Turkey - Corporate Crime - IBAN And Swift Fraud (2024)

23 July 2024

SO Sakar Law Office

Contributor

Sakar is a client and solution oriented, investigative and innovative law firm based in Istanbul. Our Firm is committed to providing our clients with high-quality legal services and a business-minded approach. We are a full-service law firm serving clients across a wide range of areas including Mergers and Acquisitions, Corporate and Commercial, Contracts, Banking and Finance, Competition, Litigation, Employment, Real Estate, Energy, Capital Markets, Foundations, E-commerce, Media and Technology, Data Privacy and Data Protection and Intellectual Property. In order to offer the best possible service for our clients, we harness the latest market developments in legal technology and innovation and we closely follow the legislative changes in Turkish Law. Our lawyers are multi-specialists, equipped to handle a broad range of legal matters. In addition to our depth of experience and awareness of market practice, clients know they will benefit from our team’s innovative mindset and willingness.


Fraud committed by altering International Bank Account Number (IBAN) or SWIFT information, by a person who intervenes using IT systems as a tool, has become one of the most common fraud acts used by internet hackers. As a necessity of living in the digital age, we live in an environment where the payment systems and banking information of all companies are managed via e-mail on the internet. Thus, if the necessary security measures are not taken, exposure to IBAN or SWIFT fraud is a potential danger that every company, regardless of its field of operation, may face.

Offenders commit fraud in multiple ways by using IT systems as a tool. Examples include phishing messages containing fake links/files, spam e-mails, trojan software downloaded to the computer through links, keyloggers and screen recorders, fraud by connecting to the Wi-Fi network, and the "Man In The Middle Attack", which is the subject of this article and the most common attack on companies.

How is the Crime Committed?

In Turkey, there are many companies with foreign partners and/or foreign offices, or with active commercial relations with foreign countries. Offenders monitor these companies in particular and learn the company's usual workflow before committing the fraud. This monitoring is usually carried out by accessing the company computer or phone of one of the company's authorized persons through one of the methods mentioned above, and the offenders have access to the internal functioning of the company for a long period in advance, even down to the e-mail patterns of the employees. Therefore, they are also aware of the payments to be made and the inflows and outflows of money.

When the offenders are ready, they create a new fake e-mail address, usually by changing one letter so that it is indistinguishable from the company's e-mail address, and pretend to be an authorized person of the creditor company. This method is so well developed that the previous original e-mails appear under the e-mails sent by the offenders, and even the employees cc'd appear to be the same.

In this type of attack, referred to as a man-in-the-middle attack, the attacker, who is the man in the middle, communicates with both parties and stalls them by deleting and changing e-mails. The attacker, who is aware of a payment, uses the methods described above to send an e-mail to the person who will make the payment, stating that the IBAN / SWIFT account information of the recipient company has changed and that the money should be sent to the account the attacker has forwarded. Since the person who will make the payment thinks that he/she is corresponding with the real creditor company, he/she makes the payment to the specified account and sends the money to the offenders. Since the offenders usually provide bank account information abroad, by the time the paying company realizes the situation and has the account blocked, the money is already gone and the company that made the payment has been defrauded.

Analysis Within the Scope of Turkish Criminal Code

Under Article 157 of the Turkish Criminal Code ("TCC"), the crime of fraud is defined as deceiving a person by fraudulent acts and obtaining a benefit for oneself or another person to the detriment of that person or another person. Offenders who commit this act are sentenced to imprisonment from one year to five years and a judicial fine of up to five thousand days. The crime of fraud has three main elements. The first is that the offender acts fraudulently by means of qualified lying and that these fraudulent acts are carried out intentionally with the aim of harming the victim. The second is that the fraudulent behavior deceives the victim in the specific case and in the victim's situation. The third is that, while the victim suffers harm due to the criminal act, the offender gains a benefit for himself/herself or someone else. In this context, there must be a causal connection between the damage and the act, and the offender must be at fault.

Monitoring by entering the e-mail addresses of companies or individuals as described in this article, and committing the crime in this way, is considered a qualified form of the crime of fraud within the scope of Article 158 of the Turkish Criminal Code, namely fraud by using IT systems as a tool. Unlawfully entering all or part of an information system or continuing to stay there, and preventing or disrupting its functioning, are among the crimes in the field of informatics within the scope of Articles 243 and 244 of the TCC. Offenders who commit the crime of qualified fraud are sentenced to imprisonment from three to ten years and a judicial fine of up to five thousand days (the lower limit cannot be less than four years and the amount of the judicial fine cannot be less than twice the amount of the benefit obtained from the crime), while imprisonment of up to one year or a judicial fine is imposed for the crime of entering information systems, and imprisonment from one to five years for the crime of blocking, disrupting, destroying or changing the system.

Such cases can be evaluated by the prosecutor's office as the crime of entering information systems within the scope of Article 243 of the Turkish Penal Code, and they can also be evaluated as the crime of qualified fraud by using information systems as a tool, which is a more serious offense type within the scope of Article 158 of the TCC. Since the offenders in such crimes are usually abroad or commit criminal acts from abroad, unfortunately, there are problems within the scope of the investigation in matters such as determining the IP address and determining the bank account.

As an example from Turkish courts, in the decision Istanbul BAM 22.C.D. 14/04/2022 K.T. 2022/1184 E. 2022/1119 K., the participating company, operating in Azerbaijan, did business via e-mail with Company X, operating in Turkey. A fake identity and appointment document containing the defendant's name, with the name and signature copied from the proforma invoice issued by Company X, was sent to the participating company from an e-mail address created by changing a few letters of Company X's original e-mail address. The e-mail gave the IBAN number of the defendant's bank account and stated that the money should be sent to this account. Believing this, the officials of the participating company sent 31.820 pounds to the defendant's bank account that had been notified to them. When the goods subject to the sale were not sent, the participating company realized that it had been defrauded and filed a complaint. In the investigation, it was found that the IBAN number to which the participating company sent the money belonged to the defendant, and from the camera footage examined it was understood that the money was sent by the defendant from within the branch. In this way, it was found that the defendant committed the crime of fraud by using information systems, banks or credit institutions as a tool.

What Precautions Can Be Taken?

First of all, it should be ensured that the systems used in companies are secured against cyber-attacks. All company employees, especially those working in the finance and sales departments, should be regularly informed about such potential risks, with particular emphasis on checking the sender's e-mail address in incoming e-mails regarding payments.

As a company policy, to prevent the crime it would be useful to confirm the account information to which the money is to be transferred by means other than e-mail, for example by phone, and to check the accuracy of the account information, whether it is the account to which the payment is always made, and which country the account is connected to. Further precautions can be listed, and in any case it is advisable to consult an IT expert or a lawyer specialized in this field.
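As an added illustration (not part of the original article), the checks recommended above can be partly automated before a payment-detail change is accepted: compare the sender's domain with the vendor's known domain, validate the IBAN checksum, and compare the new account and its country with the one on record. The vendor record, field names and e-mail addresses below are constructed assumptions; the IBANs are published example values.

```python
import re

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first 4 chars to the end, A=10..Z=35."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains that differ by a letter or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_change_request(sender: str, new_iban: str, vendor: dict) -> list[str]:
    """Return reasons to hold a bank-detail change for confirmation by phone."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    known = vendor["domain"].lower()
    if domain != known:
        near = edit_distance(domain, known) <= 2
        flags.append("lookalike-domain" if near else "unknown-domain")
    new = re.sub(r"\s+", "", new_iban).upper()
    old = re.sub(r"\s+", "", vendor["iban"]).upper()
    if not iban_ok(new):
        flags.append("iban-checksum-invalid")
    if new != old:
        flags.append("iban-differs-from-record")
        if new[:2] != old[:2]:  # first two characters are the country code
            flags.append(f"country-changed:{old[:2]}->{new[:2]}")
    return flags

# Constructed sample data: hypothetical vendor record and change request.
VENDOR = {"domain": "company-x.example", "iban": "TR33 0006 1005 1978 6457 8413 26"}
REQUEST = ("accounts@conpany-x.example", "GB82 WEST 1234 5698 7654 32")

if __name__ == "__main__":
    for reason in review_change_request(*REQUEST, VENDOR):
        print("HOLD:", reason)
```

A valid checksum only rules out a mistyped number, since an account controlled by an offender also passes it; the decision to hold the payment comes from the mismatch with the vendor record and the sender's domain.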

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
