Introduction
Online banking fraud in Turkey has become one of the most common and financially damaging forms of cybercrime. As individuals and companies increasingly use mobile banking, internet banking, digital wallets, payment institutions, electronic money services and online investment platforms, criminals use more sophisticated methods to obtain banking credentials, manipulate victims, bypass verification processes and transfer money without lawful authorization.
Unauthorized money transfers may occur through phishing links, fake bank messages, SIM swap schemes, malware, remote access applications, business e-mail compromise, stolen passwords, fake customer service calls, social engineering, compromised mobile devices, mule bank accounts or fraudulent payment instructions. In many cases, the victim discovers the fraud only after money has already left the account and moved through several recipient accounts.
Under Turkish law, online banking fraud may involve several criminal provisions at the same time. The most important are qualified fraud under Turkish Penal Code Article 158/1-f, unauthorized access to information systems under Article 243, system interference and data transfer under Article 244, and misuse of bank or credit cards under Article 245. The Council of Europe identifies Article 158/1-f as computer and communications fraud and Articles 243, 244, 245 and 245/A as core cybercrime provisions under Turkish law.
This article explains online banking fraud in Turkey from a practical legal perspective. It covers criminal liability, bank objections, victim remedies, digital evidence, urgent steps after unauthorized transfers, compensation claims, corporate online banking fraud, data protection obligations and defence strategies.
1. What Is Online Banking Fraud?
Online banking fraud is a deceptive or unauthorized act involving digital banking channels. The offender may directly access the victim’s bank account, deceive the victim into approving a transaction, use stolen credentials, manipulate the victim into sharing verification codes, or redirect payments through fraudulent instructions.
Common examples include:
Phishing messages imitating banks.
Fake bank security calls.
Malicious mobile applications.
Remote access software installed on the victim’s phone.
SIM swap attacks used to receive SMS verification codes.
Business e-mail compromise and fake invoice payment instructions.
Unauthorized EFT, FAST or wire transfers.
Fraudulent credit card or debit card transactions.
Fake investment platforms requesting bank transfers.
Money mule accounts receiving fraud proceeds.
Corporate payment redirection through manipulated e-mails.
The key legal issue is whether the transfer was made through deception, unauthorized access, misuse of bank data, or manipulation of information systems. The correct legal classification depends on the exact method used.
2. Qualified Fraud Through Information Systems and Banks
In many online banking fraud cases, the central offence is qualified fraud. Article 158/1-f of the Turkish Penal Code concerns fraud committed by using information systems, banks or credit institutions as instruments. Legal commentary on cyber fraud in Turkey states that cyber fraud committed through software systems, banks or credit institutions is treated as an aggravated form of fraud and may be punishable by imprisonment from four to ten years and a judicial fine up to five thousand days, not less than twice the benefit obtained from the offence.
Online banking fraud commonly falls within this aggravated structure because the offender uses digital systems and banking channels to deceive the victim and obtain unlawful benefit. For example, if a fraudster sends a fake bank SMS and the victim enters credentials into a fake website, the deception is carried out through information systems. If the fraudster then transfers money through banking channels, banks and payment infrastructure become part of the offence mechanism.
Qualified fraud may arise where:
The victim is deceived by a fake bank website.
The victim is persuaded to transfer money to a fraudulent account.
The fraudster impersonates bank personnel.
Fake security warnings lead the victim to approve a transaction.
A company pays a fake invoice due to manipulated e-mail correspondence.
A fake investment platform causes the victim to make bank transfers.
For a strong criminal complaint, the victim should clearly explain the deception: what message was received, what link was clicked, who called, what representation was made, what transaction followed, and which account received the money.
3. Unauthorized Access to Online Banking Accounts
Some online banking fraud cases involve direct unauthorized access. If the offender uses stolen credentials, phishing data, malware, SIM swap information or remote control tools to enter the victim’s mobile or internet banking account, Article 243 of the Turkish Penal Code may apply.
Article 243 is identified in Turkey’s cybercrime framework as illegal access to a computer network system. It may be relevant even before money is transferred. The offence focuses on unlawful entry into an information system or remaining there without authorization.
