Customer Z.K. receives an email appearing to be from his bank (Bank X). The email states, “A suspicious transaction has been detected in your account, and you need to update your account information immediately for your security.” Z.K. clicks on the link in the email in a panic.

The page that opens is an exact copy of the bank’s website. Z.K. enters his credit card number, expiration date, CVV code, and internet banking password into the fake site. A few hours later, he receives confirmation SMS messages on his phone regarding high-amount purchases (electronics and flight tickets) made without his knowledge. Realizing the situation, Z.K. immediately calls the bank to cancel his card, but some of the transactions have already passed into “pending provision” status.

Legal Evaluation This case is a typical “phishing” fraud, defined as an “IT crime” in the Turkish Penal Code (TCK) and constituting the crime of “misuse of bank or credit cards” (TCK Article 245).

1. Criminal Liability of the Perpetrator The perpetrator or perpetrators have committed multiple crimes:

  • TCK 245 (Misuse of Bank or Credit Cards): Obtaining unfair advantage by acquiring and using someone else’s credit card information. The penalty for this crime is imprisonment from three to six years.

  • TCK 243 (Entering an IT System): Ensuring the deception of the victim by creating a fake website (system).

  • Fraud (TCK 157) and Qualified Fraud (TCK 158): Obtaining benefits by deceiving a person using IT systems as a tool with fraudulent behaviors.

2. Legal Steps the Victim Must Take Z.K. must act quickly on two separate tracks to both get his money back and ensure the perpetrators are punished:

a) Banking Process (For Refund of Money):

  • Chargeback (Harcama İtirazı): In addition to canceling the card, Z.K. must immediately apply to his bank with a written petition stating that these transactions do not belong to him and initiate the “chargeback” procedure.

  • Bank’s Liability: According to the Bank Cards and Credit Cards Law, banks are obliged to establish secure systems against fraud. Unless gross negligence on the part of the victim Z.K. (such as sharing his password with someone else) is proven, the bank can also be held liable for unjust expenditures. “Phishing” attacks are generally not considered gross negligence.

b) Criminal Process (For Punishment of Perpetrators):

  • Prosecutor’s Complaint: Although this crime is not subject to complaint, it is essential for Z.K. to go to the nearest Public Prosecutor’s Office and file a criminal complaint with the “Cyber Crimes Bureau” to start the process.

  • Submission of Evidence: Z.K. should attach the following to the complaint petition:

    • Screenshots of the fake email received,

    • The link of the fake website he clicked (if possible),

    • Transaction notifications received from the bank (SMS, account statement),

    • The petition for chargeback made to the bank.

  • Investigation: Upon the complaint, the Prosecutor’s Office will send the file to the Cyber Crimes Combat Branch Directorate. The police will try to identify the perpetrators by investigating the IP addresses of the fake website, the accounts to which money was transferred, and the places where shopping was done.

Conclusion and Advice Speed is vital in cybercrimes.

The moment you realize you are a victim of a “phishing” attack, the first priority is to call the bank and close the card, the second priority is to make a written chargeback objection, and the third priority is to file a criminal complaint with the prosecutor’s office without wasting time.

In such complex and technical processes, getting support from an IT law lawyer to both manage the objection process with the bank correctly and follow the prosecutor’s investigation effectively will ensure the victim protects their rights fully and increases the chance of getting their money back.