Introduction
Telecom fraud in Turkey has become one of the most serious legal and practical risks for consumers, companies, banks, telecom operators, mobile virtual network operators, fintech platforms, e-commerce businesses and digital service providers. Mobile numbers are no longer used only for calls and SMS. They are now connected to banking applications, e-Government accounts, social media profiles, crypto platforms, online marketplaces, e-mail accounts, payment systems, delivery applications, cloud services and two-factor authentication processes.
For this reason, a fraudulent telecom transaction may quickly turn into a broader financial and identity crime. A SIM swap attack may allow a fraudster to receive SMS verification codes. A phishing link may capture online banking credentials. A fake customer service call may trick a victim into sharing one-time passwords. An unauthorized mobile line opened with another person’s identity may be used for fraud, harassment, illegal betting, spam or cybercrime. A data leak may expose identity information that is later used to open telecom subscriptions or reset digital accounts.
Turkish law provides several remedies against telecom fraud. These remedies may include criminal complaints, urgent requests to banks and telecom operators, BTK complaints, KVKK applications, consumer arbitration, consumer court claims, civil compensation actions, injunction requests, evidence preservation and administrative complaints. The correct legal strategy depends on the type of fraud, the amount of damage, the parties involved, the available evidence and the urgency of stopping further harm.
Telecom fraud cases usually require rapid action. The victim should immediately block the affected SIM or eSIM, notify the bank, change passwords, preserve evidence, request transaction logs, file complaints and prevent further account takeover. Delays may allow fraudsters to move money, delete traces, open additional lines, transfer crypto assets or use the victim’s identity in new crimes.
What Is Telecom Fraud?
Telecom fraud refers to fraudulent conduct involving electronic communications services, mobile lines, SIM cards, eSIM profiles, phone numbers, SMS verification, subscriber records, call services, internet access or telecom customer data. It can be committed by external criminals, organized fraud groups, dishonest dealers, fake call center operators, phishing actors, malware operators, identity thieves or insiders.
Common forms of telecom fraud include:
SIM swap fraud.
Unauthorized SIM or eSIM replacement.
Opening mobile lines with another person’s identity.
Phishing through SMS, e-mail or fake websites.
Fake bank or operator customer service calls.
Mobile number takeover.
Unauthorized number portability.
Identity misuse in telecom subscriptions.
Use of telecom accounts for bank account takeover.
Fraudulent value-added service subscriptions.
Premium SMS or call abuse.
Unauthorized mobile payment charges.
Corporate line misuse.
Dealer-based subscription fraud.
Fraud through stolen identity documents.
Telecom fraud is often multi-layered. For example, a fraudster may first obtain identity information through a data leak, then call a mobile operator’s dealer, request a SIM replacement, receive the victim’s bank SMS codes, access the victim’s online banking account and transfer money to mule accounts. In such a case, the legal analysis may involve telecom law, criminal law, banking law, personal data protection law and civil liability at the same time.
SIM Swap Fraud in Turkey
SIM swap fraud is one of the most dangerous telecom fraud methods. It occurs when a fraudster obtains control of a victim’s mobile number by causing the telecom operator, dealer or system to issue a replacement SIM or eSIM profile. Once the victim’s number is transferred to the fraudster’s SIM or eSIM, the victim’s phone may lose signal. The fraudster may then receive SMS codes and reset passwords or approve banking transactions.
SIM swap fraud is especially dangerous because many digital services still rely on SMS-based verification. Banks, e-commerce platforms, e-mail providers, social media platforms and crypto exchanges may send one-time passwords to the registered phone number. If the fraudster controls that number, the victim’s digital identity becomes vulnerable.
In Turkey, identity verification for telecom subscription and SIM-related transactions has become stricter. BTK’s 2026 framework provides that subscription contracts may be established in written or electronic form only after the applicant’s identity is verified through recognized methods, and it includes detailed rules for electronic identity verification, foreign applicants and corporate subscribers.
This is important for SIM swap disputes. If a victim claims that a SIM replacement, eSIM activation or line transaction was performed without authorization, the operator should be able to prove how identity was verified, who requested the transaction, which documents were used, which dealer or channel processed it and whether transaction-specific approval was obtained.
Phishing and Fake Customer Service Fraud
Phishing is another common telecom-related fraud method. Fraudsters may send SMS messages pretending to be banks, courier companies, telecom operators, tax offices, e-Government services, enforcement offices, prosecutors, marketplaces or payment platforms. These messages often contain links to fake websites designed to capture credentials, credit card information, one-time passwords or identity data.