For example, if a fraudster obtains a victim’s mobile banking password and logs into the account, Article 243 may be discussed. If the fraudster changes settings, transfers data, deletes notifications, adds a new recipient, or executes unauthorized transactions, Article 244 may also become relevant.
Evidence of unauthorized access may include:
Bank login records.
IP addresses.
Device identifiers.
Mobile banking session logs.
Password reset records.
SMS verification records.
SIM replacement records.
Bank security notifications.
App installation records.
Remote access application logs.
A criminal complaint should request these records urgently because logs may be retained for limited periods and may be essential for identifying the perpetrator.
4. System Interference, Data Transfer and Article 244
Article 244 of the Turkish Penal Code covers more serious interference with information systems and data. The official English text provides that a person who deletes, alters, corrupts or bars access to data, installs data into a system or sends existing data elsewhere may be punished with imprisonment from six months to three years; where the offence is committed in relation to a bank or credit institution’s system, the penalty is increased by one half.
In online banking fraud cases, Article 244 may become relevant where the offender manipulates digital banking data, changes recipient information, transfers account data, prevents access, installs malicious software or interferes with banking system operation.
Examples include:
Changing registered phone numbers or e-mail addresses.
Adding fraudulent recipients.
Deleting bank notifications.
Using malware to intercept banking credentials.
Transferring account data to another person.
Manipulating transaction records.
Preventing the victim from accessing the account.
Installing unauthorized software to control mobile banking.
The distinction between Article 243 and Article 244 is important. Article 243 concerns unauthorized access. Article 244 concerns interference with data or system functionality. If the offender only enters the account, Article 243 may be the main offence. If the offender manipulates data or executes transfers through system interference, Article 244 may also apply.
5. Misuse of Bank or Credit Cards Under Article 245
If the online banking fraud involves bank cards, debit cards, credit cards or card credentials, Article 245 of the Turkish Penal Code may apply. The official English text states that a person who acquires or retains another person’s bank or credit card and uses it without the consent of the cardholder, or secures benefit by allowing it to be used by others, is punishable by imprisonment from three to six years and a judicial fine.
The Venice Commission’s English text of the Turkish Penal Code also states that producing, selling, transferring, purchasing or receiving counterfeit bank or credit cards linked to another person’s bank account is punishable by three to seven years of imprisonment and a judicial fine up to ten thousand days; using a counterfeit or falsified bank or credit card to secure benefit is punishable by four to eight years and a judicial fine up to five thousand days, provided the act does not constitute another offence.
Article 245 may be relevant in online banking fraud where:
Card data is stolen through phishing.
Debit card information is used for online purchases.
Credit card details are entered into a fake payment page.
3D Secure codes are obtained by deception.
Card credentials are used without consent.
Counterfeit card data is used digitally.
Card data is stored and sold to others.
Not every unauthorized transfer is a card misuse case. If the money is transferred directly from a bank account by EFT or FAST, qualified fraud and cybercrime provisions may be more central. If card data is used, Article 245 should be evaluated.
6. Phishing and Fake Bank Messages
Phishing is one of the most common methods of online banking fraud in Turkey. The victim may receive a fake SMS, e-mail, WhatsApp message or social media message that appears to come from a bank. The message may claim that the account is blocked, a suspicious transaction occurred, a security update is required, or a refund is waiting. The link then directs the victim to a fake bank page.
The victim may enter:
Customer number.
Internet banking password.
Mobile banking password.
Credit card details.
SMS verification code.
Identity number.
Phone number.
Two-factor authentication data.
Once this information is obtained, the offender may access the account and transfer money. The legal classification may include qualified fraud, unauthorized access, system interference, personal data offences and bank card misuse depending on what happened after the phishing.
Victims should preserve the original phishing message, the URL, screenshots of the fake page, SMS verification records, bank notifications, transaction records and any suspicious phone numbers. Deleting the message may weaken the investigation.
7. Fake Bank Calls and Social Engineering
Online banking fraud is not always fully automated. Many cases involve social engineering. A fraudster may call the victim pretending to be a bank officer, police officer, prosecutor, cargo employee, investment advisor or fraud prevention specialist. The victim may be told that their account is at risk and that they must transfer money to a “safe account,” share verification codes or install an application.
