Introduction
Cybercrime in e-commerce in Turkey has become a major legal risk for online sellers, marketplaces, payment institutions, consumers, logistics providers and digital platforms. As online shopping grows, criminals increasingly use fake orders, stolen card data, phishing pages, fake delivery messages, account takeover, chargeback abuse, refund fraud, business e-mail compromise, fake marketplace stores and personal data theft to obtain unlawful benefits.
E-commerce fraud is legally complex because it combines several areas of law. A single incident may involve qualified fraud under the Turkish Penal Code, unauthorized access to information systems, bank or credit card misuse, personal data offences, consumer protection rules, payment service regulations, KVKK data breach duties, platform liability, civil compensation claims and criminal complaint procedures.
Turkey’s e-commerce framework is mainly based on Law No. 6563 on the Regulation of Electronic Commerce and its secondary legislation. The framework has been significantly amended in recent years, especially with Law No. 7416 and subsequent regulations affecting e-commerce service providers and intermediary service providers. Legal updates note that these amendments introduced important obligations and restrictions for e-commerce actors, particularly to regulate market behaviour and competition in the digital economy.
This article explains cybercrime in e-commerce in Turkey from a practical legal perspective. It focuses on fake orders, payment fraud, consumer risks, criminal liability, evidence preservation, platform obligations, KVKK issues, civil remedies and defence strategies.
1. What Is E-Commerce Cybercrime?
E-commerce cybercrime refers to criminal or unlawful digital conduct connected to online buying, selling, payment, delivery or marketplace activity. It may target consumers, sellers, platforms, banks, cargo companies or payment institutions.
Common examples include:
Fake orders placed with stolen card data.
Fraudulent refund requests.
Account takeover of customer or seller accounts.
Phishing pages imitating e-commerce platforms.
Fake cargo SMS messages.
Fraudulent marketplace stores.
Payment redirection through fake invoices.
Chargeback abuse.
Use of mule accounts for fraud proceeds.
Misuse of consumer personal data.
Fake customer support scams.
Unauthorized access to seller panels.
Bot-based coupon abuse.
Identity theft for online purchases.
The key legal question is whether the conduct involves deception, unauthorized access, unlawful benefit, misuse of payment instruments or unlawful processing of personal data.
2. Fake Orders in Turkish E-Commerce
Fake orders may occur in different ways. A fraudster may place an order using stolen credit card information. A person may order goods with false identity information and then claim non-delivery. A buyer may receive goods and file a false chargeback. A fraud ring may use multiple accounts, fake addresses and mule recipients. A competitor may place false orders to harm a seller’s inventory, logistics process or marketplace rating.
Not every cancelled or suspicious order is a crime. E-commerce businesses must distinguish between ordinary consumer disputes and fraudulent conduct. Criminal liability becomes more likely when there is deception, false identity, stolen payment data, organized repetition, unlawful benefit or intentional damage to the seller.
For sellers, fake order cases should be documented carefully. Evidence may include order records, IP logs, delivery receipts, cargo records, customer communication, card transaction details, account creation information, device data, marketplace messages and refund/chargeback records.
3. Payment Fraud and Qualified Fraud Under Turkish Penal Code Article 158
The main criminal provision in many e-commerce fraud cases is qualified fraud under Article 158 of the Turkish Penal Code. Article 158/1-f is particularly relevant because it covers fraud committed by using information systems, banks or credit institutions as instruments. UNODC’s English materials identify this form as fraud committed by using information systems, banks or credit institutions as tools.
In e-commerce, Article 158/1-f may apply where a perpetrator uses a website, marketplace account, fake payment page, online banking channel, credit card system or digital platform to deceive the victim and obtain unlawful benefit.
Examples include:
Creating a fake online store and collecting payments without delivering goods.
Using a fake cargo payment page to obtain card data.
Imitating a marketplace seller to collect money outside the platform.
Sending fake payment confirmation screenshots to obtain goods.
Manipulating online payment systems to receive refunds.
Using information systems to deceive consumers into transferring money.
The complaint should show the fraudulent act clearly. It should explain what representation was false, how the victim was deceived, what payment or delivery occurred, and who obtained the unlawful benefit.
4. Misuse of Bank or Credit Cards in Online Shopping
Many e-commerce fraud cases involve stolen or unlawfully obtained card data. Turkish Penal Code Article 245 regulates misuse of bank or credit cards. It may apply where a person uses another person’s card without consent or secures benefit by allowing such use. The official English text of the Turkish Penal Code includes criminal provisions on bank and credit card misuse, counterfeit cards and obtaining benefit through such cards.
In online shopping, Article 245 may become relevant where:
Stolen card data is used to buy goods.
Card information is obtained through phishing.
