Introduction
Bank and credit card misuse crimes are among the most common financial cybercrime offences in Turkey. As online banking, e-commerce, mobile payments, subscription platforms, digital wallets and contactless payment systems become part of everyday life, criminal misuse of bank cards and credit cards has become a serious legal problem for individuals, companies, banks and payment service providers.
Under Turkish law, the main provision regulating bank and credit card misuse is Article 245 of the Turkish Penal Code No. 5237. This article covers three major categories of conduct: unauthorized use of another person’s genuine bank or credit card, production or circulation of counterfeit bank or credit cards linked to another person’s bank account, and use of a counterfeit or falsified bank or credit card to obtain benefit. The Council of Europe’s cybercrime profile for Turkey also lists Article 245 as one of the core cybercrime provisions of the Turkish Penal Code, together with Articles 243, 244, 245/A and 246.
Although Article 245 is often referred to in practice as “credit card fraud,” it is not limited to traditional card theft. It may apply to online card-not-present transactions, stolen card data, fake payment pages, phishing, card cloning, ATM skimming, unauthorized POS transactions, use of a lost card, use of another person’s card with expired consent, and digital payment schemes involving card credentials.
This article explains bank and credit card misuse crimes under Turkish Penal Code Article 245 from a practical legal perspective. It covers the legal elements, penalties, digital evidence, victim rights, corporate risks, relationship with other cybercrimes and defence strategies in Turkish criminal proceedings.
1. Legal Framework of Turkish Penal Code Article 245
Article 245 is located in the section of the Turkish Penal Code concerning offences in the field of information systems. The provision is designed to protect both individual property interests and the reliability of the banking and card payment system. Legal commentary and the legislative rationale explain that the purpose of the article is to prevent banks, credit institutions, cardholders and card owners from being harmed through unlawful card use and to punish persons who obtain unlawful benefit through such conduct.
The article contains different offences in separate paragraphs. Article 245/1 punishes using or causing another person’s genuine bank or credit card to be used without consent in order to obtain benefit. Article 245/2 punishes producing, selling, transferring, purchasing or accepting counterfeit bank or credit cards linked to another person’s bank account. Article 245/3 punishes obtaining benefit by using a counterfeit or falsified bank or credit card, provided that the conduct does not constitute a separate offence requiring a heavier penalty.
This structure shows that Turkish law does not only punish the final fraudulent payment. It also punishes preparatory and circulation-related conduct involving counterfeit cards. In particular, Article 245/2 is important because the offence may be completed even before a financial benefit is obtained.
2. Unauthorized Use of a Genuine Bank or Credit Card: Article 245/1
Article 245/1 applies where a person acquires or holds another person’s bank or credit card by any means and, without the consent of the cardholder or the person to whom the card should be delivered, uses it or allows it to be used in a way that provides benefit to himself or another person. The statutory penalty is imprisonment from three to six years and a judicial fine up to five thousand days.
The offence has several key elements. First, the card must belong to another person. Second, the offender must acquire or hold the card, regardless of how this happened. Third, the card must be used or caused to be used without valid consent. Fourth, the use must provide benefit to the offender or another person.
The expression “by any means” is important. The card may have been stolen, found, borrowed, mistakenly delivered, retained after a transaction, received through deception or obtained through a relationship of trust. The decisive issue is not always how the card came into the offender’s hands. Even if the card was initially obtained lawfully, criminal liability may arise if it is later used without consent and benefit is obtained. Turkish Court of Cassation reasoning summarized in legal sources emphasizes that the legal or illegal manner of acquiring or holding the card is not decisive for Article 245/1 once the other statutory conditions exist.
For example, if a person finds a lost bank card and uses it for contactless purchases, Article 245/1 may apply. If a courier, employee or bank officer receives a card that should have been delivered to the rightful cardholder and uses it for personal benefit, Article 245/1 may apply. If a person was temporarily allowed to use a card for a specific transaction but then uses it for additional unauthorized purchases, the scope of consent becomes central.