These cases are usually strong candidates for qualified fraud because the victim is deceived through false representations. If the fraudster also accesses online banking systems or uses digital credentials, cybercrime provisions may be added.
Victims should preserve:
Caller phone numbers.
Call logs.
Voice recordings, if lawfully available.
SMS messages.
Bank transaction receipts.
Names or titles used by the caller.
Instructions given during the call.
Remote access app records.
Any screen-sharing evidence.
The complaint should explain the psychological pressure and deception. Many fraudsters use urgency, fear and authority to overcome the victim’s caution.
8. Remote Access Applications and Mobile Banking Fraud
A growing form of online banking fraud involves remote access applications. The victim may be persuaded to install software that allows the fraudster to see or control the phone screen. The fraudster may then guide the victim through banking screens, obtain verification codes, initiate transfers or approve transactions.
This method may raise complex legal issues. The victim may physically press buttons, but the will of the victim is manipulated by fraud. The fact that the victim interacted with the device does not automatically make the transaction lawful. The legal question is whether consent was obtained through deception and whether the transaction reflects a valid banking instruction.
Evidence may include:
App installation records.
Screen-sharing session records.
Bank transaction timing.
Call records.
Messages instructing installation.
Device security alerts.
SMS verification logs.
Bank fraud warnings.
In such cases, victims should stop using the compromised device until it is checked, change passwords from a secure device, notify the bank and preserve evidence.
9. SIM Swap and SMS Verification Fraud
SIM swap fraud occurs when criminals obtain control over the victim’s phone number. This may be done through fake identity documents, social engineering, telecom vulnerabilities or insider misconduct. Once the fraudster controls the SIM card, they may receive SMS verification codes and access online banking accounts.
Legal analysis may involve fraud, personal data offences, forgery, unauthorized access and bank-related offences. Evidence may include telecom operator records, SIM replacement documents, store camera footage, identity documents used, bank SMS logs and transaction records.
Victims should immediately contact the telecom operator and request records showing whether a SIM replacement or number transfer occurred. The criminal complaint should request both bank and telecom records.
10. Money Mule Accounts
Online banking fraud often uses money mule accounts. A mule account is a bank account used to receive and move fraud proceeds. Some account holders knowingly participate in the offence. Others may be deceived by fake job offers, commission promises or requests to “receive money temporarily.”
For victims, identifying the recipient account is the first step. The complaint should request all account movements after receipt of the fraudulent transfer, including cash withdrawals, EFTs to other accounts, ATM footage, branch records, mobile banking login records and linked phone numbers.
For suspects, being the account holder is not always enough for conviction. The prosecution must prove intent and participation. A defence may argue that the account was used by another person or that the account holder was deceived. However, allowing unknown persons to use one’s bank account creates serious legal risk.
11. Immediate Steps After Unauthorized Money Transfers
Victims must act quickly. The first hours may determine whether the money can be frozen before it is withdrawn or transferred.
A victim should immediately:
Contact the bank’s fraud department.
Request blocking or recall of the transaction.
File a written transaction objection.
Block cards and online banking access.
Change passwords from a secure device.
Preserve SMS and e-mail notifications.
Save transaction receipts.
Preserve phishing links and messages.
File a criminal complaint.
Request urgent investigation of the recipient account.
Check whether remote access software was installed.
Contact the telecom operator if SIM swap is suspected.
Document every communication with the bank.
Delay may allow the money to move through multiple accounts or be withdrawn in cash. A fast bank notification and criminal complaint may increase the chance of asset tracing and recovery.
12. Bank Objection and Internal Complaint Process
The victim should not rely only on a criminal complaint. The bank must also be notified immediately. The victim should file a written objection to the unauthorized transaction, request transaction details and demand investigation of the suspicious activity.
The objection should include:
Account holder identity.
Date and time of the unauthorized transfer.
Amount.
Recipient account information, if visible.
Explanation of why the transfer was unauthorized.
Evidence of phishing, phone fraud or device compromise.
Request for blocking, recall or investigation.
Request for written response.
Request for preservation of logs.
The bank’s response may later become evidence in civil litigation or criminal proceedings. Therefore, the objection should be made in writing and preserved.