A fake payment page captures card details.
A person uses another person’s card without permission.
Counterfeit or unlawfully obtained card information is used online.
Fraudsters use card data to purchase resalable goods.
For victims, quick bank notification is critical. For sellers, the issue is more complicated because the seller may deliver goods before learning that the payment was unauthorized. Sellers should preserve transaction logs, delivery records, customer identity information and communication records.
5. Phishing in E-Commerce
Phishing is one of the most common e-commerce cybercrime methods. Fraudsters send messages that appear to come from online marketplaces, cargo companies, payment providers, banks or sellers. The message may say that a package is waiting, a payment failed, an account is blocked, a refund is ready or a delivery fee must be paid.
The victim clicks a link and enters card information, login credentials, SMS codes or personal data into a fake page. The fraudster then uses this information for online purchases, account takeover or unauthorized money transfers.
Phishing may involve several offences: qualified fraud, unauthorized access, bank card misuse and personal data offences. If the phishing page imitates a real e-commerce platform, the platform may also need to act quickly to protect users and preserve evidence.
Victims should preserve the SMS, e-mail, URL, screenshots, payment records and bank notifications. Deleting the original message may make investigation harder.
6. Account Takeover of Customer and Seller Accounts
Account takeover occurs when a fraudster gains unauthorized access to a customer account, seller account, marketplace account, payment account or e-commerce admin panel. The fraudster may place orders, change delivery addresses, use saved payment methods, withdraw seller balances, alter product listings or steal customer data.
Turkish Penal Code Article 243 may apply where the offender unlawfully enters or remains in an information system. Article 244 may apply where the offender deletes, alters, transfers or makes data inaccessible. The Council of Europe identifies Articles 243 and 244 as core Turkish cybercrime provisions concerning unlawful access and interference with systems or data.
For platforms and sellers, account takeover should be treated as both a fraud risk and a data security incident. Logs, IP addresses, device identifiers, password reset records, account changes, withdrawal records and order history should be preserved immediately.
7. Fake Marketplace Stores
Fake marketplace stores are another serious risk. Fraudsters may open seller accounts using false or stolen identity information, list attractive products at unrealistic prices, collect payments and disappear. In some cases, they may upload fake cargo tracking numbers or send low-value items instead of the advertised product.
Marketplace operators should have seller verification, complaint handling, suspicious transaction monitoring and user protection mechanisms. Recent e-commerce regulations in Turkey include obligations for e-commerce intermediary service providers and service providers, including duties related to information, transparency and platform conduct.
Consumers should be cautious of sellers with no reliable history, prices far below market value, requests for off-platform payment and inconsistent identity information. Sellers and platforms should preserve all seller registration records, IP logs, payment account information, customer complaints and delivery records.
8. Consumer Risks in Online Shopping
Consumers face several risks in e-commerce cybercrime:
Paying for goods that are never delivered.
Receiving counterfeit or different products.
Entering card data into fake payment pages.
Losing account access through phishing.
Being deceived by fake discount campaigns.
Having personal data misused.
Being contacted by fake customer service accounts.
Being persuaded to pay outside the marketplace.
Turkish consumer law provides important protections for distance contracts. Law No. 6502 on Consumer Protection states that consumers have a right of withdrawal from distance contracts within fourteen days without giving reasons and without paying penalties, subject to legal exceptions.
However, consumer law remedies and cybercrime remedies are not the same. If a legitimate seller delays delivery, the matter may be a consumer dispute. If a fake store was created to deceive consumers from the beginning, criminal fraud may be involved. A lawyer should classify the case correctly.
9. Distance Contracts and E-Commerce Obligations
In Turkish e-commerce, sellers and suppliers must comply with distance contract rules. Consumers must receive clear information before concluding the contract, including the seller’s identity, product characteristics, total price, delivery terms and withdrawal rights. Law No. 6502 regulates distance contracts and requires clear pre-contractual information before the consumer accepts the offer.
This matters in fraud cases because fake sellers often hide identity, provide false contact details, avoid formal invoices, demand off-platform payments or fail to provide legally required information. These facts may support the argument that the seller did not operate as a legitimate e-commerce trader but as part of a fraudulent scheme.
For legitimate sellers, compliance with distance contract rules also reduces disputes. Clear product descriptions, transparent pricing, proper return policies, invoice issuance and documented delivery protect sellers against false claims.
10. Chargeback Abuse and Refund Fraud
Chargeback abuse occurs when a buyer receives goods or services but falsely claims that the transaction was unauthorized, the goods were not received or the product was defective. Refund fraud may also involve returning a different item, returning an empty box, manipulating delivery records or using multiple accounts to exploit campaigns.