3. The Meaning of Consent in Card Misuse Cases
Consent is one of the most important issues in Article 245/1 cases. The cardholder’s valid consent may exclude criminal liability for authorized use. However, consent must be real, specific and limited to the purpose for which it was given.
A common defence argument is that the cardholder voluntarily gave the card or shared the card information. This may be relevant, but it is not always sufficient. Consent to use a card once does not mean consent to use it repeatedly. Consent to withdraw a specific amount does not authorize a larger withdrawal. Consent to purchase one item does not authorize unrelated purchases. Consent given for business purposes does not necessarily permit private spending.
In practice, courts examine the relationship between the parties, prior card use, messages, bank notifications, transaction amounts, timing, merchant type and whether the cardholder objected immediately. The prosecution must prove that the use was outside the cardholder’s consent and that the accused acted intentionally.
4. Counterfeit Card Production and Circulation: Article 245/2
Article 245/2 punishes producing, selling, transferring, purchasing or accepting counterfeit bank or credit cards linked to another person’s bank account. The penalty is imprisonment from three to seven years and a judicial fine up to ten thousand days.
This paragraph is different from Article 245/1 because it does not require actual use of the card or financial benefit. It targets the creation and circulation of counterfeit cards. The protected legal interest is broader than a single cardholder’s property. It also protects trust in the banking system, payment infrastructure and card-based commercial life.
Examples may include producing cloned cards using stolen magnetic stripe data, selling counterfeit cards, purchasing cards created with another person’s account information, accepting fake cards for later use, or transferring counterfeit cards to other members of a criminal network.
Article 245/2 is often relevant in organized carding schemes. The investigation may involve blank card stock, magnetic stripe readers and writers, POS terminal records, ATM footage, card embossing equipment, stolen card datasets, skimming devices and digital files containing card credentials. Even if no purchase is successfully made, possession or transfer of counterfeit cards may create serious criminal exposure if the statutory elements are proven.
5. Using a Counterfeit or Falsified Card: Article 245/3
Article 245/3 punishes obtaining benefit by using a counterfeit or falsified bank or credit card. The penalty is imprisonment from four to eight years and a judicial fine up to five thousand days, provided that the act does not constitute another offence requiring a heavier penalty.
This provision is relevant where the offender uses a fake, cloned, altered or manipulated card to make purchases, withdraw money, obtain services or create another financial benefit. Unlike Article 245/2, Article 245/3 requires benefit. If the offender attempts to use a counterfeit card but the transaction is rejected before any benefit is obtained, attempt provisions may be discussed depending on the concrete facts.
Article 245/3 may overlap with forgery, fraud, unauthorized access, system interference or money laundering. The phrase “provided that the act does not constitute another offence” requires careful legal classification. In complex cases, the court must determine whether Article 245/3 alone applies or whether another offence with a heavier penalty should be considered.
6. Penalties Under Article 245
The penalty framework under Article 245 is severe. Unauthorized use of another person’s genuine card under Article 245/1 is punishable by three to six years of imprisonment and a judicial fine up to five thousand days. Counterfeit card production or circulation under Article 245/2 is punishable by three to seven years of imprisonment and a judicial fine up to ten thousand days. Use of a counterfeit or falsified card to obtain benefit under Article 245/3 is punishable by four to eight years of imprisonment and a judicial fine up to five thousand days.
These penalty ranges show that Turkish law treats card misuse as a serious offence. The reason is that bank and credit card misuse does not only harm the direct victim. It also undermines confidence in payment systems, banking transactions, e-commerce and digital financial services.
The amount of unlawful benefit, number of transactions, number of victims, use of counterfeit cards, organized conduct, use of phishing or malware, and connection with other offences may all affect the practical seriousness of the case.
7. Personal Non-Punishment Grounds and Effective Remorse
Article 245 contains specific rules for certain close family relationships, but these rules apply only to the first paragraph. No penalty is imposed where the Article 245/1 offence is committed to the detriment of a spouse where no legal separation decree exists, a direct ancestor or descendant, a direct in-law, adoptive parent or adopted child, or a sibling living in the same dwelling.
