Cyber Fraud in Turkey: Online Scams, Phishing and Criminal Liability

Introduction

Cyber fraud in Turkey has become one of the most common and financially damaging forms of modern criminal activity. As banking, shopping, investment, communication, public services and business transactions increasingly move online, fraudsters use digital tools to deceive individuals and companies. These schemes may involve fake websites, phishing messages, social media scams, fake investment platforms, online marketplace fraud, business e-mail compromise, impersonation of banks or public authorities, fake cargo links, fake lawyer messages, cryptocurrency scams and unauthorized banking transactions.

Under Turkish law, cyber fraud is not limited to one single article. Depending on the facts, the conduct may fall under fraud, qualified fraud, unauthorized access to information systems, system interference, misuse of bank or credit cards, unlawful acquisition of personal data, blackmail, forgery or money laundering. The most important provisions are found in the Turkish Penal Code No. 5237, especially Articles 157, 158, 243, 244 and 245.

The basic fraud offence under Article 157 of the Turkish Penal Code punishes a person who deceives another through fraudulent acts and obtains benefit by causing damage to the victim or another person, with imprisonment from one to five years and a judicial fine up to five thousand days. Where fraud is committed by using information systems, banks or credit institutions as instruments, Article 158/1-f becomes relevant, and the offence becomes qualified fraud with heavier penalties.

This article explains cyber fraud in Turkey from a legal and practical perspective. It covers online scams, phishing, business e-mail compromise, criminal liability, penalties, evidence collection, victim remedies, corporate risks and defence strategies.

1. What Is Cyber Fraud Under Turkish Law?

Cyber fraud is generally a fraud scheme committed through digital tools. The core of the offence is deception. The perpetrator uses misleading digital conduct to induce the victim to transfer money, disclose banking information, share credentials, deliver goods, approve a transaction or take another action that causes financial loss.

The digital method may vary. A fraudster may create a fake bank website, send a fake SMS message, impersonate a cargo company, use a social media profile to sell non-existent goods, create a fake investment platform, manipulate an e-mail conversation between companies or pretend to be a public officer. The legal classification depends on how the deception was committed and what result was obtained.

Cyber fraud differs from simple hacking. Hacking usually involves unauthorized access to a system. Cyber fraud usually involves deceiving a person. However, the two often overlap. For example, a fraudster may first hack into a company e-mail account and then send fake payment instructions to a customer. In that situation, both unauthorized access and qualified fraud may be considered.

2. Basic Fraud and Qualified Cyber Fraud

Article 157 of the Turkish Penal Code defines the basic form of fraud. The essential elements are fraudulent conduct, deception of the victim, financial loss and unlawful benefit. In cyber fraud cases, fraudulent conduct may be created through websites, e-mails, SMS messages, fake advertisements, fake invoices, social media accounts, mobile applications or online payment screens.

Article 158 regulates qualified forms of fraud. One of the most important provisions for cyber fraud is Article 158/1-f, which covers fraud committed by using information systems, banks or credit institutions as instruments. The current text provides imprisonment from three to ten years and a judicial fine up to five thousand days for qualified fraud; however, for the forms listed in subparagraphs including 158/1-f, the lower limit of imprisonment cannot be less than four years and the judicial fine cannot be less than twice the benefit obtained from the crime.

This provision is particularly relevant to phishing, fake online banking pages, e-commerce scams, fake payment links, fraudulent investment platforms, business e-mail compromise and scams involving bank transfers. The rationale is clear: information systems and banking institutions provide speed, anonymity, scale and credibility to fraud schemes. This makes digital fraud more dangerous than many traditional forms of deception.

3. Phishing in Turkey

Phishing is one of the most common cyber fraud methods in Turkey. In a phishing scheme, the victim is deceived into sharing confidential information such as passwords, credit card details, internet banking credentials, identity numbers, verification codes or personal data. The fraudster may send a fake bank message, cargo notification, social media verification warning, tax refund message, court notification, fake e-government link or fake company invoice.

Phishing may be committed through SMS, e-mail, WhatsApp, Telegram, social media messages, fake websites or malicious links. The victim may believe that the message comes from a bank, cargo company, public authority, lawyer, employer, marketplace platform or known business partner.

Under Turkish law, phishing usually constitutes qualified fraud if the deceptive conduct causes the victim to suffer financial loss and allows the perpetrator to obtain unlawful benefit through information systems or banking channels. If the fraudster also accesses the victim’s account, Article 243 on unauthorized access may apply. If data is deleted, changed, transferred or made inaccessible, Article 244 may also become relevant. Turkish cybercrime practice recognizes that phishing, ransomware and business e-mail compromise are common cybercrime methods, and fraud involving information systems, banks or credit institutions may lead to four to ten years of imprisonment and a judicial fine that cannot be less than twice the unlawful benefit.

