bank account is used to receive and transfer criminal proceeds. Some money mules knowingly participate. Others are deceived through fake job offers, “payment representative” promises or small commission arrangements.

Allowing one’s IBAN or bank account to be used by unknown persons is extremely risky. If the person knows or accepts the criminal purpose, liability may arise as a participant in fraud or other offences. If the person was deceived, the defence must show lack of intent and lack of knowledge.

Evidence may include messages with organizers, commission payments, withdrawal records, ATM footage, bank account history, phone communications and whether the account holder immediately reported suspicious activity.

17. Phishing, Attempt and Multiple Offences

Not every phishing message results in completed fraud. If the victim detects the scam before entering information or before money is transferred, attempted fraud may be discussed depending on the concrete facts. If credentials are obtained but not used, personal data offences or preparatory conduct may be examined. If the attacker enters an account but no money is transferred, Article 243 may be more central.

Multiple offences may arise from one phishing incident. For example:

A fake bank page is created.

The victim enters credentials.

The attacker enters the bank account.

Money is transferred.

The recipient account holder withdraws money.

The victim’s personal data is stored.

The fake website remains active and deceives others.

This chain may involve qualified fraud, unauthorized access, bank card misuse, personal data offences, participation rules and possible money laundering analysis. Each suspect’s role must be assessed separately.

18. Prevention: How Individuals Can Reduce Risk

Individuals can reduce phishing risk by following practical security measures.

Do not click links in unexpected bank, cargo or government messages.

Check the official domain carefully.

Do not share SMS verification codes.

Do not install remote access applications upon request.

Do not trust urgent payment warnings.

Use official banking applications.

Enable two-factor authentication.

Use different passwords for different accounts.

Avoid saving card details on unknown websites.

Call the institution through its official number.

Do not send identity documents to suspicious platforms.

Regularly check bank and card transactions.

The law provides remedies after a phishing attack, but prevention is always stronger than litigation.
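"Check the official domain carefully" is harder than it sounds, because a link can contain the genuine domain name and still lead elsewhere. The Python helper below is an added example (not from the original article) that goes a little beyond the single item in the list above: it takes a URL and the institution's real domain and reports the common tricks, namely the real domain embedded as a subdomain of another site, a username before "@" that looks like the domain, digits swapped for letters, IP-address hosts, non-ASCII or punycode hosts and plain http. All domains and URLs in it are constructed reserved names, and it assumes the caller supplies the institution's full registrable domain (for instance "bank.example" or "bank.example.com.tr") since it does not consult the Public Suffix List.

```python
"""Checking whether a link really points at the institution it claims to.

Added illustration; not from the original article. All domains and URLs are
constructed reserved names. Assumption: `expected_domain` is the institution's
full registrable domain; this helper does not consult the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

# Digits commonly swapped for letters in look-alike domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_under_domain(host: str, expected: str) -> bool:
    """True only if host is the expected domain itself or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def assess_url(url: str, expected_domain: str) -> dict:
    """Return the host a browser would actually contact and a list of warning signs."""
    expected = expected_domain.lower().strip(".")
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not_https")
    if parts.username is not None:
        # "https://bank.example@evil.example/": the text before "@" is a
        # username; the real host is what follows it.
        findings.append("userinfo_in_url")
    if not host:
        findings.append("no_host")
    elif IPV4.fullmatch(host):
        findings.append("ip_literal")
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("non_ascii_or_punycode_host")
    matches = bool(host) and is_under_domain(host, expected)
    if host and not matches:
        if expected in host:
            # e.g. bank.example.verify-login.example: the real name is only a prefix.
            findings.append("expected_domain_embedded")
        elif expected in host.translate(HOMOGLYPHS):
            # e.g. bank.examp1e: digit "1" standing in for the letter "l".
            findings.append("homoglyph_lookalike")
    return {"host": host, "matches_expected": matches, "findings": findings}


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an SMS or e-mail.
    for link in [
        "https://online.bank.example/login",
        "https://bank.example.verify-login.example/",
        "https://bank.example@evil-site.example/",
        "http://bank.examp1e/",
        "https://203.0.113.5/bank.example/",
    ]:
        print(link, "->", assess_url(link, "bank.example"))
```

The helper reads the URL text only and never connects to anything. Its useful output is the `host` field: that is the name the browser would contact, regardless of what the visible link text or the start of the address suggests.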

19. Prevention: How Companies Can Reduce Risk

Companies should treat phishing as a legal and operational risk. Recommended measures include:

Periodic employee training.

Simulated phishing exercises.

Multi-factor authentication for e-mail and cloud systems.

Strict access control.

Dual approval for payments.

Call-back verification for IBAN changes.

Secure e-mail gateways.

Domain monitoring.

Incident response plans.

Data breach response plans.

Vendor verification procedures.

Internal reporting channels.

Log retention and monitoring.

Clear disciplinary rules for careless credential sharing.

Legal and IT teams should work together. A phishing incident can become a criminal case, data breach, banking dispute, employment issue and civil compensation file at the same time.

20. Why Legal Assistance Is Important

Phishing cases are time-sensitive and technically complex. A victim may lose the chance to trace funds if action is delayed. A company may mishandle evidence during internal investigation. A suspect may face serious charges because their bank account was used by others. A data controller may miss notification obligations after a breach.

A Turkish cybercrime lawyer can assist with criminal complaints, urgent bank communication, evidence preservation, provider requests, access blocking, personal data breach assessment, compensation claims and defence petitions. In complex cases, digital forensic support may also be necessary.

Conclusion

Phishing attacks in Turkey are serious cybercrime incidents that may lead to qualified fraud, unauthorized access, system interference, bank or credit card misuse, personal data offences and civil compensation claims. The legal classification depends on the method used, the information obtained, whether the attacker accessed a system, whether money was transferred and whether personal data was affected.

For victims, the most important steps are immediate bank notification, preservation of digital evidence, password changes, transaction objections and a detailed criminal complaint. For companies, phishing requires both criminal law action and compliance review, especially where customer or employee data may be compromised. For suspects, defence should focus on intent, participation, digital attribution and whether the evidence truly links the accused to the phishing scheme.

In Turkey’s digital economy, a phishing message is not merely a suspicious link. It can be the beginning of a multi-layered criminal file involving fraud, cybercrime, banking records, personal data and cross-border digital evidence. Effective legal strategy depends on speed, technical precision and correct application of Turkish criminal law.
