FEB01

#yilmazulker #cyberfraud #turkishlaw #legalremedies #publication

Cyber Fraud & Legal Remedies Under Turkish Law

Cyber Technologies and Cyber Crimes in Türkiye

The ever-increasing global digitization increases the usage of technology by companies and individuals, as well as the role of cyber technologies in daily life. It is safe to say that Türkiye is keeping pace with this global digitization trend and advancing in the field of cyber technologies. According to the Information and Communication Technologies Sector 2022 Market Data and Trends Report issued by the Informatics Industry Association (TÜBİSAD) [1], the cyber and communication technologies sector reached a notable size of TRY 409 billion in 2022, showing a growth of 54% compared to the previous year.

The advancement and spread of cyber technologies in Türkiye, together with their active usage in the banking sector, have led to the emergence of a variety of cyber-crimes, the numbers of which are progressively increasing. One of the global providers of network security and intelligence, WatchGuard, stated that in 2023, a malicious cyber-attack occurred every three minutes within Türkiye [2]. In this regard, it is important to be informed of the legal remedies introduced by the Turkish lawmakers to take measures against such crimes.

In Turkish Criminal Law, cyber-crimes are divided into two categories: direct and indirect cyber-crimes. Direct cyber-crimes [3] are those specially stipulated in the Turkish Penal Code No. 5237 (“TPC”); indirect cyber-crimes are the crimes resulting from the commission of other offenses through cyber systems.

Cyber fraud, to which companies, managers, businesspeople, and other individuals have fallen victim in recent years, qualifies as an indirect cyber-crime and is considered an aggravated form of fraud within the scope of Article 158/1-f of the TPC.

Cyber Fraud Committed Via Software Systems, Banks or Credit Institutions

According to Article 158/1-f of the TPC, the commission of cyber fraud using software systems, banks, or credit institutions constitutes an aggravated form of fraud. The article also stipulates that those who commit this offense are subject to imprisonment for a term ranging from 4 to 10 years, as well as a judicial fine up to five thousand days, which shall not be less than twice the benefit obtained from the crime.

Cyber fraudsters who utilize software systems as tools use many different methods. Among these, the most common methods, which primarily target corporate entities, are: man-in-the-middle (MITM) attack; phishing; SMS phishing (smishing); voice phishing (vishing).

Man-In-the-Middle Attack (MITM)

In this method, the perpetrator, i.e. the cyber-fraudster, encrypts, through unauthorized access, the data transferred between network devices and the victim's computer and then illicitly monitors the correspondence between companies and/or businesspeople who maintain their commercial relationship generally via e-mail [4]. Typically, the cyber-fraudster infiltrates the correspondence by unauthorized means and often manipulates e-mail exchanges, particularly those related to money transfers, by subtly altering just one letter of the e-mail address so that the transfer is diverted, unnoticed, to a bank account they control.

Phishing

In phishing, victims are initially directed to fake websites through deceptive e-mails that appear to be sent by reputable organizations such as banks or government agencies. Once victims provide their personal data on that website, the data is exploited to gain access to the victims’ bank accounts, and their funds are siphoned to a bank account designated by the cyber-fraudsters. In a recent decision concerning the phishing method [5], it was determined that creating a fake website identical to the bank's website, leading users to mistake it for the actual website, and then stealing the personal data and passwords entered by users attempting to access their accounts via e-mail under internet banking, constitutes aggravated fraud.

Smishing

The method and purpose of smishing are almost identical to those of phishing, except that this time fraudsters use short messaging services (SMS), i.e. WhatsApp messages, instead of e-mails. Considering that communication through text messages is quite common among businesspersons, especially those at senior levels, it is quite possible for cyber fraudsters to access sensitive financial information. In a smishing attack, fraudsters generally send deceptive text messages to trick recipients into clicking on malicious links, whereby their personal data is stolen.

Vishing

In the vishing method, fraudsters reach victims by phone and pretend to be a trusted authority such as a law enforcement officer, public servant or bank official. The fraudsters' aim is the same as in the other methods: gaining access to victims’ sensitive information, especially information relating to bank account details. Fraudsters generally aim at corporations that have a longstanding commercial relationship and preferably running accounts. They pretend to be calling from the accounting department of one of the corporations and lure their counterpart into transferring monies to a different bank account. According to the X-Force Threat Intelligence Index 2022 published by IBM, cyber fraudsters proved three times more successful with the vishing method than with phishing [6].