This rule is a personal non-punishment ground. It does not mean that the act is lawful; rather, the law chooses not to impose punishment in the listed family situations. Legal sources also emphasize that this ground applies to Article 245/1 and not to the other paragraphs concerning counterfeit card production, circulation or use.
Article 245/5 provides that effective remorse provisions relating to property offences apply to acts within the scope of Article 245/1. In practical terms, compensation of the damage or return of the benefit may have an impact on the sentence if the statutory conditions are met.
8. Online Card Fraud and Card-Not-Present Transactions
Modern Article 245 cases frequently involve online transactions rather than physical card use. A person may obtain card information through phishing, fake payment pages, data breaches, malware, social engineering, stolen databases or unauthorized screenshots. The card itself may never be physically possessed, but the card number, expiry date, CVV code or authentication information may be used for online purchases.
In Turkish criminal law practice, use of card credentials without consent may still be evaluated under Article 245 where the act corresponds to misuse of a bank or credit card. Online purchases, digital subscriptions, food delivery orders, marketplace transactions, hotel reservations, flight tickets and gaming credits may all become evidence in a card misuse investigation.
The investigation usually focuses on transaction details: merchant records, IP addresses, device identifiers, delivery addresses, phone numbers, e-mail addresses, bank logs, SMS verification records and whether the suspect benefited from the transaction. If goods were delivered, cargo records and camera footage may become highly important.
9. Relationship Between Article 245 and Phishing
Phishing is often the method used to obtain card data. A victim may receive a fake bank SMS, cargo message, e-commerce payment link, social media advertisement, public authority notification or fake customer service message. After entering card details into a fake page, the victim’s information may be used for unauthorized transactions.
Phishing may trigger multiple offences. If the victim is deceived into sharing information or transferring money, fraud or qualified fraud may be considered. If the offender enters the victim’s online banking account, Article 243 on unlawful access may arise. If data is transferred or altered, Article 244 may become relevant. If the offender uses the victim’s bank or credit card information to obtain benefit, Article 245 may apply.
Therefore, a well-prepared complaint should not merely state that “my card was used.” It should explain how the card information was obtained, whether the victim entered data into a fake page, whether online banking was accessed, whether SMS approval was manipulated and whether any other accounts were compromised.
10. Relationship Between Article 245 and Fraud
Bank and credit card misuse is closely related to fraud, but the offences are not identical. Fraud focuses on deception and inducement of the victim. Article 245 focuses on misuse of a bank or credit card.
For example, if a person deceives a victim into transferring money by pretending to be a bank officer, the main offence may be fraud or qualified fraud. If the same person then uses the victim’s card information to make purchases, Article 245 may also be relevant. If the card was physically stolen and used without any deception of the cardholder, Article 245 may be the central offence.
Turkish legal sources discussing Court of Cassation reasoning note that Article 245/1 is not treated as a compound offence that absorbs all other crimes. Where the card is obtained through acts such as theft, robbery or fraud, those offences may be separately considered together with Article 245 if their elements are met.
This is important for both prosecution and defence. The prosecution may allege multiple offences arising from the same incident. The defence should examine whether each alleged offence has independent elements and whether the rules on concurrence have been correctly applied.
11. Digital Evidence in Article 245 Cases
Digital and financial evidence is usually decisive in bank and credit card misuse cases. The most important evidence may include bank transaction records, card authorization logs, POS records, ATM footage, merchant data, IP addresses, delivery addresses, phone numbers, device identifiers, SMS verification records, e-mail accounts, cargo records, CCTV footage, marketplace profiles and payment gateway logs.
In online transactions, merchant records may show the order date, delivery address, recipient name, phone number, IP address, e-mail address and device data. Bank records may show whether 3D Secure authentication was used, whether SMS verification was sent, which phone number was registered, and whether the transaction was approved or flagged as suspicious.
