Cybersecurity Insurance Risks
The fact that the internet and information technologies are an increasingly large part of our lives has its pros and cons. While it is easier to communicate and many transactions such as banking, investment and shopping may be conducted online, people are more vulnerable to cybercrime since all of our data is stored in computers and online.
The Oxford Dictionary defines cybercrime as “crime that is committed using the internet, for example by stealing somebody’s personal or bank details or by infecting their computer with a virus”. Naturally, as the importance of the internet and information technologies has grown, offenders have found more sophisticated and harder-to-trace methods of obtaining information from others.
This article aims to introduce the main types of cybercrime regulated under Turkish law, the most common cyber fraud methods and how these crimes are investigated in Turkey.
Turkish Criminal Code No. 5237 (“TCC”) regulates the most common types of cybercrime. In fact, part 10 of the TCC is entitled “Offences Related to Information Systems”.
The first crime in this section, under Article 243 of the TCC, is entitled “Accessing an Information System”. Accordingly, any person who, either partially or fully, unlawfully accesses an information system or remains within such a system is sentenced to prison for up to one year or a judicial fine. If these acts are committed in relation to a system that is accessible upon payment of a fee, or any data is deleted or altered as a result of these acts, the perpetrator is sentenced to six months to two years in prison. Any person who tracks data transfers within an information system or between information systems with technical devices, without accessing such systems, is sentenced to one to three years in prison.
Article 244, entitled “Preventing the Functioning of a System and Deletion, Alteration or Corrupting of Data”, makes it a crime to prevent the functioning of an information system or to render such a system useless, stipulating imprisonment for one to five years. Deleting, altering, corrupting, or preventing access to data, introducing data into a system, or sending existing data elsewhere is subject to six months to three years in prison. If these acts are committed on a system belonging to a bank, a credit institution or a public entity, the sentence imposed is increased by one half.
It should be noted that perpetrators who commit the abovementioned crimes usually commit other crimes at the same time, such as violation of privacy, violation of the confidentiality of communication, illegally obtaining data, theft, etc.
Article 245 of the TCC regulates the misuse of bank or credit cards. Accordingly, any person who acquires benefit for himself or another, by any means, by taking possession of, retaining, using, or having another person use a credit or a bank card belonging to someone else or using them without the consent of the right holder is sentenced to three to six years in prison and a judicial fine of up to five thousand days. Meanwhile, any person who produces, transfers, sells, accepts, or buys a fake credit or bank card affiliated to someone else’s account is sentenced to three to seven years in prison and a judicial fine of up to ten thousand days.
Fraud is the most common and damaging cybercrime. According to Article 157 of the TCC, entitled “Fraud”, any person who deceives another through fraudulent behavior, gains a benefit for himself or others, and causes loss to the victim or another person is sentenced to one to five years in prison. Article 158 regulates aggravated forms of fraud, one of which is “committing fraud by using information systems, banks and credit institutions”. In this case, the perpetrator is sentenced to four to ten years in prison and a judicial fine of up to five thousand days. However, the judicial fine imposed cannot be less than twice the benefit gained through the crime.
Since almost all entities and corporations are in some way internet-connected, they may easily become prey to vicious cyberattacks. Some of the most common cyberattacks are ransomware, phishing, and man-in-the-middle attacks.
Ransomware is malicious software, or malware, that infects a computer and prevents users from accessing their systems and data. Usually, a message requesting a fee in order to regain access to the system is displayed on the screen. There is no guarantee that a person who chooses to pay will actually get the computer decrypted. Ransomware constitutes an aggravated form of “fraud” and “preventing the functioning of a system and deletion, alteration or corrupting of data” under Turkish criminal law.
A man-in-the-middle attack involves a perpetrator inserting himself into a conversation between two parties by gaining access to the information and mail systems of one party in order to communicate with the other party. Perpetrators usually hack into the systems of banks and companies and request seemingly legitimate payments from affiliate companies or customers. Recipients of these requests, unaware that they are actually talking to attackers and not the genuine senders, comply with the requests, sending money to the hackers’ accounts. A man-in-the-middle attack constitutes an aggravated form of “fraud” and “accessing an information system” under Turkish criminal law.
Phishing is a method whereby a victim receives a communication by mail, phone, social media, etc. and is lured into sharing personal information. The perpetrator usually requests a payment while impersonating a person or entity known to the victim, such as an authority, or deceives the victim into clicking a URL that enables the perpetrator to access the victim’s computer and data. Phishing constitutes an aggravated form of “fraud” under Turkish criminal law.
The most notorious phishing method that usually targets companies and corporations is “Business Email Compromise”, whereby a perpetrator pretends to be a business partner, affiliate or customer of the victim and requests a payment via email. The domain of the email address is usually slightly different from the actual entity’s domain (e.g., a single letter is changed), so the victim does not recognize the attack. Attached to the mails are often very realistic, but fake, invoices so that the victim will not suspect the true identity of the sender.
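One defensive check that follows from the description above is to compare the sender’s domain against the domains of known business partners and flag anything that is one edit away (a letter changed, added or dropped). This is an added example, not code from the original article; the partner domains and sample From: headers are constructed for illustration.

```python
"""Flag lookalike sender domains of the kind used in Business Email Compromise.

Added example, not from the original article. The partner domains and the
sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed allow-list of domains the finance team legitimately deals with.
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "northbank.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, known=KNOWN_PARTNER_DOMAINS, max_distance: int = 1) -> str:
    """Return 'known', 'lookalike:<partner>' or 'unknown' for the sender's domain.

    A 'lookalike' is a domain within max_distance edits of a partner domain
    that is not itself a partner domain, i.e. one letter swapped, added or dropped.
    """
    dom = sender_domain(from_header)
    if dom in known:
        return "known"
    for good in sorted(known):
        if edit_distance(dom, good) <= max_distance:
            return f"lookalike:{good}"
    return "unknown"


def triage(headers):
    """Classify a batch of From: headers and return only the lookalikes."""
    results = [(h, classify_sender(h)) for h in headers]
    return [(h, verdict) for h, verdict in results if verdict.startswith("lookalike")]


# Constructed sample From: headers, including two one-letter lookalikes.
SAMPLE_FROM_HEADERS = [
    "Accounts <billing@acme-supplies.example>",
    "Accounts <billing@acme-suplies.example>",   # dropped letter
    "Accounts <billing@acme-supp1ies.example>",  # 'l' replaced by '1'
    "Newsletter <news@unrelated.example>",
]
```

Flagged messages should be routed to a manual payment-verification step (for example, a call-back to a known phone number) rather than acted on from the mail alone.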
What happens when a company is defrauded and lured into sending money to a bank account in Turkey or money is withdrawn from accounts as a result of stealing data through a cyberattack? If the attack is ongoing, the priority, of course, must be to stop it. After that, depending on the case and the type of cyberattack, we recommend that victims create a forensic image of affected computers and logs, save screenshots of email correspondence, and obtain bank records of the transactions.
It is very important to notify both the sending and receiving banks of the fraud and to file a criminal complaint. If the public prosecutor’s office sends the receiving bank a letter of memorandum, the bank is likely to temporarily block the account. Taking this step at an early stage will prevent the perpetrator from withdrawing the money.
However, this is an uncertain, temporary measure. During an investigation, a magistrate’s decision on seizure must be obtained in order to seize a bank account. According to Article 128 of the Criminal Procedure Code, bank accounts may be seized if there are grounds for suspicion that the crime under investigation has been committed.
This is an extreme protective measure. Therefore, the same article stipulates that a report regarding the proceeds of the crime must be obtained from the relevant authority. In this case, the report has to be obtained from the Banking Regulation and Supervision Agency, which may take a long time and may be too late to stop the perpetrator from withdrawing the money.
Therefore, while the crime is being investigated, it is important to file for and obtain an interim injunction from the court competent over the merits of the case pursuant to Article 390 of the Civil Procedure Code (“CPC”). The conditions for an interim measure are listed under Articles 389 and 390 of the CPC. Accordingly, it has to be established either that (i) it would be significantly more difficult or impossible to obtain a right or that (ii) serious damage would occur due to the delay. The applicant also has to roughly prove that they are right on the merits of the case. The decision on an interim injunction is usually made within a short time of the application.
After the decision on an interim injunction is obtained, no money can be withdrawn from the account. It should be noted that a claim for damages resulting from tort must be filed within two weeks of the request for an interim injunction according to Article 397 of the CPC; otherwise, the interim injunction is revoked automatically.
Meanwhile, the criminal investigation will continue, with the public prosecutor’s office working closely with the police force’s cybercrime unit in order to apprehend and take statements from the suspect(s). If the suspects are not identified, the public prosecutor’s office will try to establish the identity of the suspect by obtaining an expert’s report that examines logs and traces IP addresses where necessary.
At the end of an investigation, if the prosecutor is of the opinion that there is sufficient suspicion that a cybercrime has been committed, they will file a public prosecution. Otherwise, they will issue a decision of no grounds for prosecution, to which the complainant may object.
As can be seen, even though the public prosecutor’s offices and criminal courts have to collect evidence ex officio, it is still important to gather as many documents and logs as possible before filing a complaint, as this reduces the chance that the public prosecutor will issue a decision of no grounds for prosecution. It is also necessary for roughly proving the merits of the case when filing for an interim injunction, as explained above.
To file a public prosecution, the prosecutor issues an indictment summarizing the events and the evidence collected and stating which crimes and suspects will be subject to prosecution. The prosecution takes place before either the criminal court of first instance or the high criminal court, depending on the crime for which the case has been filed.
Consequently, there will be one civil case and one criminal case for a cyberattack. The civil case aims to claim damages from the perpetrator and the criminal case aims to punish them. The civil court tends to decide in favor of the plaintiff if the criminal court convicts the perpetrator. This means that both cases have to be followed carefully and meticulously.
As people become more dependent on the internet and computers, they share more data, while hackers devise new methods of cyberattack that cause vast amounts of damage to both individuals and companies. Perpetrators usually persuade victims to transfer money into their accounts. Once an attack is recognized, blocking the receiving account so that the perpetrator cannot withdraw the money is paramount.
As can be seen, following the right steps at an early stage can save the victim a great deal of time and money. In Turkey, civil and criminal proceedings generally progress in parallel, so it is important to file the right claims to avoid any unnecessary damage. Therefore, it is very important to work with legal experts who will provide a full service and assist you through the entire process.