4. Business E-Mail Compromise and Fake Invoice Fraud

Business e-mail compromise is a highly dangerous form of cyber fraud targeting companies. In these cases, the fraudster may hack or imitate a company e-mail address, monitor correspondence and then send fraudulent payment instructions. The message often appears to come from a supplier, customer, director, accountant, shipping company or business partner.

A common scenario is fake invoice fraud. The fraudster changes the bank account details on an invoice and convinces the company to transfer money to the wrong account. Another scenario involves impersonating a company executive and requesting an urgent payment. These scams are effective because they exploit existing business trust and time pressure.

Under Turkish criminal law, business e-mail compromise may involve several offences at the same time. If the perpetrator hacked into an e-mail account, Article 243 may apply. If correspondence or data was altered, Article 244 may apply. If the victim was deceived into transferring money, Article 158/1-f qualified fraud may apply. If personal data or trade secrets were obtained, additional offences may also arise.

For companies, the most important practical step is speed. The sending bank and receiving bank should be notified immediately. A criminal complaint should be filed quickly. The prosecutor may request banking records and, where legal conditions are met, freezing or seizure measures may be considered. Early action may prevent the money from being withdrawn or transferred through multiple accounts.

5. Fake Online Shopping and Marketplace Scams

Online marketplace fraud is another common form of cyber fraud in Turkey. Fraudsters may advertise non-existent phones, computers, vehicles, furniture, rental homes, electronics or luxury goods. They may request advance payment, deposit or shipping fees and then disappear. Sometimes they use stolen photos, fake invoices, fake cargo receipts or copied business identities.

In such cases, the legal issue is whether the conduct is merely a civil dispute or criminal fraud. Not every failure to deliver goods is automatically fraud. A criminal offence requires deceptive conduct existing at or before the transaction. If the seller never intended to deliver the product and used a fake identity, fake documents, false advertisements or systematic deception, criminal fraud may arise. If the dispute is only about defective performance or delayed delivery in a genuine commercial relationship, civil or consumer law remedies may be more appropriate.

The distinction is critical. Prosecutors and courts examine the seller’s identity, prior complaints, whether the product existed, whether the advertisement was fake, whether the bank account belongs to the seller, whether communication was deceptive and whether there was a pattern of similar conduct.

6. Fake Investment and Cryptocurrency Scams

Fake investment platforms and cryptocurrency scams have increased significantly in recent years. Fraudsters may create professional-looking websites, mobile applications or social media pages promising high returns from cryptocurrency, forex, artificial intelligence trading, gold or stock investments. Victims are often shown fake profit screens to encourage further deposits. When the victim requests withdrawal, the platform may demand additional taxes, commissions or verification fees.

These cases may involve qualified fraud under Article 158/1-f because information systems and banking channels are used as instruments of deception and money transfer. If the platform collects personal data, identity documents, wallet information or banking credentials, personal data offences may also be relevant. If the scheme is organized and targets many victims, criminal organization allegations may arise depending on the structure.

For victims, preserving evidence is essential. Screenshots of the platform, payment receipts, wallet addresses, bank transfer records, correspondence, phone numbers, domain information and identity documents shared with the platform should be collected. Delay may make tracing funds more difficult, especially where cryptocurrency wallets or foreign accounts are involved.

7. Online Banking Fraud and Unauthorized Transfers

Online banking fraud may occur when a fraudster obtains the victim’s credentials, SIM card access, verification codes or device access and transfers money from the victim’s account. These cases may include phishing, malware, social engineering, fake bank calls, fake customer service numbers or remote access applications.

The legal classification may vary. If the victim was deceived into sharing credentials or approving a transfer, qualified fraud may apply. If the perpetrator used the victim’s bank or credit card without consent, Article 245 may be relevant. If the perpetrator unlawfully entered an online banking system or account, Article 243 may also be considered. If data was altered or transferred, Article 244 may arise.

The Council of Europe’s cybercrime profile for Turkey notes that the National Cybercrime Department of the Turkish National Police investigates cybercrime offences and provides forensic expertise where technology is a significant factor in crime or evidence. It also notes that criminal investigations are directed by the prosecution service with technical support from police authorities.

8. Relationship Between Cyber Fraud and Unauthorized Access

Cyber fraud and unauthorized access often appear together, but they are legally distinct. Fraud focuses on deception and unlawful benefit. Unauthorized access focuses on entering or remaining in an information system without permission.

For example, if a fraudster creates a fake cargo website and deceives the victim into paying a fake fee, the main offence may be qualified fraud. If the fraudster also obtains the victim’s e-mail password and enters the account, Article 243 may be added. If the fraudster changes passwords, deletes messages, transfers data or blocks access, Article 244 may also become relevant.

