The convenience of data processing systems has led to the emergence of new cybersecurity risks and methods for committing cybercrimes, as well as a growth in such crimes, notably fraud. This is one of the unintended consequences of digitalization in the financial sector.
In Turkish law, cybercrimes are divided into two categories: direct and indirect. Direct cybercrimes are listed under Section 10 of the Turkish Penal Code No. 5237 ("TPC"), titled "Offenses in the field of Data Processing Systems", whereas indirect cybercrimes are regulated as a qualified form of various crimes under the TPC. In this respect, "access to data processing system", "hindrance or destruction of the system, deletion or alteration of data", "improper use of bank or credit cards" and "prohibited devices or programs" are classified as direct cybercrimes under Section 10. On the other hand, indirect cybercrimes are regulated as qualified forms of theft, fraud, and the crime of providing a place and opportunity for gambling.
Fraud By Using Data Processing Systems
Pursuant to Article 158/1-f of the TPC, committing fraud by using data processing systems, banks and financial institutions as a tool is regulated as a qualified form of fraud that increases the penalty. Within this framework, offenders will be punished with imprisonment from four years to ten years and a punitive fine of up to five thousand days, which may not be less than twice the profit obtained from the crime.
Data processing systems serve as a bridge in the case of cyber fraud, transferring the fraudulent act from the perpetrator to the victim. Of course, there are a variety of ways to use this bridge. Phishing and man-in-the-middle attacks are the two most common methods used to commit cyber fraud, especially when international trading companies are targeted.
Phishing is one of the oldest methods of online attack, in which individuals or organisations are contacted through e-mails or websites that pose as legitimate in order to lure the targets into making money transfers or providing sensitive data such as passwords, usernames, and banking and credit card details. Although virtually anybody might be the target of these attacks, business executives and employees in finance departments who have access to confidential financial data are the most frequently attacked.
- Man in the Middle Attack
A man-in-the-middle attack is a type of cyber-attack in which the attackers illegally intrude into the communication between two computer users in order to secretly monitor and alter the communication between parties who believe they are communicating directly and securely with one another. In this case, the perpetrator, known as the "man in the middle," frequently intercepts email correspondence between businesses that trade together and transmits emails on their behalf by impersonating one of the two parties. The perpetrator, who has detailed knowledge of the nature of the business relationship between the companies and the intended transaction, intervenes in the email exchange and modifies the banking information that will be used by the businesses to transfer money, ensuring that the money is received by the modified account instead of the intended recipient.
These two methods, which are often used in fraudulent activities, have one thing in common: they both involve transferring money to the fraudster's account. Phishing convinces the remitter to make the money transfer through e-mails that appear to have come from persons with whom they have a business relationship or from their senior managers. In the man-in-the-middle attack, while the parties to the business relationship are actually communicating with each other, the attacker inserts themselves into the mail chain via a fake e-mail address that appears to be original, created by changing the extension, a letter or the punctuation of the e-mail address belonging to one of the parties. Having infiltrated the mail chain covertly, the attacker changes the real account details belonging to one of the parties to the commercial relationship and makes the other party transfer the money to the attacker's own account. This account is mostly a bank account. Therefore, it is crucial to determine the position of the bank, which plays a significant part in such crimes.
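The fake addresses described above (a changed extension, letter or punctuation mark) can be screened for before a payment instruction is acted on. The following Python sketch is an added example, not part of the original article; the function names and the sample addresses are constructed for illustration, and the address splitting is a simplification that treats everything after the first dot of the domain as the extension.

```python
import re

TRUSTED = ["accounts@example.com"]  # constructed: the real counterparty address

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_address(addr):
    """Split into (local part, first domain label, extension). Simplification:
    everything after the first dot of the domain is treated as the extension."""
    local, _, domain = addr.strip().lower().rpartition("@")
    name, _, ext = domain.partition(".")
    return local, name, ext

def strip_punct(s):
    """Drop dots, hyphens, underscores and any other non-alphanumeric character."""
    return re.sub(r"[^a-z0-9]", "", s)

def classify_sender(sender, trusted=TRUSTED):
    """Return (verdict, matched trusted address or None, reason)."""
    sender = sender.strip().lower()
    if sender in (t.lower() for t in trusted):
        return ("trusted", sender, "exact match")
    s_local, s_name, s_ext = split_address(sender)
    for t in trusted:
        t_local, t_name, t_ext = split_address(t)
        if (s_local, s_name) == (t_local, t_name):
            return ("lookalike", t, "extension changed")
        if s_ext != t_ext:
            continue
        if (strip_punct(s_local), strip_punct(s_name)) == (strip_punct(t_local), strip_punct(t_name)):
            return ("lookalike", t, "punctuation changed")
        if edit_distance(f"{s_local}@{s_name}", f"{t_local}@{t_name}") == 1:
            return ("lookalike", t, "one character changed")
    return ("unknown", None, "no similar trusted address")

if __name__ == "__main__":
    # Constructed sender addresses, not taken from any real case.
    for addr in ["accounts@example.com", "accounts@example.net",
                 "accounts@ex-ample.com", "accounts@examp1e.com",
                 "sales@unrelated.org"]:
        print(addr, classify_sender(addr))
```

A "lookalike" verdict on a message that changes bank details is a reason to confirm the new account through a channel other than the e-mail thread itself.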
What Are the Legal Remedies?
So, what should persons who are exposed to cyber fraud in Türkiye do? In fact, the moment a crime of any kind is discovered, it is imperative that the competent authorities are informed. In this regard, the report of cyber fraud may be submitted to the Chief Public Prosecutor's Office, law enforcement authorities, the governor's office, the office of the administrative chief of district, or the court. However, it should be noted that a report submitted to the governor's office, the office of the administrative chief of district, or the court will cause a waste of time, considering that it will be sent on to the relevant Chief Public Prosecutor's Office. Moreover, the crime may be reported to Turkish ambassadors and consulates if it was committed abroad but needs to be prosecuted in Türkiye.
In parallel to reporting the crime, it may be possible to cancel or postpone the money transfer in cyber fraud cases, which typically involve bank accounts, by directly contacting the Turkish bank that received the money. As a matter of fact, there is a limited time frame to cancel the transfer by blocking the payment. Sometimes the time frame is so limited that even if you realize the fraud and contact the bank immediately after making the transfer, the transfer cannot be revoked because it is instantaneous. Yet throughout the stages of the criminal investigation and prosecution, it is crucial to request that the judicial authorities implement measures to seize the bank accounts of the suspect or the accused. This is because, if the unfairly transferred amount or a portion of it is still in the bank account, securing that money might prevent the damage from occurring and make it possible for the victims to recover their losses more swiftly and efficiently when the investigation is concluded.
The identification of the perpetrator presents yet another challenge in fraud crimes committed via data processing systems, due to the need for technical methods. In cases where the identity of the suspect is known, although this is extremely rare, legal actions such as lawsuits, enforcement proceedings etc. can be initiated directly against the suspect(s).
How much liability falls on the bank?
According to data from the World Bank published in 2021, 76% of the total human population has bank accounts. In other words, 76% of people apply to banks to protect their savings. As a matter of fact, as stated in many decisions of the Court of Cassation of the Republic of Türkiye, banks are institutions of trust and reliance. In this respect, banks have an objective duty of care to their customers, and the limits of their liability are determined as a requirement of being a trust/reliance institution. To summarise, banks are strictly liable for the unlawful acts of their employees and are held liable for even the slightest faults in their relations with their customers.
Although this is true in theory, it is questionable whether banks can really be held liable for cyber fraud cases. The bank is obligated to compensate the losses of the customers in accordance with the Court of Cassation's jurisprudence if the money in the customers' accounts is seized by third parties through illicit transactions or falsified documents without the customers' fault.
However, natural or legal persons who are exposed to cyber fraud through the methods described above place their own orders for money transfers in accordance with the instructions of the other party. In such cases, it becomes impossible to hold the bank liable, because it has been established through legal precedent that if money transfer orders are given to incorrect account numbers, the bank cannot be sued. Banks are not even obliged to check whether the account number and the name of the recipient match.
In other words, even though the bank can be held liable for an unauthorized transaction, it is the customer that bears liability if the money transfer to the fraudster is completed by them, because this way the transaction is authorized by the customer. This approach, nevertheless, also sparks debate. Although it is accepted that the bank will not be liable for compensation in such cases, it might be argued that the bank's response and attitude once the cyber fraud is discovered may have an impact. Once the bank is notified of the cyber fraud crime and the associated transaction, certain actions are expected from the bank, such as control, detection, and reporting of suspicious transactions. The bank may be held fully or partially liable if it fails to take these actions, i.e., if a loss occurs due to the bank's fault.
By Baris Ulker, Senior Associate, and Beliz Boyalikli, Legal Trainee, Guleryuz & Partners