Business Email Compromise in Turkey: Fake Invoice Fraud and Corporate Liability

Introduction

Business Email Compromise, commonly known as BEC fraud, is one of the most dangerous forms of corporate cybercrime in Turkey. It usually occurs when criminals compromise, imitate or manipulate business email communications in order to redirect payments, alter invoice details, impersonate executives or deceive employees into transferring money to fraudulent bank accounts.

Unlike simple online scams, BEC attacks target the trust structure of companies. The fraudster may monitor real correspondence between a supplier and a buyer, wait until a payment is expected, and then send a fake invoice with a changed IBAN. In other cases, the attacker may impersonate a company director and instruct the accounting department to make an urgent transfer. The email may look genuine, the commercial relationship may be real, and the invoice may appear consistent with previous transactions. This is why BEC fraud often causes substantial financial loss before the victim realizes that the payment was redirected.

Under Turkish law, Business Email Compromise is not regulated under a single article named “BEC.” Depending on the facts, the conduct may constitute qualified fraud, unauthorized access to information systems, system interference, unlawful acquisition or transfer of personal data, forgery, misuse of bank accounts, money laundering or criminal organization activity. The main criminal provisions are found in the Turkish Penal Code, particularly Article 158 on qualified fraud and Articles 243–244 on cybercrimes. The Council of Europe’s cybercrime profile for Turkey identifies Articles 243, 244, 245 and 245/A as core cybercrime provisions and also refers to Article 158/1-f for computer and communications fraud.

This article explains Business Email Compromise in Turkey from a legal and practical perspective. It covers fake invoice fraud, criminal liability, digital evidence, corporate responsibility, data breach obligations, bank and payment issues, victim remedies and defence strategies.

1. What Is Business Email Compromise?

Business Email Compromise is a cyber-enabled fraud technique where criminals use email communication to deceive a company into sending money, confidential data or valuable business information. The attacker may compromise a real email account or may simply imitate one by using a similar domain name, display name or email signature.

Common BEC scenarios include:

A supplier’s email account is hacked and the attacker sends new bank account details.

A company executive is impersonated and an urgent transfer instruction is sent to accounting staff.

A fake invoice is sent from a domain that looks almost identical to a legitimate supplier’s domain.

A real invoice is intercepted and altered before being forwarded to the buyer.

An employee’s mailbox is compromised and hidden forwarding rules are created.

A fraudster monitors real negotiations and intervenes only at the payment stage.

An attacker impersonates a lawyer, logistics company, customs broker or consultant and asks for payment.

A payroll email is altered so that employee salary payments are redirected.

The defining feature is deception based on business trust. The victim is not randomly targeted; the fraudster often studies the commercial relationship and uses timing, tone, document format and email history to make the request appear legitimate.

2. Fake Invoice Fraud in Turkey

Fake invoice fraud is one of the most common forms of BEC in Turkey. The victim company may receive an invoice that appears to come from a real supplier, customer, shipping company, law firm, consultant or service provider. The invoice may include correct product details, contract references, company logos, signatures and previous correspondence. The only fraudulent element may be the bank account.

In some cases, the attacker changes only the IBAN. In others, the attacker sends an email stating that the supplier’s bank account has changed due to audit, tax, banking, currency or compliance reasons. The accounting department then transfers funds to the fraudulent account.

Fake invoice fraud may be especially successful in international trade, shipping, construction, textile, energy, medical supplies, machinery, software licensing and import-export transactions because companies regularly deal with foreign suppliers, invoices, proforma invoices, freight documents and currency transfers.

Under Turkish law, the main offence is usually qualified fraud if the perpetrator uses deceptive acts to obtain unlawful benefit through information systems, banks or credit institutions. BEC fraud also frequently involves unauthorized access if a real mailbox was hacked.

3. Qualified Fraud Under Turkish Penal Code Article 158/1-f

The central criminal provision in many BEC cases is Article 158/1-f of the Turkish Penal Code, which concerns fraud committed by using information systems, banks or credit institutions as instruments. Turkish legal commentary on Article 158 explains that the offence of qualified fraud is aggravated where information systems or banking channels are used, and current practice treats this as one of the most important forms of cyber-enabled fraud.

The legal elements of fraud generally include:

A deceptive act.

Deception of the victim.

Unlawful benefit obtained by the perpetrator or another person.

Damage to the victim or a third person.

In BEC cases, the deceptive act may be the fake invoice, altered IBAN, spoofed email, compromised mailbox, fake signature, false payment instruction or impersonation of a supplier or executive. The unlawful benefit is usually the transferred money. The damage is the payment loss suffered by the company or business partner.

Article 158/1-f is particularly relevant because BEC attacks use both information systems and banks. The deception occurs through email, domain infrastructure, digital documents and online communication. The benefit is obtained through bank transfers or payment systems. Recent Turkish legal sources state that, for fraud committed by using information systems or banks as instruments, the lower limit of imprisonment is four years and the judicial fine cannot be less than twice the unlawful benefit in the relevant aggravated forms.

4. Unauthorized Access to Email Accounts

Many BEC cases begin with unauthorized access to an email account. The attacker may obtain credentials through phishing, malware, password reuse, weak passwords, exposed remote access, social engineering or compromise of a cloud account. Once inside the mailbox, the attacker may monitor conversations, download attachments, set forwarding rules, delete security alerts or send emails from the genuine account.

This may trigger Turkish Penal Code Article 243, which punishes unlawful access to an information system or unlawfully remaining in such a system. The cybercrime provisions listed by UNODC include Article 243 on access to a data processing system and Article 244 on damaging, deleting, changing, preventing access to data or sending available data elsewhere.

If the attacker only enters the email account without changing anything, Article 243 may be the starting point. If the attacker deletes emails, creates forwarding rules, changes account recovery data, transfers correspondence or blocks the rightful user’s access, Article 244 may also become relevant.

For companies, this distinction matters. A criminal complaint should explain whether the fraudster merely imitated an email address or actually compromised an account. Evidence such as login alerts, IP records, cloud audit logs, mailbox rules and password reset notifications may determine which offence applies.

5. System Interference and Data Transfer Under Article 244

Business Email Compromise may also involve system interference or data transfer. For example, the attacker may create a hidden email forwarding rule to automatically send all supplier communications to an external address. The attacker may delete warning emails from the bank or supplier. The attacker may change invoice attachments or manipulate payment records in an accounting system.

Article 244 is relevant where data is deleted, altered, made inaccessible, inserted into a system or sent elsewhere. This provision may apply if the attacker transfers emails, invoice data, customer records or payment information out of the company system. It may also apply if the attacker changes data in an ERP, accounting or supplier management system.

In corporate BEC cases, the investigation should examine:

Was the mailbox accessed without authorization?

Were emails deleted or altered?

Were forwarding rules created?

Were invoices modified?

Was data exported?

Were bank details changed in the accounting system?

Were credentials used after employment termination?

Was malware installed?

These questions help determine whether the case is only qualified fraud or also a direct cybercrime under Articles 243–244.

6. Corporate Liability and Corporate Victim Status

In most BEC cases, the company is the victim. The company loses money because employees are deceived into paying into a fraudulent account. However, corporate liability may also arise in a broader sense if poor internal controls, weak cybersecurity, inadequate payment verification or negligent data protection contributed to the incident.

Turkish criminal law generally focuses on the criminal liability of natural persons. However, companies may face civil liability, administrative consequences, data protection exposure and internal governance problems. Managers, employees, IT staff, finance officers, vendors or service providers may be examined depending on the facts.

Corporate liability risks may include:

Failure to implement reasonable payment approval controls.

Failure to protect corporate email accounts.

Failure to train employees against phishing.

Failure to detect suspicious forwarding rules.

Failure to maintain proper log records.

Failure to revoke former employee access.

Failure to protect personal data in compromised mailboxes.

Failure to notify affected persons or authorities where personal data is breached.

Contractual disputes with suppliers over who bears the loss.

For example, if a buyer pays a fake IBAN after receiving an email that appears to come from the supplier, a dispute may arise between buyer and supplier. The buyer may argue that the supplier’s mailbox was compromised and the supplier should bear the loss. The supplier may argue that the buyer failed to verify new bank details. The outcome depends on evidence, contract terms, course of dealing, cybersecurity measures and fault allocation.

7. KVKK and Personal Data Breach Obligations

BEC attacks often involve personal data. A compromised mailbox may contain customer names, employee information, phone numbers, identity documents, addresses, invoices, contracts, payment details, bank information and confidential communications. If personal data processed by a company is obtained by unauthorized persons, the incident may trigger obligations under the Turkish Personal Data Protection Law No. 6698.

The Turkish Personal Data Protection Board’s Decision No. 2019/10 requires breach notification to the Board without delay and states that where notification cannot be made within 72 hours, the reasons for delay must be attached; information may be provided gradually where it cannot be provided at once.

This is highly relevant for BEC. A company should not focus only on the stolen money. It must also ask whether personal data in the compromised mailbox was accessed, copied or transferred. If customer or employee data was exposed, the company may need to assess KVKK notification duties.

A proper BEC response should therefore include:

Mailbox forensic review.

Identification of affected data categories.

Assessment of whether personal data was accessed.

Determination of when the company became aware of the breach.

Documentation of containment measures.

KVKK notification assessment.

Communication with affected persons if legally required.

Preservation of evidence for criminal complaint.

8. Digital Evidence in Business Email Compromise Cases

Digital evidence is the backbone of BEC investigations. The success of a criminal complaint, civil claim or defence often depends on whether evidence is preserved quickly and correctly.

Important evidence includes:

Original fraudulent emails.

Full email headers.

Sender and reply-to addresses.

Domain names and lookalike domains.

SPF, DKIM and DMARC authentication results.

IP addresses in email headers.

Cloud email login logs.

Mailbox forwarding rules.

Password reset records.

Suspicious login alerts.

Invoice attachments and metadata.

Bank transfer receipts.

Recipient IBAN and account holder information.

WhatsApp or phone communication about payment.

Supplier confirmation messages.

Internal approval records.

ERP or accounting system logs.

Server and firewall logs.

Employee device logs.

CCTV or ATM footage if money is withdrawn.

The original email is especially important. A printed copy or screenshot may not show technical routing information. Full headers may reveal whether the email was spoofed, sent from a compromised account or routed through suspicious servers.

Companies should preserve evidence before deleting emails, closing accounts or reconfiguring mailboxes. Technical recovery is important, but uncontrolled remediation can destroy valuable evidence.
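The header checks described above, as an added example that is not part of the original article: a small Python triage script that parses a constructed fake-invoice email (all addresses, domains, IPs and the supplier master data below are made up for the example) and reports Reply-To mismatches, SPF/DKIM/DMARC verdicts, relay IPs from the Received chain and a sender domain that is one edit away from a trusted supplier domain.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed trusted supplier master data (an assumption for this example).
KNOWN_SUPPLIER_DOMAINS = {"acme-textile.com"}

# Constructed sample of a fake-invoice email as the buyer's mail server stored it:
# the display name matches the real supplier, the domain is a one-letter lookalike,
# Reply-To points elsewhere, and SPF and DMARC failed at the receiving server.
RAW_EMAIL = """Return-Path: <billing@acme-textlle.com>
Received: from mail.acme-textlle.com (unknown [203.0.113.45])
    by mx.buyer.example (Postfix) with ESMTPS id 4F2A1C
    for <accounts@buyer.example>; Mon, 3 Mar 2025 09:14:02 +0300
Received: from [10.0.0.7] (localhost [127.0.0.1]) by mail.acme-textlle.com
Authentication-Results: mx.buyer.example;
    spf=fail smtp.mailfrom=acme-textlle.com;
    dkim=none;
    dmarc=fail header.from=acme-textlle.com
From: "ACME Textile Billing" <billing@acme-textlle.com>
Reply-To: <acme.billing.desk@mail.example.org>
Subject: Updated bank details for invoice 2025-118

Dear partner, following an audit our IBAN has changed. Please use the new account.
"""

def domain_of(header_value) -> str:
    """Return the lowercased domain of the first address in a header, or ''."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[m.group(1)] = m.group(2).lower()
    return results

def received_ips(msg) -> list:
    """Bracketed IPs from the Received chain, newest hop first, loopback dropped."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for cand in re.findall(r"\[([0-9a-fA-F.:]+)\]", str(hdr)):
            try:
                ip = ip_address(cand)
            except ValueError:
                continue
            if not ip.is_loopback:
                ips.append(str(ip))
    return ips

def analyse(raw: str, known_domains=KNOWN_SUPPLIER_DOMAINS) -> dict:
    """Triage one message: domain mismatches, auth failures, lookalike domains."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    auth = auth_results(msg)
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check} did not pass (result: {auth.get(check, 'missing')})")
    lookalike = None
    if from_dom not in known_domains:
        # Flag a sender domain within two edits of a trusted supplier domain.
        close = [d for d in known_domains if 0 < edit_distance(from_dom, d) <= 2]
        if close:
            lookalike = close[0]
            findings.append(f"From domain {from_dom} is a lookalike of {lookalike}")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "auth": auth,
            "source_ips": received_ips(msg), "lookalike_of": lookalike,
            "findings": findings, "suspicious": bool(findings)}
```

Run it on the raw message exported from the mail server, not on a screenshot or a printed copy, since only the original carries the Received and Authentication-Results headers this script reads.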

9. Immediate Steps After Discovering BEC Fraud

A company that discovers a fake invoice payment should act immediately. The first hours may determine whether money can be frozen before being withdrawn or transferred.

The company should:

Contact its bank immediately.

Request urgent recall or blocking of the transfer.

Identify the recipient bank and account.

Notify the recipient bank through banking channels if possible.

Preserve all emails and headers.

Keep the compromised mailbox intact rather than deleting it.

Disable suspicious forwarding rules after preserving evidence.

Change passwords and enable multi-factor authentication.

Check whether other payments were affected.

File a criminal complaint.

Request collection of bank records and account movements.

Assess KVKK data breach duties.

Notify the real supplier or customer.

Preserve internal approval records.

Engage forensic and legal support if the amount is substantial.

Speed is essential because BEC fraudsters often move money through mule accounts, cash withdrawals, cryptocurrency purchases or multiple bank transfers.

10. Criminal Complaint Strategy

A criminal complaint in a BEC case should be precise and evidence-based. It should not merely state that “our company was defrauded.” It should explain the commercial relationship, payment expectation, email chain, fraudulent alteration, bank transfer, discovery of fraud and evidence.

A strong complaint should include:

Company identity and authorized signatory information.

Description of the real commercial relationship.

Copy of the genuine invoice or contract.

Fraudulent email and fake invoice.

Full email headers.

Bank transfer receipt.

Recipient IBAN and account holder information.

Date and time of transfer.

How the fraud was discovered.

Information showing whether an email account was compromised.

IP or login records if available.

Internal approval process.

Damage amount.

Requests for bank records, account movements and freezing where legally possible.

Requests for email provider logs and IP data.

Legal qualification under Article 158/1-f and Articles 243–244 where applicable.

If the fake invoice used a lookalike domain, the complaint should also include domain registration information, screenshots of the website if any, DNS records if available and evidence of similarity with the legitimate domain.

11. Can the Stolen Money Be Recovered?

Recovery depends on speed, banking records and whether funds remain traceable. In some cases, banks may recall the transfer if notified immediately. In other cases, funds may already be withdrawn or transferred.

A criminal complaint should request investigation of the recipient account, all subsequent transfers, ATM withdrawals, branch withdrawals, linked phone numbers, account opening documents and camera footage. If money was converted into cryptocurrency, wallet and exchange tracing may be necessary.

Civil claims may also be possible against direct perpetrators, account holders, mule participants or other responsible persons. However, recovery against money mules depends on proving their knowledge, participation or unjust enrichment, according to the legal route chosen.

Disputes may also arise between the paying company and the real supplier. If the buyer paid a fraudulent account, the supplier may still demand payment of the real debt. The buyer may resist by arguing that the supplier’s compromised email caused the loss. This becomes a civil and commercial liability dispute requiring detailed evidence.

12. Supplier and Buyer Disputes After Fake Invoice Fraud

BEC often creates a painful question: who bears the loss, the buyer or the supplier?

The answer depends on facts. If the supplier’s genuine email was hacked and the fake IBAN came from the supplier’s real email account, the buyer may argue that the supplier failed to secure its communication channel. If the buyer received a suspicious bank change notice and failed to verify it through a trusted channel, the supplier may argue that the buyer was negligent. If the fraudster used a lookalike domain unrelated to the supplier’s systems, the analysis may shift again.

Relevant factors include:

Was the email sent from a real or spoofed address?

Had the supplier previously used the same bank account?

Was the IBAN change unusual?

Did the buyer call a known phone number to verify?

Did the contract specify payment account details?

Did the supplier warn of account compromise?

Did either party have cybersecurity obligations?

Were payment instructions altered after invoice issuance?

Did the buyer’s accounting department follow internal controls?

These disputes require careful contract and evidence analysis. BEC is both a criminal fraud and a commercial liability problem.

13. Internal Employee Misconduct and BEC

Sometimes BEC fraud involves insiders. An employee may assist the fraudster by sharing invoice schedules, approving suspicious payments, ignoring verification rules, forwarding emails or using company access for personal gain. A former employee may retain access to corporate email accounts and use that access to redirect payments.

If insider misconduct is suspected, the company should conduct a lawful internal investigation. Evidence may include access logs, mailbox activity, approval records, device logs, USB records, phone communications, bank account connections and witness statements.

However, employee privacy and data protection rules must be respected. The company should not conduct an unlimited search of private communications. Internal investigations should be scoped, documented, proportionate and legally supervised.

14. Bank Responsibility and Payment Security

In BEC cases, victims often ask whether the bank is responsible. The answer depends on the facts. Banks may hold important evidence and may be required to act upon urgent fraud notifications, but not every authorized transfer creates bank liability. If the company’s authorized employee approved the transfer through valid banking procedures, the bank may argue that it executed a legitimate instruction.

However, potential issues may arise where there were suspicious transaction indicators, inadequate controls, delayed action after notification, weak account opening procedures or failure to preserve information. These questions require fact-specific banking law analysis.

Victims should notify banks immediately and in writing. They should request transaction blocking, recall, recipient account information through legal channels and preservation of all relevant records.

15. Law No. 5651 and Fake Domains or Fraudulent Websites

Some BEC attacks use fake websites, lookalike domains or online pages imitating a supplier, law firm, logistics company or payment portal. In such cases, Law No. 5651 may become relevant for access blocking or content removal depending on the nature of the content.

Law No. 5651 regulates internet publications and internet actors such as access providers and hosting providers. Legal commentary notes that access providers have obligations concerning access blocking once informed of illegal content under the relevant legal framework.

If a fake domain continues to deceive customers, the company should preserve evidence and consider platform, hosting, registrar and legal takedown steps. However, content removal alone does not recover stolen money. It should be combined with criminal complaint and banking measures.

16. Prevention: Corporate Controls Against BEC

BEC is preventable when companies adopt strong controls. The most important rule is simple: never change supplier bank details based only on email.

Recommended controls include:

Call-back verification using a phone number already in company records.

Dual approval for all new IBANs.

Dual approval for high-value payments.

Supplier master data change controls.

Written payment verification policy.

Multi-factor authentication for all email accounts.

Blocking auto-forwarding to external addresses.

SPF, DKIM and DMARC configuration.

Employee phishing training.

Warning banners for external emails.

Monitoring of lookalike domains.

Regular mailbox rule audits.

Separation of invoice approval and payment execution roles.

Use of secure supplier portals where possible.

Incident response plan.

Cyber insurance review.

BEC prevention should be treated as legal risk management. A company that has no payment verification process may face difficulty in later disputes with suppliers, customers or insurers.
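The mailbox rule audit recommended above (and the question in section 5 of whether forwarding rules were created), as an added example that is not part of the original article: a Python audit over a constructed, simplified rule export (the field names, domains and addresses are assumptions for the example, not any vendor's schema) that scores each rule for external forwarding, deletion, hiding of finance-related mail and the single-character rule names typical of mailbox abuse.

```python
# Constructed example data (an assumption for this example, not any vendor's
# export format): the company's own domains and a simplified dump of mailbox rules.
INTERNAL_DOMAINS = {"buyer.example"}
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FINANCE_KEYWORDS = ("invoice", "iban", "payment", "bank", "fatura", "ödeme", "banka")

RULES = [
    {"mailbox": "accounts@buyer.example", "name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "IBAN"]},
     "actions": {"forward_to": ["collector@mail.example.org"], "delete": True}},
    {"mailbox": "accounts@buyer.example", "name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "cfo@buyer.example", "name": "Archive supplier mail", "enabled": True,
     "conditions": {"from_contains": ["acme-textile.com"]},
     "actions": {"move_to": "RSS Feeds"}},
    {"mailbox": "hr@buyer.example", "name": "Assistant copy", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["assistant@buyer.example"]}},
]

def is_external(address: str, internal_domains) -> bool:
    """True when the address domain is not one of the company's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains

def mentions_finance(conditions: dict) -> bool:
    """True when any rule condition filters on invoice, payment or bank terms."""
    values = [v.lower() for group in conditions.values() for v in group]
    return any(key in value for value in values for key in FINANCE_KEYWORDS)

def suspicious_name(name: str) -> bool:
    """Rules named with a single character or only punctuation hide in long lists."""
    stripped = name.strip()
    return len(stripped) <= 1 or not any(ch.isalnum() for ch in stripped)

def score_rule(rule: dict, internal_domains=INTERNAL_DOMAINS):
    """Return (score, reasons) for one rule; a higher score is more BEC-like."""
    score, reasons = 0, []
    actions = rule.get("actions", {})
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    external = [t for t in targets if is_external(t, internal_domains)]
    if external:
        score += 3
        reasons.append("forwards to external address(es): " + ", ".join(external))
    if actions.get("delete"):
        score += 2
        reasons.append("deletes matching messages")
    if actions.get("move_to", "").lower() in HIDDEN_FOLDERS:
        score += 2
        reasons.append(f"moves messages to rarely viewed folder {actions['move_to']!r}")
    if actions.get("mark_read"):
        score += 1
        reasons.append("marks messages as read")
    if mentions_finance(rule.get("conditions", {})):
        score += 1
        reasons.append("filters on invoice/payment/bank terms")
    if suspicious_name(rule.get("name", "")):
        score += 1
        reasons.append(f"unusual rule name {rule.get('name')!r}")
    return score, reasons

def severity(score: int) -> str:
    return "high" if score >= 4 else "medium" if score >= 2 else "low"

def audit_rules(rules, internal_domains=INTERNAL_DOMAINS) -> list:
    """Audit every rule, disabled ones included: they are still evidence."""
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule, internal_domains)
        if score:
            findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                             "enabled": rule.get("enabled", True), "score": score,
                             "severity": severity(score), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])
```

Record the flagged rules before disabling them, since the rule definition itself is part of the evidence the criminal complaint will rely on.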

17. Defence Strategies in BEC Allegations

Persons accused in BEC cases may include money mule account holders, employees, IT staff, company managers, suppliers or alleged organizers. Defence strategy depends on the person’s alleged role.

Common defence arguments include:

The accused did not create the fake email.

The accused did not control the recipient account.

The bank account was used by another person.

The accused was deceived as a money mule.

There is no proof of fraudulent intent.

The transaction was part of a genuine commercial relationship.

IP records do not identify the accused.

The email account was compromised by an unknown third party.

The company’s internal controls failed.

The screenshots or emails are incomplete.

The accused did not obtain or keep the unlawful benefit.

The legal classification is excessive.

In BEC cases, intent is crucial. Receiving money into an account is suspicious, but it does not automatically prove that the account holder designed or knew of the fraud. The prosecution must prove knowing participation.

18. Corporate Defence After a BEC Incident

A company may also need to defend itself in civil or regulatory proceedings after a BEC incident. A supplier may sue for unpaid invoices. A customer may claim damages. A data subject may complain about exposure of personal data. A regulator may ask whether the company took adequate security measures.

Corporate defence should show:

The company had payment verification policies.

Employees were trained.

Email security measures were implemented.

The incident was detected and contained quickly.

The bank was notified immediately.

Evidence was preserved.

KVKK assessment was performed.

A criminal complaint was filed.

The company cooperated with authorities.

Remedial measures were implemented.

Documentation is critical. A company that cannot prove its controls may struggle even if it was also a victim.

19. Civil Compensation Claims

BEC fraud may lead to several civil claims:

The victim company may claim compensation from perpetrators.

The paying party may sue the recipient account holder.

A supplier may sue the buyer for unpaid invoice debt.

The buyer may seek damages from the supplier if supplier-side compromise caused the loss.

A company may claim damages from a negligent employee or contractor.

A customer may claim damages if personal data was exposed.

Civil liability depends on fault, causation, contractual obligations, unjust enrichment, negligence and proof of damage. The criminal file may support civil claims, but civil proceedings require a separate legal strategy.

20. Practical Checklist for BEC Victims in Turkey

A company targeted by BEC should immediately:

Stop any pending related payments.

Contact the bank and request urgent action.

Preserve the fraudulent email in original form.

Export full email headers.

Preserve invoice attachments and metadata.

Contact the real supplier through a trusted channel.

Check whether the company mailbox was compromised.

Check whether supplier email was compromised.

Collect internal approval records.

File a criminal complaint.

Request investigation of the recipient bank account.

Assess whether personal data was exposed.

Consider KVKK notification duties.

Review payment controls.

Warn employees and relevant business partners.

Monitor for repeated attempts.

Acting quickly may increase the chance of recovery and strengthen the legal file.

Conclusion

Business Email Compromise in Turkey is a serious corporate cybercrime risk involving fake invoice fraud, payment redirection, email compromise, supplier impersonation and executive impersonation. The main criminal classification is often qualified fraud under Turkish Penal Code Article 158/1-f because information systems and banking channels are used as instruments. If a real email account is accessed, Articles 243 and 244 may also apply. If personal data in compromised mailboxes is exposed, KVKK breach notification duties may arise.

For victims, the most important steps are immediate bank notification, evidence preservation, criminal complaint, email forensic review and KVKK assessment. For companies, prevention requires strong payment verification controls, email security, employee training and incident response planning. For suspects, defence must focus on intent, digital attribution, account control, benefit and reliability of evidence. For commercial parties, BEC may also create difficult civil disputes about who bears the loss after a fake invoice payment.

In Turkey’s digital business environment, a single fraudulent email can redirect a major payment within minutes. Effective legal protection depends on speed, technical evidence, correct criminal classification and strong corporate controls. Companies should treat BEC not as an ordinary accounting mistake, but as a combined cybercrime, fraud, data protection and corporate liability risk.