Article 243 of the Turkish Penal Code punishes unlawful access to an information system, or remaining there, with imprisonment up to one year or a judicial fine. Article 244 punishes preventing a system from operating, deleting, altering or corrupting data, making data inaccessible, inserting data or transferring data elsewhere, with heavier penalties depending on the act and target system.

This distinction matters in criminal complaints and defence petitions. A properly prepared complaint should not simply state “I was defrauded.” It should explain whether there was deception, unauthorized access, data transfer, account takeover, bank card misuse or personal data violation.

9. Personal Data and Cyber Fraud

Cyber fraud usually involves personal data. Fraudsters may collect names, identity numbers, phone numbers, addresses, credit card details, passwords, bank account numbers, signatures, passport copies or biometric information. Personal data may be used to open accounts, create fake profiles, pass verification checks or commit further fraud.

The Personal Data Protection Law No. 6698 (KVKK) was enacted to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing. The official English translation of the law confirms that it was published in the Official Gazette on 7 April 2016. Where processed personal data is obtained by others through unlawful means, data controllers may have notification and security obligations under KVKK.

For companies, this means a cyber fraud incident may not be only a criminal matter. If customer or employee data is compromised, the company may need to assess whether a personal data breach occurred. It may also need to preserve logs, conduct forensic review, notify relevant persons and evaluate whether notification to the Personal Data Protection Board is required.

10. Law No. 5651 and Fraudulent Online Content

Some cyber fraud schemes operate through websites, fake advertisements, fake social media pages or fraudulent online content. In such cases, Law No. 5651 may become important for content removal, access blocking and provider-related obligations.

Law No. 5651 regulates internet actors such as content providers, hosting providers, access providers and public use providers. Hosting providers may be required to remove unlawful content after being informed under the relevant procedures, and access providers have obligations concerning blocking access and retaining traffic information.

For victims, this means that a criminal complaint may not be enough. If a fake website continues to deceive people, urgent steps may be needed to remove content, block access, notify platforms, contact domain registrars or request preservation of traffic records.

11. Cybersecurity Law and Corporate Compliance

Cyber fraud is also a corporate compliance issue. The Cybersecurity Law No. 7545 entered into force following its publication in the Official Gazette on 19 March 2025 and aims to protect public institutions, individuals and private sector entities from cyber threats while establishing broader cybersecurity policies and strategies.

Although traditional criminal liability for fraud remains under the Turkish Penal Code, companies now operate in a more regulated cybersecurity environment. Businesses that provide services through information systems should treat fraud prevention, incident response, log management, employee training, authentication controls, payment approval procedures and vendor security as legal risk management.

A company that fails to implement basic controls may suffer not only financial loss but also regulatory, contractual and reputational consequences. This is especially important for banks, payment institutions, e-commerce platforms, logistics companies, technology providers, law firms, healthcare providers and companies processing large volumes of personal data.

12. Digital Evidence in Cyber Fraud Cases

Digital evidence is the backbone of cyber fraud investigations. The most important evidence may include:

  • bank transfer receipts;
  • IBAN and account holder information;
  • e-mail headers;
  • SMS messages;
  • WhatsApp and Telegram correspondence;
  • screenshots of fake websites;
  • domain registration information;
  • IP logs;
  • device records;
  • phone numbers;
  • call records;
  • cargo receipts;
  • marketplace advertisements;
  • payment page screenshots;
  • cryptocurrency wallet addresses;
  • platform account records;
  • security camera footage;
  • internal company approval records.

However, screenshots alone may be insufficient. They should be supported by metadata, bank records, platform responses, e-mail headers, server logs, notarial determinations where appropriate and expert reports. In corporate cases, forensic imaging of affected devices and preservation of logs may be critical.

Timing is extremely important. Fraudsters often move funds quickly through multiple accounts. Websites may disappear. Domain records may change. Messages may be deleted. Bank accounts may be emptied. Therefore, victims should act immediately after discovering the fraud.

13. Victim Rights in Cyber Fraud Cases

A victim of cyber fraud in Turkey may file a criminal complaint before the public prosecutor’s office. The complaint should be detailed, chronological and evidence-based. It should identify the fraudulent act, explain how the victim was deceived, show the financial loss, identify bank accounts or phone numbers used by the perpetrator and request urgent evidence collection.

A strong criminal complaint should request:

  1. Identification of the account holder receiving the funds.
  2. Collection of bank records and transaction history.
  3. Preservation of IP logs and traffic records.
  4. Examination of phone numbers, e-mail addresses and devices.
  5. Identification of domain owners, hosting providers and platform accounts.
  6. Freezing or seizure of suspicious funds where legal conditions exist.
  7. Digital forensic examination.
  8. Investigation of qualified fraud, unauthorized access, bank card misuse and personal data offences where applicable.

Victims should also notify their bank immediately, file transaction objections, block cards, change passwords, enable two-factor authentication and preserve all communications.