Phishing may also occur through calls. Fraudsters may pretend to be bank officers, telecom employees, police officers, prosecutors or technical support representatives. They may say that the victim’s account is under attack, that a suspicious transaction must be stopped, that a SIM card must be updated, that a campaign must be approved or that a legal file exists. The purpose is to make the victim act quickly and share confidential information.
From a legal perspective, phishing may constitute fraud, qualified fraud through information systems or banks, unlawful access to information systems, personal data offences and misuse of bank or credit cards depending on the facts. The Turkish Criminal Code includes cyber-related offences such as unlawful access to information systems and interference with systems or data, and BTK’s public internet law materials identify TCK Articles 243 and 244 as core cybercrime provisions.
Where phishing is used to obtain bank card information or to make unauthorized card transactions, the offence may also intersect with the crime of misuse of bank or credit cards. Legal commentary on TCK Article 245 explains that this offence aims to prevent unlawful use of bank and credit cards and the obtaining of benefit through such use.
Identity Misuse in Telecom Subscriptions
Identity misuse occurs when a mobile line, internet subscription, SIM card, eSIM profile, device installment plan or telecom account is opened or changed using another person’s identity information without consent. This may happen through stolen identity cards, copied documents, leaked personal data, forged signatures, fake powers of attorney, dealer misconduct or weak remote verification.
Identity misuse creates serious problems. The victim may receive invoices for services they never used. Their name may appear in criminal investigations because the line was used for fraud or harassment. Debt collection proceedings may be initiated. Their creditworthiness may be affected. Their personal data may be processed unlawfully.
The victim should first request from the operator all subscription documents, identity verification records, dealer information, activation date, SIM change logs, device purchase documents, number portability records and invoice details. If the operator does not resolve the issue, a complaint may be filed through BTK’s Consumer Complaint Notification System on e-Government, which requires identity verification through accepted methods such as e-Government password, mobile signature, electronic signature, Turkish ID card or internet banking.
Criminal Law Remedies
Telecom fraud usually requires a criminal complaint. The complaint may be filed with the public prosecutor’s office or law enforcement units. In urgent cases, the victim should request immediate preservation of digital evidence and bank transaction traces.
Depending on the facts, the complaint may refer to several offences. These may include fraud, qualified fraud through use of information systems or banks, unlawful access to information systems, interference with systems or data, misuse of bank or credit cards, unlawful acquisition or dissemination of personal data, forgery, threats, harassment or membership in an organized criminal group.
The legal qualification should be made according to the facts. A simple phishing case may involve qualified fraud. A SIM swap followed by unauthorized bank transfers may involve both telecom-related misconduct and banking fraud. A fake line opened with stolen identity may involve personal data offences, forgery and fraud. A fraudster who accesses online banking after obtaining SMS codes may also commit cybercrime-related offences.
A strong criminal complaint should include a clear timeline. The victim should explain when the mobile signal disappeared, when suspicious SMS messages were received, which bank transactions occurred, which phone numbers called, which links were clicked, which operator branch processed the SIM change, which accounts were accessed and what damage occurred.
Civil Compensation Claims
Criminal proceedings may punish offenders, but they do not always fully compensate the victim. Therefore, civil compensation claims may also be necessary. A victim may claim pecuniary damages for stolen money, unauthorized invoices, device debts, bank losses, legal expenses and other measurable losses. In serious cases, non-pecuniary damages may also be considered, especially where identity misuse caused reputational harm, distress, legal pressure or exposure to criminal suspicion.
Potential defendants may include the actual fraudster, mule account holders, persons who used the victim’s identity, negligent telecom dealers, telecom operators, banks or other service providers depending on fault, causation and legal duties. Liability analysis must be conducted carefully. Not every fraud automatically creates operator or bank liability, but weak identity verification, delayed response, failure to block suspicious transactions, poor data security or ignoring complaints may support liability arguments.
Civil claims require evidence. The victim should preserve bank statements, operator records, complaint numbers, screenshots, call logs, SMS messages, e-mails, IP logs, police reports, prosecutor complaint copies, BTK complaint records and correspondence with all institutions.
Telecom Operator Liability
Telecom operators and MVNOs have a central role in preventing telecom fraud. They control subscriber records, SIM activation, eSIM activation, SIM replacement, number portability, customer identity verification, dealer systems and customer service channels.
If a SIM swap or unauthorized line activation occurs because the operator or dealer failed to verify identity properly, the operator may face regulatory complaints and civil liability. BTK’s 2026 identity verification framework places strong emphasis on verifying the applicant’s identity during subscription contract formation, including electronic contracts, temporary identity documents, foreign applicants and corporate subscribers.
In a SIM swap case, key questions include:
Who requested the SIM replacement?