13. Criminal Complaint Strategy
A criminal complaint for online banking fraud should be detailed and chronological. A generic complaint saying “money was stolen from my account” may not be enough to guide the investigation.
A strong complaint should include:
The victim’s identity and bank account information.
Date and time of the suspicious transaction.
Amount and recipient account details.
Method of fraud, if known.
Phishing message, fake URL or caller number.
Bank SMS and e-mail notifications.
Whether remote access software was installed.
Whether SIM swap is suspected.
Whether online banking was accessed.
Any IP, device or location information shown by the bank.
Written bank objection.
Request for investigation of recipient accounts.
Request for bank, telecom, platform and IP records.
Legal qualification under Article 158/1-f, 243, 244, 245 and other applicable provisions.
If the money passed through multiple accounts, each subsequent account should be investigated. The complaint should request account movements, account opening documents, KYC data, device records and camera footage.
14. Digital Evidence in Online Banking Fraud Cases
Digital evidence is essential. The most important evidence may include:
Bank transaction records.
Mobile banking login records.
IP addresses.
Device identifiers.
SMS verification logs.
E-mail alerts.
Phishing URLs.
Fake bank page screenshots.
Remote access application records.
Call logs.
Telecom SIM replacement records.
ATM camera footage.
Recipient account movements.
Bank account opening documents.
WhatsApp and Telegram messages.
E-mail headers.
Browser history.
Phone forensic records.
Screenshots are useful, but original records are stronger. Victims should preserve original SMS messages, e-mails, links, bank notifications and phone records. If the device is compromised, forensic examination may be necessary.
15. Can Victims Recover Their Money?
Recovery depends on speed, traceability and whether funds remain in the banking system. If the victim contacts the bank immediately and funds have not yet been withdrawn or transferred, blocking or recall may be possible. If the funds have moved through multiple accounts or been withdrawn in cash, recovery becomes harder.
Legal remedies may include:
Bank objection.
Criminal complaint.
Investigation of recipient account holders.
Asset freezing or seizure where legal conditions exist.
Civil compensation claims.
Claims against perpetrators or money mules.
Claims against banks or service providers where legal responsibility can be established.
No result can be guaranteed. However, fast action significantly improves the victim’s position.
16. Civil Claims Against Perpetrators and Account Holders
Victims may pursue civil compensation claims against the persons who received or benefited from the unauthorized transfer. If the recipient account holder knowingly participated in fraud, liability may be clearer. If the account holder claims to be a mule without knowledge, the court will examine the facts.
Civil claims may be based on tort, unjust enrichment or other legal grounds depending on the facts. Evidence from the criminal file, bank records, account movements, ATM footage and communications may support the civil claim.
The victim should document the loss, bank objection, criminal complaint, recipient account information and all related costs.
17. Potential Bank Liability
Victims often ask whether the bank can be held responsible. The answer depends on the facts. Banks are expected to maintain secure systems, transaction monitoring, authentication processes and fraud response procedures. However, if a transaction was approved through valid credentials and verification steps, the bank may argue that it executed an authorized instruction.
Potential bank liability may be discussed where:
The bank ignored suspicious transaction indicators.
The bank failed to act after prompt fraud notification.
Authentication systems were inadequate.
The transaction pattern was clearly unusual.
The bank failed to preserve or provide relevant records.
The bank’s system security contributed to the fraud.
The bank delayed blocking despite immediate notice.
Each case requires detailed banking law and evidence analysis. A victim should not assume automatic bank liability, but should also not accept a bank refusal without examining the facts.
18. Corporate Online Banking Fraud
Companies are frequent victims of online banking fraud. Corporate accounts may be targeted through business e-mail compromise, fake invoice fraud, executive impersonation, payroll fraud, compromised accounting systems or stolen banking credentials.
Corporate victims should preserve:
Payment approval records.
Internal e-mails.
Supplier correspondence.
Bank transfer authorizations.
Fraudulent invoices.
Full e-mail headers.
Employee access records.
Accounting system logs.
Board or management approvals.
Bank communication records.
Corporate cases may involve both criminal fraud and civil disputes between buyer, supplier, bank, employee and insurer. Companies should also assess whether personal data was exposed.