14. Can Victims Recover Their Money?

Money recovery depends on speed, evidence and whether funds can be traced. In many cases, fraudsters withdraw or transfer money shortly after receiving it. If the receiving account is identified quickly, banks and prosecution authorities may take steps to block or seize funds where legal conditions are met.

Civil remedies may also be considered. Victims may file compensation claims against perpetrators. In some cases, claims may also arise against intermediaries, companies or service providers if there is a legal basis for responsibility. However, liability of banks or platforms must be evaluated carefully according to the facts, security measures, transaction approval process, victim conduct and applicable regulations.

The most practical advice is simple: the first hours matter. Immediate bank notification and a criminal complaint may increase the chance of freezing funds before they disappear.

15. Defence Strategies in Cyber Fraud Allegations

Cyber fraud defence requires careful analysis of both criminal law and technical evidence. A person may be accused because money entered their bank account, because a phone number was registered in their name, because an IP address appears in logs or because they communicated with the victim. These facts may be important, but they do not automatically prove criminal intent.

Common defence arguments include:

  • lack of fraudulent intent;
  • the accused did not create or control the fake account;
  • the bank account was used by another person;
  • the accused was also deceived as a money mule;
  • no deceptive conduct was committed by the accused;
  • the dispute is civil or commercial, not criminal;
  • the victim’s transfer was based on a genuine transaction;
  • digital evidence does not prove personal participation;
  • IP or device records are inconclusive;
  • there is no causal link between the accused and the loss;
  • the legal classification is incorrect.

In cyber fraud cases, the prosecution must prove deception, causation, benefit, damage and intent. The defence should examine whether these elements are actually established.

16. Money Mules and Bank Account Use

Many cyber fraud schemes use “money mule” accounts. A money mule is a person whose bank account is used to receive and transfer criminal proceeds. Some money mules knowingly participate in fraud. Others may be deceived by fake job offers, commission promises or “payment agent” schemes.

Under Turkish law, the use of a person’s bank account in a fraud scheme is a serious risk. If the person knowingly allowed the account to be used, criminal liability may arise. If the person was deceived and did not know the criminal purpose, the defence must show lack of intent and lack of participation.

Evidence such as messages with the real organizer, bank movements, commission payments, withdrawal records, ATM footage, account opening details and phone records may become decisive.

17. Corporate Prevention Measures Against Cyber Fraud

Companies should implement strong internal controls against cyber fraud. Recommended measures include:

  • two-person approval for large payments;
  • phone verification of changed bank account details;
  • strict vendor onboarding procedures;
  • employee training on phishing;
  • domain monitoring;
  • multi-factor authentication;
  • e-mail security tools;
  • clear payment authorization policies;
  • regular password updates;
  • incident response plans;
  • legal review of suspicious transactions;
  • preservation of logs;
  • cyber insurance review.

A company should never change supplier bank details based only on an e-mail. Payment changes should be confirmed through a trusted phone number already in company records, not through the number stated in the suspicious e-mail.

18. Why Legal Assistance Is Important

Cyber fraud cases move quickly and require coordinated legal and technical action. A victim may lose the opportunity to freeze funds if the complaint is delayed or incomplete. A company may destroy digital evidence during an internal investigation. A suspect may face serious criminal charges because their bank account or phone number was used by others.

A Turkish cyber fraud lawyer can assist with criminal complaints, urgent bank communication, evidence preservation, digital forensic coordination, compensation claims, defence petitions, expert objections, KVKK assessment and content removal requests.

The most effective strategy is usually interdisciplinary. Criminal law, banking records, digital forensics, cybersecurity, data protection and civil compensation must be evaluated together.

Conclusion

Cyber fraud in Turkey is a serious criminal law issue involving online scams, phishing, fake investment platforms, business e-mail compromise, online banking fraud, fake shopping pages and identity-based deception. The core offence is fraud under Article 157 of the Turkish Penal Code, while many digital schemes fall under qualified fraud under Article 158/1-f because information systems, banks or credit institutions are used as instruments.

Depending on the facts, cyber fraud may also involve unauthorized access under Article 243, system interference under Article 244, misuse of bank or credit cards under Article 245, personal data offences, Law No. 5651 remedies, KVKK obligations and corporate cybersecurity responsibilities.

For victims, speed and evidence are critical. The bank should be notified, a criminal complaint filed and logs preserved immediately, and screenshots, transaction records and platform data should be collected at the same time. For companies, cyber fraud prevention must be part of corporate governance. For suspects, defence must focus on intent, participation, digital attribution and correct legal classification.

In the digital economy, fraud is no longer limited to face-to-face deception. A fake link, a manipulated invoice, a cloned website or a single phishing message can cause serious financial harm. Turkish law provides strong criminal remedies, but effective results depend on fast action, precise evidence and a carefully structured legal strategy.
