The crime of fraud committed by changing the International Bank Account Number (IBAN) or SWIFT information by the person who intervenes by using IT systems as a tool has become one of the most common fraud acts used by internet hackers. As a necessity of living in the digital age, we live in an environment where payment systems and banking information of all companies are managed via e-mail on the internet. Thus, if the necessary security measures are not taken, being exposed to IBAN or SWIFT fraud is a potential danger that every company, regardless of its field of operation, may face.
Offenders commit the criminal act of fraud in multiple ways by using IT systems as a tool. Examples of these include sending phishing messages containing fake links/files, spam e-mails, trojan software downloaded to the computer with links, keyloggers and screen recorders, fraud by connecting to the Wi-Fi network and the "Man In The Middle Attack", which is the subject of this article and the most common attack on companies.
How is the Crime Committed?
In Turkey, there are many companies with foreign partners and/or foreign offices or active commercial relations with foreign countries. The offenders especially monitor these companies and learn the usual workflow of the company before committing the fraud. This monitoring activity is usually carried out by accessing the company computer or phone of one of the authorities through one of the methods mentioned above, and the offenders have access to the internal functioning of the company starting from a long period of time in advance, even down to the e-mail patterns of the employees. Therefore, they also be aware of the payments to be made and the inflows and outflows of money.
When the offenders are ready, they create a new fake e-mail address, usually by changing one letter so that it is indistinguishable from the company's e-mail address, and pretend to be an authorized person of the creditor company. This method is so well developed that the previous original e-mails appear under the e-mails sent by the offenders and even the employees cc'd appear to be the same.
In this type of attack, referred to as a man-in-the-middle attack, the attacker, who is the man-in-the-middle, stalls both parties by deleting and changing e-mails by communicating with both parties. The attacker, who is aware of a payment, sends an e-mail to the person who will make the payment with the mentioned methods, stating that the IBAN / SWIFT account information of the recipient company has changed and that they want the money to be sent to the account they have forwarded. Since the person who will make the payment thinks that he/she is corresponding with the real creditor company, he/she makes the payment to the specified account and sends money to the offenders. Since the offenders usually share a bank account information abroad, by the time they realize the situation and block the account, the money is already gone and the company that made the payment has been frauded.
Analysis Within the Scope of Turkish Criminal Code
Under Article 157 of the Turkish Criminal Code ("TCC"), the crime of fraud is defined as deceiving a person by fraudulent acts and obtaining a benefit for oneself or another person to the detriment of the person or another person. Offenders who commit this act are sentenced to imprisonment from one year to five years and a judicial fine of up to five thousand days. The crime of fraud has three main elements. The first is that the offender acts fraudulently by means of qualified lying and that these fraudulent acts shall be carried out intentionally with the aim of harming the victim. The second is that the fraudulent behavior shall deceive the victim in the specific case and the situation of the victim. Thirdly, while the victim suffers harm due to the criminal act, the criminal must gain benefit in favor of oneself or someone else. In this context, there must be a causal connection between the damage and the act, and the offender must be at fault.
Monitoring by entering the e-mail addresses of companies or individuals as mentioned in this article and thus committing the crime is considered as a qualified form of the crime of fraud within the scope of Article 158 of the Turkish Criminal Code, which is the crime of fraud by using IT systems as a tool. Unlawfully entering all or part of an information system or continuing to stay there, preventing or disrupting its functioning are included in the crimes in the field of informatics within the scope of Articles 243 and 244 of the TCC. Offenders who commit the crime of qualified fraud are sentenced to imprisonment from three to ten years and a judicial fine of up to five thousand days (the lower limit cannot be less than four years and the amount of the judicial fine cannot be less than twice the amount of the benefit obtained from the crime), while imprisonment of up to one year or a judicial fine is imposed for the crime of entering information systems and imprisonment from one to five years for the crime of blocking, disrupting, destroying or changing the system.
Such cases can be evaluated by the prosecutor's office as the crime of entering information systems within the scope of Article 243 of the Turkish Penal Code, while it can also be evaluated as the crime of qualified fraud by using information systems as a tool, which is a more serious offense type within the scope of Article 158 of the TCC. Since the offenders in such crimes are usually abroad or commit criminal acts from abroad, unfortunately, there are problems in issues such as determining the IP address and determining the bank account within the scope of the investigation.
As an example, with a decision from Turkish courts; Istanbul BAM 22.C.D. 14/04/2022 K.T. 2022/1184 E. 2022/1119 K., the participating company operating in Azerbaijan does business with the X company operating in Turkey via e-mail, a fake identity and appointment document containing the name information of the defendant was sent to the participating company with the name and signature copied using the proforma invoice issued by Company X via the e-mail address created by changing a few letters of the original e-mail address of Company X, in the e-mail sent, the IBAN number belonging to the bank account of the defendant was sent and it was reported that the money should be sent to this account, believing this, the bank account of the defendant notified to them by the participating company officials was sent 31. 820 pounds was sent to the bank account belonging to the defendant, which was notified to them by the officials of the participating company, upon the failure to send the goods subject to the sale, in the investigation made by the participating company after they realized that they were defrauded and filed a complaint, it was found that the IBAN number to which the money was sent by the participating company belonged to the defendant and in the camera footage examined, it was understood that the money was sent by the defendant from within the branch, and in this way, it was found that the defendant committed the crime of fraud by using information systems bank or credit institutions as a tool.
What Precautions Can Be Taken?
First of all, it should be ensured that the systems used in companies are secured against cyber-attacks. All company employees, especially those working in the finance and sales departments, should be regularly informed about such potential risks, especially emphasizing that e-mail addresses should be checked in incoming e-mails regarding payments.
As a company policy, it would be useful to confirm the account information to which the money shall be transferred by means other than e-mail, for example by phone, and to check the accuracy of the account information, whether it is the account to which the payment is always made, and which country the account is connected to, in order to prevent the crime. Further precautions can be listed and in any case, it is advisable to consult with an IT expert or a specialized lawyer in this field.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.