Was the request made at a dealer, call center, online channel or mobile application?
Which identity document was used?
Was biometric, electronic identity, SMS, video or e-Government approval used?
Was the old SIM notified before replacement?
Was there any suspicious activity?
Were there repeated failed attempts?
Was the dealer previously involved in complaints?
Did the operator respond quickly after the victim complained?
Operators should maintain audit-ready records. If the operator cannot prove lawful identity verification, the victim’s compensation claim becomes stronger.
Dealer Liability
Many telecom fraud cases involve dealers. A dealer may be negligent or complicit. For example, a dealer may accept a photocopy instead of an original identity document, ignore obvious inconsistencies, process a SIM replacement without the subscriber, activate lines under fake identities or assist fraudsters in exchange for money.
The operator may argue that the dealer acted outside authority. However, from the victim’s perspective, the dealer often appears as the operator’s authorized sales channel. Therefore, dealer agreements, authorization scope, audit records and transaction logs become important.
A victim should request identification of the dealer or channel that processed the fraudulent transaction. In criminal complaints, the victim should ask prosecutors to obtain CCTV footage, dealer transaction records, employee login records, identity verification files and system logs before they are deleted.
Bank Liability and Unauthorized Transactions
Telecom fraud often ends with bank account takeover. After gaining control of a mobile number or credentials, fraudsters may transfer money, take loans, increase limits, create virtual cards, withdraw funds, buy crypto assets or make card payments.
The victim should immediately notify the bank and request blocking of accounts, reversal of pending transfers, chargeback where applicable, investigation of suspicious transactions, preservation of IP logs and recipient account information. The bank should be asked to provide written confirmation of the complaint.
Bank liability depends on the facts. Courts may examine whether the bank used adequate security measures, whether the transaction was unusual, whether the customer shared credentials, whether the bank warned the customer, whether SMS-only authentication was sufficient, whether the bank delayed blocking, and whether the fraud could have been detected. The telecom operator’s role and bank’s role should be analyzed together because the fraud chain may involve both weak SIM verification and weak financial transaction monitoring.
If the amount is within the 2026 consumer arbitration threshold, some consumer-related disputes may be brought before consumer arbitration committees; the Ministry of Trade announced that, for 2026, consumer disputes below TRY 186,000 may be brought before provincial or district consumer arbitration committees.
KVKK Remedies and Personal Data Violations
Telecom fraud often involves personal data. Fraudsters may use identity numbers, passport data, phone numbers, addresses, bank information, SIM records, IP addresses, device identifiers, call logs or images of identity documents. If a telecom operator, bank, dealer, platform or other data controller failed to protect personal data, KVKK remedies may be relevant.
Under KVKK practice, data breaches must be notified to the Personal Data Protection Board within the shortest time; the Board interprets this as no later than 72 hours after the data controller becomes aware of the breach, and affected persons must also be notified within a reasonable time.
A victim may apply to the relevant data controller and request information about whether personal data was processed, whether it was transferred, whether unauthorized access occurred, and what security measures were taken. If the response is insufficient or no response is provided within the statutory framework, a complaint to the Personal Data Protection Authority may be considered.
KVKK claims are especially important where the fraud was made possible by leaked identity documents, unauthorized dealer access, insecure customer panels, insider misuse, poor access controls or unlawful sharing of subscriber data.
BTK Complaint Route
BTK complaints are important where the dispute concerns a telecom operator’s conduct. The victim may complain about unauthorized SIM change, unauthorized line activation, failure to cancel fraudulent lines, improper billing, dealer misconduct, number portability problems, identity misuse, value-added service fraud or operator failure to respond.
BTK’s Consumer Complaint Notification System is available through e-Government and requires identity verification before use.
A BTK complaint should be concise but evidence-based. The complainant should include:
Subscriber name and phone number.
Fraud date and time.
Description of SIM loss or unauthorized transaction.
Operator complaint number.
Dealer information, if known.
Invoice or debt information.
Bank fraud connection, if any.
Criminal complaint reference, if available.
Requested remedy.
The victim should request cancellation of unauthorized transactions, correction of subscriber records, removal of debt, investigation of dealer misconduct, preservation of logs and written response.
Evidence Collection in Telecom Fraud Cases
Evidence collection is critical. Telecom fraud can move quickly, and digital evidence may disappear. The victim should preserve all relevant materials immediately.
Important evidence includes:
SMS messages.
Phishing links.
Screenshots of fake websites.
Caller phone numbers.
Call logs.
Bank transaction screenshots.
Mobile signal loss time.
Operator notifications.
SIM replacement messages.
eSIM activation e-mails or QR records.
