In today’s digital age, email communication has become an indispensable part of business operations. However, this convenience also brings serious risks; cyber threats, particularly those known as “email fraud,” can cause significant financial and reputational losses for companies. As technology advances, fraud methods are becoming increasingly sophisticated, and companies face serious technical and legal challenges in responding to these attacks. This article aims to provide a detailed overview of the legal responsibilities companies face in the context of email fraud within the framework of the relevant legislation.

Email scams are typically malicious third parties posing as a company employee, executive, supplier, or business partner, misleading companies or customers into actions such as money transfers, sharing sensitive information, or accessing systems. Such incidents can profoundly impact not only the company affected by the scam, but also its customers, business partners, and even its reputation in the public eye. Therefore, the precautions companies should take against such attacks and the legal liabilities they face should an incident occur are crucial.

Types of Email Scams and Their Effects on Companies

Email scams can occur in a variety of ways, each of which can pose different risks and legal consequences for companies.

Phishing and Spear Phishing

Phishing attacks typically target sensitive data such as usernames, passwords, and credit card information through fake emails sent to a large number of people. Spear phishing, on the other hand, involves sending more convincing and personalized emails targeting a specific individual or company. Data compromised through these attacks can lead to unauthorized access to a company’s information systems, data breaches, and consequently, legal liability.

Business Email Compromise (BEC) and CEO Fraud

BEC is a type of fraud in which fraudsters pose as a high-level executive (CEO, CFO, etc.) or trusted business partner by infiltrating a company’s email system or using a similar domain name, often making urgent and confidential requests for money transfers or the sharing of sensitive information. CEO fraud is a subtype of this fraud. In addition to directly causing financial losses to companies, these incidents can also have serious legal consequences, such as the disclosure of trade secrets or the breach of contractual obligations.
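The lookalike-domain and impersonation tactics described above can be screened for mechanically on the receiving side. The following is an added example (not from the article or any product it refers to); the trusted domains and the executive name are constructed placeholders, and the similarity threshold is an assumption to be tuned per organisation.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (assumed, not from the article): the company's own and
# trusted partner domains, and an executive display name fraudsters might imitate.
TRUSTED_DOMAINS = {"example-corp.com", "supplier-example.com"}
EXECUTIVE_NAMES = {"ali demir"}  # hypothetical CEO name

# Character substitutions typically seen in lookalike domains (0->o, rn->m, ...)
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain):
    """Fold common homoglyph tricks so 'examp1e' and 'exarnple' compare equal to 'example'."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d

def parse_from(from_header):
    """Split 'Name <user@domain>' into (display name, domain), both lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', from_header)
    if m:
        name, addr = m.group(1), m.group(2)
    else:
        name, addr = "", from_header
    return name.strip().lower(), addr.strip().rsplit("@", 1)[-1].lower()

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, execs=EXECUTIVE_NAMES):
    """Return 'trusted', 'lookalike', 'executive-impersonation' or 'external'."""
    name, dom = parse_from(from_header)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        registered = t.split(".", 1)[0]  # 'example-corp' from 'example-corp.com'
        if (normalize(dom) == normalize(t)                       # homoglyph substitution
                or SequenceMatcher(None, dom, t).ratio() >= 0.85  # small edits, .co vs .com
                or registered in dom):                           # trusted name reused elsewhere
            return "lookalike"
    if name in execs:  # the CEO's display name on a domain the company does not own
        return "executive-impersonation"
    return "external"
```

A mail gateway or SOC rule would route anything classified as "lookalike" or "executive-impersonation" to a quarantine or to the manual "double-check" step for financial requests rather than to the recipient's inbox.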

Invoice Fraud

In this type of scam, fraudsters pose as a company supplier and send emails containing fake invoices or altered bank account details. When the company’s accounting department mistakes these fake invoices for genuine ones and pays them, it incurs significant financial losses. Paying the fraudster does not discharge the company’s obligation to pay the real supplier, and it may even result in liability for damages.

Fundamentals of Corporate Legal Liability

The legal liability of companies in email fraud cases is evaluated under Turkish law within the framework of various statutes and principles, depending on the nature of the incident and on whom the damage was inflicted and how.

Turkish Commercial Code (TCC) and Duty of Care

According to the Turkish Commercial Code, merchants are obligated to act as prudent businesspeople. This “prudent businessperson” principle requires companies to exercise due diligence in their business processes, particularly regarding cybersecurity. Ensuring the security of email systems, training employees on these matters, and taking precautions against potential risks are all part of a prudent businessperson’s duty of care. Violation of this obligation could result in the company being held liable for any resulting damages.

Liability within the framework of the Turkish Code of Obligations (TBK)

The liability of companies in email fraud cases may arise as liability in tort (TBK Art. 49 et seq.) or as liability for breach of contract under the Turkish Code of Obligations.

Tort Liability

If a company fails to take the necessary security measures or inadequately train its employees and causes a third party (e.g., a customer) to be exposed to email fraud and suffer damages, it may be liable for damages under tort law. In this case, the company’s fault (negligence) and the causal link between this fault and the damages are crucial.

Employer Responsibility

According to Article 66 of the Turkish Code of Obligations, employers are liable for damage caused to others by their employees while performing their assigned work. If a company employee causes damage by failing to exercise due care against email fraud or violating internal company security procedures, the company may be held liable for this damage as an employer. However, the company may be exempt from this liability if it can prove that it exercised due care to prevent the damage.

Responsibility Under the Personal Data Protection Law (KVKK)

Email scams often pose a threat to the security of personal data. If the personal data of customers, employees, or business partners is compromised as a result of the fraud, the company, acting as a “data controller,” may face serious administrative and legal penalties under the Personal Data Protection Law (KVKK). According to Article 12 of the KVKK, the data controller is obligated to take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing and access of personal data and to ensure its safekeeping. Violation of this obligation may result in administrative fines and compensation claims from the relevant parties.

Criminal Law Liability

While companies are not directly liable under criminal law, in email fraud cases, managers or relevant employees may be held liable under the Turkish Penal Code for crimes such as “abuse of office,” “abuse of office through negligence,” or “breach of data security.” In such cases, companies may find themselves in a difficult position in legal proceedings due to their negligence in facilitating the commission of the crime.

Preventive Measures Companies Should Take

It is essential for companies to take proactive measures to avoid legal liability and protect their business reputation.

Technical Security Measures

* Up-to-date Security Software: Use of strong anti-virus, anti-spam and firewall software.
* Two-Factor Authentication (2FA): Requiring 2FA or multi-factor authentication on email and other critical systems.
* Email Filtering and Encryption: Advanced email filtering systems and encrypted sending of sensitive data.
* Backup and Recovery Plans: Regularly backing up data and having rapid recovery plans ready in case of a cyber attack.

Administrative and Organizational Measures

* Employee Training: Providing regular and comprehensive cybersecurity and email fraud awareness training to all employees.
* Protocols and Policies: Establish clear, written procedures for internal money transfers, information sharing, and reporting suspicious emails. Mandate a “double-check” mechanism, particularly for financial transactions.
* Penetration Tests and Security Audits: Regular penetration testing of information systems and identification and elimination of security vulnerabilities.
* Incident Response Plan: Preparation of an incident response plan that includes the steps to be taken, responsible persons, and communication strategies when a cybersecurity incident (including email fraud) occurs.

Steps to Take in Case of Email Fraud

When exposed to an email fraud incident, it is critical for a company to take quick and accurate steps to minimize damage and effectively manage legal processes.

First Response

* Cease Communication: Avoid any further interaction via the suspicious e-mail or link, and remove suspicious e-mails from user mailboxes, retaining a copy with full headers as evidence for the forensic investigation.
* Stop Financial Transactions: If a money transfer has been made, immediately contact the relevant banks and instruct them to stop or reverse the transaction.
* Isolate Systems: If unauthorized access to the company network or systems is suspected, isolate the affected systems from the network.

Legal and Technical Processes

* Legal Consultation: Seek immediate legal support from a cybersecurity and IT law expert. The lawyer will assess the legal nature of the incident, guide the necessary steps, and determine potential liabilities.
* Computer Forensic Investigation: Engage computer forensic experts to determine how the incident occurred, the extent of the damage, and the available evidence.
* Notification to Official Authorities: File a criminal complaint with the Chief Public Prosecutor’s Office and report the incident to the cybercrime prevention units.
* KVKK Notification: If there is a personal data breach, notify the Personal Data Protection Authority (KVKK) within the legal period.
* Informing Relevant Parties: Inform customers, business partners, or other relevant parties in an appropriate manner and in accordance with the law, depending on the nature of the incident.

Email fraud is a serious threat that poses significant risks not only to companies’ financial standing but also to their reputation and legal rights. Combating this threat requires not only technical security measures but also comprehensive legal awareness and a proactive strategy. It is crucial for companies to act prudently, exercise due diligence, train their employees, establish robust internal procedures, and take the right legal action in the event of an incident, both to protect their own interests and to fulfill their legal responsibilities. In this complex process, seeking expert legal advice is the best way to protect a company’s rights and minimize potential losses.