For physical card use, camera footage may be essential. ATM withdrawals, POS transactions, contactless payments and store purchases may be supported by CCTV. Time synchronization between transaction records and footage must be carefully checked.
Forensic examination of phones and computers may also be relevant. Investigators may search for saved card numbers, screenshots of card information, phishing panels, fake payment pages, order confirmations, delivery messages, bank notifications or communication with other suspects.
12. Victim Rights in Bank and Credit Card Misuse Cases
Victims should act immediately after discovering unauthorized card use. The first step is to notify the bank and block the card. The victim should object to unauthorized transactions, request written transaction details and preserve SMS messages, e-mails, bank notifications and screenshots.
A criminal complaint should be filed with the public prosecutor’s office. The complaint should include the cardholder’s identity, the card type, transaction dates, merchant names, transaction amounts, suspected persons if any, bank objection records and all available digital evidence.
A strong complaint should request collection of bank records, merchant records, IP logs, delivery records, phone registration information, camera footage and device evidence. If goods were purchased online, the prosecutor should be asked to identify the delivery address and recipient. If money was withdrawn from an ATM, CCTV should be requested quickly before it is deleted.
Speed is critical because some evidence is retained only for limited periods. Camera footage may be overwritten, platform logs may become unavailable, and goods may be moved or resold.
13. Corporate and Banking Risks
Companies may become victims of Article 245-related conduct when corporate cards are misused by employees, contractors, former employees or third parties. Corporate cards may be used outside authorization, for personal purchases, after employment termination or through stolen card credentials.
Banks, payment institutions and e-commerce companies may also be involved as evidence holders. Their transaction logs, fraud detection reports, chargeback records, device fingerprinting data and merchant records may determine the outcome of the case.
Companies should implement internal policies for corporate card use. These policies should define authorized expenses, approval limits, documentation duties, prohibited transactions, reporting obligations and consequences of misuse. Employee termination procedures should include cancellation or return of corporate cards and review of recent transactions.
E-commerce businesses should also maintain reliable transaction records. In fraud investigations, merchant-side evidence may be essential for proving delivery, device information, customer communication and payment authorization.
14. Personal Data and Card Misuse
Bank and credit card misuse cases often involve personal data. Card numbers, account details, phone numbers, identity information, addresses, transaction history, e-mail addresses and device information may all constitute personal data depending on the context.
If card data is obtained through a data breach affecting a company, the matter may also trigger obligations under Turkish personal data protection law. The Personal Data Protection Board’s Decision No. 2019/10 interprets the “shortest time” notification requirement for data breaches as requiring notification to the Board without delay and no later than 72 hours after becoming aware of the breach.
Therefore, a card misuse incident may require parallel action: criminal complaint against the perpetrator, bank transaction objection, internal forensic investigation, data breach assessment and possible notification procedures if personal data held by a data controller was unlawfully obtained.
15. Defence Strategies in Article 245 Cases
Defence in Article 245 cases must address both legal elements and evidence. Since card misuse cases often rely on bank records, phone data, delivery addresses and IP logs, technical and factual analysis is essential.
Common defence arguments include lack of consent being unproven, the accused not being the person who used the card, the cardholder having authorized the transaction, the bank account or delivery address being used by another person, the phone number being registered but not actually controlled by the accused, the accused being a money mule without knowledge, lack of benefit, incomplete merchant records, unreliable IP attribution, or incorrect legal classification.
For Article 245/1, the prosecution must prove unauthorized use and benefit. For Article 245/2, the prosecution must prove that the accused produced, sold, transferred, purchased or accepted a counterfeit card linked to another person’s bank account. For Article 245/3, the prosecution must prove use of a counterfeit or falsified card and actual benefit.
If goods were delivered to an address connected to the accused, the defence should examine who lived there, who received the package, whether identity was checked, whether camera footage exists and whether the accused actually ordered the goods. If the allegation relies on an IP address, the defence should examine whether the network was shared, whether VPN was used, whether the device was identified and whether timestamps are consistent.