Bank complaint numbers.
Operator complaint numbers.
IP logs requested from platforms.
Device information.
CCTV requests for dealer locations.
Cargo or delivery records for SIM or device.
E-mails from platforms.
Social media login alerts.
Criminal complaint copy.
BTK complaint record.
KVKK application copy.
The victim should not delete suspicious messages after taking screenshots. The original message may contain sender data, link structure or timing evidence. If possible, the phone should be examined by a technical expert in serious cases.
Emergency Steps for Victims
A victim of telecom fraud should act immediately. The following steps are usually urgent:
Call the mobile operator and block the SIM.
Request blocking of any recent SIM or eSIM replacement.
Call the bank and block accounts, cards and mobile banking.
Change e-mail and banking passwords from a secure device.
Disable SMS-based verification where possible and use stronger authentication.
Notify crypto exchanges and digital platforms.
Request written complaint numbers from the operator and bank.
File a criminal complaint.
File a BTK complaint if the operator is involved.
Send a written request to the operator for logs and documents.
Send a written request to the bank for transaction records.
File KVKK applications where personal data misuse is suspected.
Time is crucial. Fraudsters may move funds through multiple accounts quickly. Early bank notification may help freeze pending transactions or identify recipient accounts.
Legal Strategy for SIM Swap Cases
A SIM swap case should be built around three questions: how the SIM was changed, how the fraudster used the number and who failed to prevent the harm.
The complaint should request investigation of the operator’s transaction records, dealer records, employee login logs, CCTV footage, identity verification files, bank transaction logs, IP addresses, device fingerprints, recipient accounts and money transfer chain.
The victim should also request from the operator a written explanation of the SIM replacement process. If the operator refuses to disclose documents, this refusal should be documented. In litigation, the court may request these records directly.
Where bank losses occurred, the case should not be framed only as a telecom dispute. It should also include bank security, transaction monitoring and unauthorized transfer issues.
Legal Strategy for Phishing Cases
A phishing case should focus on the fake communication channel, the deception method, the captured data, the financial transactions and the technical traces.
The victim should preserve the phishing SMS, e-mail header, URL, website screenshots, domain information, call numbers, bank transaction records and device alerts. The criminal complaint should request identification of domain owners, hosting providers, IP addresses, bank recipient accounts, mule account holders and telecom subscriber records linked to fraudulent numbers.
If the phishing message used the name of a bank, courier, telecom operator or public institution, the victim should notify that institution. If a brand failed to warn users after widespread phishing campaigns, this may be relevant in a broader consumer or regulatory context, but liability depends on facts.
Legal Strategy for Unauthorized Lines
Where a line is opened in the victim’s name without consent, the victim should request immediate cancellation and correction of records. The victim should not simply ignore invoices. Written objection is important.
The request to the operator should include:
A statement that the line was not opened by the victim.
A demand for cancellation of the line.
A demand for cancellation of all invoices and debts.
A demand for subscription documents.
A demand for identity verification records.
A demand for dealer/channel information.
A demand for preservation of all logs.
A demand for written response.
If the operator does not resolve the issue, the victim may file a BTK complaint, consumer application and criminal complaint. If a debt collection proceeding has started, separate legal objection may be necessary within the applicable deadline.
Corporate Telecom Fraud
Companies may also suffer telecom fraud. Fraudsters may obtain corporate SIM cards, port corporate numbers, access company e-mails through SMS reset, impersonate managers, redirect customer calls, abuse call center systems or obtain IoT SIMs.
Corporate victims should review internal authorization procedures. Who can request new lines? Who can request SIM replacement? Are former employees’ lines cancelled? Are corporate numbers tied to banking approvals? Are SIM cards used for system authentication? Are dealer requests approved by authorized signatories?
Corporate telecom fraud may involve employment law, trade secrets, cybercrime, data protection, banking law and contractual liability. Companies should have a written telecom asset policy and immediate offboarding procedures.
Preventive Measures for Consumers
Consumers can reduce telecom fraud risk by taking several precautions:
Do not share one-time passwords.
Do not click suspicious SMS links.
Do not approve unknown e-Government or operator transactions.
Use app-based authentication instead of SMS where possible.
Set strong passwords for e-mail and banking.
Enable transaction notifications.
Check whether unknown lines exist in your name.
Do not leave identity documents with unauthorized dealers.
React immediately if your phone suddenly loses signal.
Keep operator and bank hotline numbers saved.
Use separate e-mail addresses for banking and ordinary registrations.
No measure eliminates all risk, but layered protection reduces the likelihood and impact of fraud.