These cases can be difficult because consumer protection rules are designed to protect genuine consumers. Sellers must avoid treating every chargeback as fraud. However, repeated, organized or deceptive conduct may justify legal action.
Evidence is crucial. Sellers should preserve:
Order confirmation.
IP and device records.
Payment confirmation.
Delivery receipt.
Cargo tracking.
Recipient signature or ID records.
Customer messages.
Product serial numbers.
Return package records.
Camera footage, if available.
Marketplace dispute records.
If fraud is clear, the seller may file a criminal complaint and pursue civil compensation.
11. Fake Delivery and Cargo Scams
E-commerce consumers are frequently targeted by fake cargo messages. These messages claim that a package is waiting, customs or delivery fees are due, or the address must be confirmed. The link leads to a fake payment page where card data is stolen.
This may constitute qualified fraud, phishing, bank card misuse and personal data offences. If a real cargo company’s name or logo is used, the company may also be a reputational victim.
Consumers should not click payment links from unknown SMS messages. Cargo companies and e-commerce platforms should warn users, monitor fake domains and file complaints where their names are misused.
12. KVKK and Personal Data in E-Commerce Fraud
E-commerce platforms process large amounts of personal data: names, addresses, phone numbers, e-mail addresses, payment-related data, order histories, invoices, customer complaints, IP addresses and device data. If this data is accessed or obtained unlawfully, the Turkish Personal Data Protection Law may be triggered.
KVKK Article 12 requires data controllers to take necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access and ensure protection of personal data. If processed personal data is obtained by others unlawfully, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.
The Personal Data Protection Board’s Decision No. 2019/10 interprets Board notification as without delay and no later than 72 hours after the controller becomes aware of the breach. If notification cannot be made within 72 hours, reasons for delay must be attached, and information may be provided gradually.
Therefore, an e-commerce fraud incident may also be a data breach if customer accounts, seller panels, order databases or payment-related records were compromised.
13. Cybersecurity Law No. 7545 and E-Commerce Platforms
Turkey’s Cybersecurity Law No. 7545 entered into force after publication in the Official Gazette on 19 March 2025. Legal updates describe the law as establishing a broader framework for protecting public institutions, private entities and individuals operating in cyberspace against cyber threats.
E-commerce platforms should treat cybersecurity as a governance issue. Depending on the platform’s size, sector, systems and risk profile, cyber incidents may require internal reporting, authority cooperation, technical measures and documentation. The law does not replace KVKK or criminal law, but it adds another layer to cyber incident management.
For e-commerce companies, this means fraud prevention, account security, payment monitoring, incident response and data protection should be managed together.
14. Digital Evidence in E-Commerce Cybercrime
Digital evidence is decisive in e-commerce fraud cases. The victim, seller or platform should preserve evidence before accounts are deleted or records are overwritten.
Important evidence includes:
Order records.
Payment records.
IP addresses.
Device identifiers.
Account creation data.
Delivery addresses.
Cargo tracking records.
Customer messages.
Seller panel logs.
Product listing records.
Bank transaction receipts.
Chargeback records.
Phishing URLs.
E-mail headers.
SMS messages.
Refund requests.
Return cargo records.
Marketplace dispute records.
For platforms, log retention and integrity are essential. For consumers, screenshots should show URL, seller name, product page, price, payment method, messages and order number. For sellers, delivery and product identity evidence may be critical.
15. Criminal Complaint Strategy
A criminal complaint for e-commerce cybercrime should be specific. It should identify the fraudulent act, payment method, digital platform, suspect accounts, bank accounts, order records and damage.
A strong complaint should include:
Victim identity.
Platform or website used.
Seller or buyer account information.
Order number and product details.
Payment date and amount.
Bank account or card transaction data.
Delivery address and cargo records.
Messages and screenshots.
Phishing URL or fake website, if any.
IP, device or account records, if available.
Description of deception.
Damage amount.
Legal qualification under Article 158, Article 243, Article 244 or Article 245 where applicable.
Requests for bank, platform, cargo, IP and telecom records.
If the complaint concerns a platform-wide fraud, the platform should also provide technical records and identify whether multiple victims exist.
16. Remedies for Consumers
Consumers affected by e-commerce fraud may pursue several remedies:
Complaint to the seller or platform.
Bank or card chargeback request.
Consumer arbitration committee or consumer court application, where appropriate.
Criminal complaint for fraud or cybercrime.
KVKK application if personal data was misused.
Civil compensation claim.
Request for removal of fake websites or impersonation accounts.
The correct route depends on whether the issue is a consumer dispute or a criminal fraud. For example, non-delivery by a legitimate seller may be handled through consumer remedies. A fake seller using stolen identity and collecting payments from many victims may require criminal complaint.