16. Attempt, Multiple Transactions and Participation
Article 245 cases may involve attempt, chain offences and participation. If an offender tries to use a card but the transaction is declined before benefit is obtained, attempt may be discussed. If the same card is used multiple times against the same victim under one criminal decision, chain offence rules may become relevant. If multiple cards belonging to different victims are used, separate offences may arise depending on the facts.
Participation is also common. One person may obtain the card data, another may create the fake payment page, another may place online orders, another may receive the goods, and another may withdraw or transfer money. Turkish criminal law rules on joint perpetration, aiding and abetting, and instigation may become important.
The defence should therefore carefully distinguish between direct use, assistance, knowledge, benefit and mere association. Being present in communication with a suspect is not automatically enough. The prosecution must establish the role and intent of each accused person.
17. Difference Between Civil Dispute and Criminal Misuse
Not every card-related dispute is a crime. For example, a person may claim that a family member exceeded permission, an employee used a corporate card for questionable expenses, or a business partner made disputed payments. The key issue is whether the statutory elements of Article 245 are present: unauthorized use, intent and benefit.
If a cardholder voluntarily authorized a transaction and later regrets it, criminal liability may not arise. If the dispute concerns reimbursement, expense classification or breach of internal policy, the matter may be civil, employment-related or disciplinary rather than criminal. However, if the card was used outside consent and benefit was obtained, Article 245 may be relevant.
The distinction depends on evidence: messages, expense approvals, card policies, prior practice, invoices, bank records and witness statements.
18. Practical Checklist for Victims
A victim of bank or credit card misuse in Turkey should take the following steps:
Block the card immediately.
Notify the bank in writing.
Object to unauthorized transactions.
Preserve SMS and e-mail alerts.
Take screenshots of online banking records.
Request transaction details from the bank.
Identify merchants and transaction times.
Preserve delivery or cargo information if available.
File a criminal complaint quickly.
Request bank, merchant, IP, phone and camera records.
Change passwords and enable two-factor authentication.
Check whether other accounts were compromised.
If personal data may have been leaked, assess data protection remedies.
The sooner these steps are taken, the stronger the chance of identifying the perpetrator and preserving evidence.
19. Why Legal Assistance Is Important
Article 245 cases can be technically complex. A victim may know that a card was used unlawfully but may not know how to identify the perpetrator. A bank may require a formal objection process. A merchant may hold critical delivery information. Camera footage may be deleted quickly. A suspect may be wrongly accused because goods were delivered to a shared address or because a phone number was misused.
A Turkish cybercrime lawyer can assist with criminal complaints, bank objections, evidence preservation, merchant and platform requests, compensation claims, defence petitions, expert objections and related personal data issues. In complex cases, legal strategy should be coordinated with digital forensic analysis.
Conclusion
Bank and credit card misuse crimes under Turkish Penal Code Article 245 are serious financial cybercrime offences. Article 245/1 punishes unauthorized use of another person’s genuine bank or credit card to obtain benefit. Article 245/2 punishes production, sale, transfer, purchase or acceptance of counterfeit cards linked to another person’s bank account. Article 245/3 punishes obtaining benefit through the use of counterfeit or falsified cards.
These offences may arise in many modern scenarios, including phishing, online shopping fraud, card cloning, ATM skimming, fake payment pages, unauthorized corporate card use, stolen card data, contactless purchases and digital wallet misuse. Depending on the facts, Article 245 may overlap with fraud, unauthorized access, system interference, personal data crimes and money laundering.
For victims, fast action is essential: block the card, notify the bank, preserve evidence and file a detailed criminal complaint. For suspects, the defence must focus on consent, intent, benefit, digital attribution and correct legal classification. For companies, card misuse prevention requires clear policies, transaction monitoring, secure payment systems and incident response procedures.
In Turkey’s digital financial environment, bank and credit card misuse is not merely a private banking dispute. It is a criminal law matter that can carry significant imprisonment and judicial fine risks. A careful legal strategy under Turkish Penal Code Article 245 can determine whether the case is effectively investigated, properly defended and fairly resolved.
Yanıt yok