Preventive Measures for Operators and Banks
Telecom operators and banks should treat telecom fraud as a joint ecosystem risk. Operators should strengthen SIM replacement and eSIM activation controls. Banks should not rely exclusively on SMS where risk is high. Both sectors should monitor unusual patterns.
Operators should implement:
Enhanced verification for SIM replacement.
Notifications to the existing SIM before replacement.
Cooling periods for high-risk transactions.
Dealer fraud scoring.
CCTV and transaction audit requirements.
Immediate fraud hotline.
eSIM QR code security.
Subscriber alerts for changes.
Banks should implement:
Risk-based authentication.
Transaction anomaly detection.
Delayed execution for suspicious transfers.
Device binding.
Call-back verification for high-risk actions.
Strong fraud reporting channels.
Rapid freezing procedures.
SMS-based authentication alone may not be sufficient against SIM swap attacks.
Conclusion
Telecom fraud in Turkey is a complex legal problem involving telecom operators, banks, digital platforms, dealers, data controllers and criminal actors. SIM swap, phishing and identity misuse can quickly lead to bank account takeover, unauthorized lines, digital identity theft, personal data violations and serious financial loss.
Victims should act immediately: block the SIM, notify the bank, preserve evidence, file criminal complaints, submit BTK complaints, make KVKK applications where personal data misuse is involved and consider civil compensation claims. The legal strategy should be evidence-based and should identify the exact failure point in the fraud chain.
Turkish law provides multiple remedies. Criminal law addresses fraud, cybercrime, card misuse and personal data offences. BTK complaints address telecom operator conduct. KVKK complaints address personal data security failures. Consumer arbitration and courts may provide financial remedies depending on the dispute value and legal relationship. Civil courts may award compensation where fault and causation are established.
The most important legal principle is speed combined with proof. In telecom fraud cases, the victim must move quickly, but also preserve every document, screenshot, log, complaint number and transaction record. Operators and banks must also be able to prove that they used adequate verification, security and response procedures.
As mobile numbers continue to function as digital identity tools, telecom fraud will remain a major legal risk in Turkey. Strong identity verification, secure SIM procedures, better authentication methods, careful dealer auditing, effective bank monitoring and clear legal remedies are essential to protect consumers and businesses.
Frequently Asked Questions
What is SIM swap fraud?
SIM swap fraud occurs when a fraudster obtains control of a victim’s mobile number by causing a replacement SIM or eSIM profile to be issued. The fraudster may then receive SMS verification codes and access bank accounts, e-mails or digital platforms.
What should I do first if my phone suddenly loses signal?
You should immediately call your mobile operator from another phone, ask whether a SIM or eSIM replacement occurred, block the line, notify your bank, block mobile banking and preserve all evidence.
Can I file a BTK complaint for SIM swap fraud?
Yes. If the issue involves a telecom operator, unauthorized SIM change, identity misuse, line activation or operator response failure, a BTK complaint may be filed through the e-Government Consumer Complaint Notification System.
Can telecom fraud be a criminal offence in Turkey?
Yes. Depending on the facts, telecom fraud may involve fraud, qualified fraud through information systems or banks, unlawful access to information systems, interference with data, misuse of bank or credit cards, forgery or personal data offences.
Does phishing fall under cybercrime?
Phishing may involve cybercrime, fraud and personal data offences depending on how it is committed. TCK Articles 243 and 244 are among the core cybercrime provisions concerning unlawful access to information systems and interference with systems or data.
Can I claim compensation from the telecom operator?
You may claim compensation if the operator or its dealer failed to verify identity properly, processed an unauthorized SIM change, ignored suspicious activity or failed to respond after notice. Liability depends on evidence, fault and causation.
Can I claim compensation from the bank?
A claim against the bank may be possible if the bank failed to use adequate security, ignored unusual transactions, delayed blocking or did not respond properly to a fraud notification. Each case requires separate legal analysis.
Does KVKK apply to telecom fraud?
Yes. Telecom fraud often involves personal data such as identity numbers, phone numbers, SIM records, IP data and identity documents. If personal data was unlawfully accessed or inadequately protected, KVKK remedies may be relevant.
How quickly must data breaches be notified to KVKK?
The Personal Data Protection Board interprets “as soon as possible” as no later than 72 hours after the data controller becomes aware of the breach, and affected persons must also be notified within a reasonable time.
What evidence is most important in telecom fraud cases?
The most important evidence includes SIM replacement records, operator complaint records, bank transaction logs, SMS messages, call logs, phishing links, screenshots, e-mails, IP logs, identity verification records, dealer information, criminal complaint copies and BTK/KVKK applications.
Yanıt yok