17. Remedies for Sellers and Platforms
Sellers and platforms may also be victims. Fake buyers, chargeback fraud, stolen card orders, bot abuse, fake complaints and account takeover can cause major losses.
Sellers and platforms may pursue:
Criminal complaints.
Civil compensation claims.
Bank and payment provider objections.
Marketplace dispute procedures.
Account suspension of fraudulent users.
Evidence preservation.
Claims against mule account holders.
Security improvements.
Consumer complaint defence.
Platforms should maintain fair complaint handling mechanisms. They must protect consumers from fraud while also preventing abuse against legitimate sellers.
18. Liability of Marketplaces
Marketplace liability depends on the legal relationship, platform role, knowledge of unlawful content or activity, contractual obligations and applicable e-commerce rules. Turkish e-commerce legislation distinguishes between e-commerce service providers and intermediary service providers, and secondary regulations impose various obligations on actors in the e-commerce ecosystem.
A marketplace may not automatically be liable for every seller fraud. However, risk may increase if the platform fails to verify seller information where required, ignores repeated complaints, allows obviously fraudulent listings to continue, or fails to implement reasonable fraud prevention procedures.
Platforms should maintain seller verification, complaint monitoring, suspicious transaction detection, takedown procedures and cooperation with law enforcement.
19. Defence Strategies in E-Commerce Fraud Allegations
Persons accused of e-commerce fraud may include buyers, sellers, platform users, money mule account holders, payment recipients, warehouse operators, delivery recipients or platform staff.
Possible defence arguments include:
The transaction was a civil consumer dispute, not fraud.
The product was delivered.
The refund request was legitimate.
The accused did not control the account.
The payment account was used by another person.
The accused did not know the card was stolen.
The account was compromised.
The IP address does not identify the accused.
The evidence is incomplete.
The buyer provided false delivery claims.
The seller experienced supplier or logistics problems, not fraudulent intent.
The legal classification is excessive.
Intent is crucial. Turkish criminal law requires proof of fraudulent conduct and unlawful benefit. A failed delivery or refund dispute should not automatically become a criminal conviction.
20. Practical Checklist for Consumers
Consumers should:
Use trusted platforms.
Avoid off-platform payments.
Check seller identity and reviews.
Be suspicious of prices far below market value.
Do not click cargo payment links from unknown SMS messages.
Use secure payment methods.
Preserve order and payment records.
Save seller messages.
File bank objections quickly after unauthorized transactions.
File a criminal complaint if fraud is clear.
Change passwords after suspicious activity.
Enable two-factor authentication.
Monitor card and bank statements.
21. Practical Checklist for E-Commerce Sellers
Sellers should:
Verify suspicious high-value orders.
Use fraud detection tools.
Preserve delivery records.
Record product serial numbers.
Use secure payment systems.
Avoid shipping to suspicious addresses without verification.
Monitor repeated refund or chargeback patterns.
Keep customer communication on-platform.
Preserve cargo records and return package evidence.
Train staff against fake payment confirmations.
Secure seller panel accounts.
Use multi-factor authentication.
Document consumer disputes carefully.
22. Practical Checklist for Marketplaces
Marketplaces should:
Verify seller information.
Monitor fake listings.
Detect stolen-card patterns.
Protect seller and customer accounts.
Preserve logs.
Implement account takeover alerts.
Provide complaint channels.
Cooperate with lawful authority requests.
Warn users against off-platform payments.
Monitor phishing domains using platform brand.
Apply fair dispute resolution.
Maintain KVKK breach response procedures.
Review cybersecurity obligations.
Document fraud response actions.
Conclusion
Cybercrime in e-commerce in Turkey involves fake orders, payment fraud, phishing, fake marketplace stores, account takeover, chargeback abuse, cargo scams and consumer data misuse. The main legal provisions may include Turkish Penal Code Article 158/1-f on qualified fraud, Article 243 on unauthorized access, Article 244 on system interference and Article 245 on bank or credit card misuse. Consumer law, e-commerce legislation, KVKK and cybersecurity rules may also become relevant depending on the facts.
For consumers, the strongest protection is cautious online behaviour, secure payment methods, evidence preservation and fast bank notification. For sellers, the key issues are fraud detection, delivery evidence, payment verification and defence against abusive refund claims. For marketplaces, the challenge is balancing consumer protection, seller fairness, platform compliance and cybercrime prevention.
E-commerce fraud should not be treated as a simple online shopping inconvenience. It may involve organized cybercrime, stolen payment data, identity theft, personal data breaches and large financial losses. Effective legal action in Turkey requires fast evidence preservation, correct criminal classification, coordinated platform-bank-cargo records and careful use of consumer, civil, criminal and data protection remedies.
Yanıt yok