19. KVKK and Data Breach Issues
Online banking fraud may involve personal data. If a company’s customer, employee or supplier data is accessed through phishing, mailbox compromise or system intrusion, KVKK obligations may arise.
The Personal Data Protection Board’s Decision No. 2019/10 requires controllers to document personal data breaches and states that if notification cannot be achieved within 72 hours, reasons for delay should be attached; information may also be provided gradually where it cannot be supplied at once. The Turkish Personal Data Protection Authority separately explains that the “shortest time” requirement in Article 12(5) is interpreted as notification to the Board without delay and no later than 72 hours after awareness.
Therefore, a corporate online banking fraud incident may require:
Criminal complaint.
Bank objection.
Forensic investigation.
KVKK breach assessment.
Notification to affected persons where required.
Internal disciplinary review.
Contractual notification to business partners.
Companies should not treat bank fraud and data breach as separate issues if the same phishing incident exposed personal data.
20. Defence Strategies in Online Banking Fraud Cases
Persons accused of online banking fraud may include money mule account holders, callers, phishing page operators, SIM swap participants, bank account holders, employees, IT personnel or alleged organizers. Defence strategy depends on the alleged role.
Possible defence arguments include:
The accused did not make the transfer.
The bank account was used by another person.
The accused was deceived as a money mule.
There is no evidence of fraudulent intent.
The accused did not control the phishing site.
IP records do not identify the accused.
The device was shared or compromised.
The transaction was part of a genuine commercial relationship.
The accused did not receive or keep the benefit.
Screenshots and messages are incomplete.
The legal classification is excessive.
The evidence was unlawfully obtained.
In online banking fraud, intent and participation are crucial. A bank account connection may be suspicious, but it does not automatically prove that the account holder planned or knowingly participated in the fraud.
21. Prevention for Individuals
Individuals can reduce online banking fraud risk through practical measures:
Do not click banking links in SMS or e-mail.
Use only official bank applications.
Do not share SMS verification codes.
Do not install remote access apps upon request.
Call the bank from official numbers only.
Use strong passwords.
Enable biometric or two-factor security.
Keep phone software updated.
Do not use public Wi-Fi for banking.
Monitor account activity.
Set transaction limits.
Be cautious of “safe account” instructions.
Never transfer money because of a phone threat.
If suspicious activity occurs, contact the bank immediately.
Prevention is easier than recovery.
22. Prevention for Companies
Companies should adopt stronger controls because corporate losses are often larger.
Recommended controls include:
Dual approval for high-value transfers.
Callback verification for new IBANs.
Separation of payment preparation and approval.
Restricted online banking users.
Token and device controls.
Payment limits.
Employee training.
Business e-mail compromise awareness.
Secure accounting systems.
Vendor bank account verification.
Fraud response protocol.
Cyber insurance review.
Regular review of banking permissions.
Log retention.
Internal audit of payment workflows.
No company should change supplier bank details based only on e-mail. Verification should be made through a trusted phone number already recorded in company files.
Conclusion
Online banking fraud in Turkey is a serious cybercrime and financial litigation issue. Unauthorized money transfers may result from phishing, fake bank calls, remote access applications, SIM swap attacks, business e-mail compromise, fake investment schemes or compromised banking credentials. The main legal provisions may include Turkish Penal Code Article 158/1-f on qualified fraud, Article 243 on unauthorized access, Article 244 on system interference and data transfer, and Article 245 on misuse of bank or credit cards.
For victims, speed is critical. The bank must be notified immediately, a written objection should be filed, digital evidence must be preserved and a detailed criminal complaint should be submitted. The complaint should request investigation of recipient accounts, IP logs, device records, telecom records, bank transaction logs and camera footage. For companies, online banking fraud may also trigger KVKK breach assessment if personal data was exposed.
For suspects and defendants, the key issues are intent, participation, account control, digital attribution and reliability of evidence. Merely being connected to a bank account, phone number or IP address is not always enough for criminal liability; the prosecution must prove knowing participation and unlawful benefit.
In Turkey’s digital banking environment, unauthorized money transfers must be handled with a combined strategy: urgent bank action, criminal complaint, digital evidence preservation, civil recovery and data protection compliance where necessary. The strongest legal response is fast, documented and technically precise.
Yanıt yok