Legal Remedies Against Cyber Fraud

For individuals or corporations that fall victim to any of the above-defined methods of cyber fraud, the initial action should be to notify the authorities. For domestic offences, such authorities are the public prosecution office, the police, governorates and courthouses. For cross-border offences that transpired abroad but need to be prosecuted in Türkiye, the authorities are the relevant Turkish embassy and/or consulates. It is important to note that in the event of a cyber fraud, time is of the essence in taking the correct legal action. Any delay in taking action would render it significantly cumbersome, if not impossible, to detect the perpetrator and claw back the stolen amount.

Given that cyber fraudsters almost always transfer the money to a designated bank account, it is of paramount importance to identify that bank, get in touch with its administration and pursue legal action in parallel to cancel the transaction or freeze the relevant bank account and claim the money back.

Although it is theoretically possible to detect the owner of the bank account that was utilized for a cyber-crime and press charges against that person, in practice it is almost impossible to detect the actual perpetrator, as they use anonymous accounts. In that case, the question arises whether the bank is liable.

Liability of Bank

Banking is a heavily regulated sector in Türkiye. Banks are established by special legislation [7], are granted certain privileges in their field of operation, and have a liability and duty of care to safeguard the collected funds and participation accounts against fraud attempts. In this respect, banks are treated as trusted parties to banking transactions and bear a significant level of liability [8].

The liability of banks is controversial where cyber fraud is committed with the use of banking systems. It is regulated that banks are liable, under their objective duty of care, for any damage incurred by customers due to unauthorized withdrawals of funds without any fault of the customer [9] or due to fraudulent actions by way of using a forged document [10]. On the other hand, there are court decisions which concluded that banks shall not be liable for damages incurred due to transfers of money to the bank accounts stated by fraudsters as a result of deceptive action [11], and that banks have no liability to check the names of the recipient of the transferred money and the owner of the relevant IBAN account [12].

In conclusion, the liability of banks in cyber-crimes must be evaluated on a case-by-case basis. In any case, the most crucial action to claim monies back in the event of a cyber fraud is to act as swiftly as possible before the relevant authorities (prosecution offices and the bank) and then conduct a diligent inspection in cooperation with the authorities to detect the perpetrator and the relevant account.

Bibliography
  • [1] https://www.tubisad.org.tr/tr/bilgi-bankasi/sunumlar-liste/TUBISAD-Raporlar/40/0/0
  • [2] https://www.aa.com.tr/tr/bilim-teknoloji/siber-suclarin-maliyetinin-2023te-8-trilyon-dolari-asmasi-bekleniyor/3073695
  • [3] Accessing a Data Processing System (TPC Art.243); Preventing the Functioning of a System and Deletion, Alteration or Corrupting of Data (TPC Art.244); Misuse of Bank or Credit Cards (TPC Art.245); Prohibited Devices or Programs (TPC Art.245/A).
  • [4] Dicle, S. Zafer. “Ortadaki Adam Saldırısı (MITM)”. Avrupa Bilim ve Teknoloji Dergisi Özel Sayı, C.42, (2022). S.100-107.
  • [5] Decision of Turkish Court of Appeal 2nd Criminal Chamber Dated 19.12.2022 and Numbered 2022/13584 E. 2022/21159 K.
  • [6] https://www.ibm.com/reports/threat-intelligence/uk-en
  • [7] Banking Code No. 5411.
  • [8] Battal, Ahmet. Güven Kurumu Nitelendirmesi Işığında Bankaların Hukuki Sorumluluğu. Ankara, 2001. S.106.
  • [9] Decision of Turkish Court of Appeal Assembly of Civil Chambers Dated 21.11.2012 and Numbered 2012/11-550 E. 2012/820 K.
  • [10] Decision of Turkish Court of Appeal 3rd Civil Chamber Dated 09.06.2021 and Numbered 2021/3303 E. 2021/6259 K.
  • [11] Decision of Turkish Court of Appeal 19th Civil Chamber Dated 29.03.2017 and Numbered 2016/4596 E. 2017/2564 K.
  • [12] Decision of Turkish Court of Appeal Assembly of Civil Chambers Dated 23.02.2021 and Numbered 2017/19-941 E. 2021/144 K.