ANKARA – The text message arrives on a pensioner’s phone with the kind of precision that makes it hard to ignore. It carries a promise of uncollected money – a retroactive pension supplement, a cost-of-living adjustment not yet deposited – and a link to what appears, at a glance, to be Turkey’s official e-Devlet government portal. For a growing number of retirees across Turkey, tapping that link has meant watching their life savings disappear in seconds.
Turkey’s Cybercrime Unit, the Siber Suçlarla Mücadele Daire Başkanlığı (SİBERAY), operating under the General Directorate of Security, issued a formal advisory this month warning pensioners against a sophisticated wave of smishing attacks – phishing conducted via SMS – that impersonates both the e-Devlet Kapısı (turkiye.gov.tr) gateway and the country’s Social Security Institution, known as SGK. The warning, which is not hypothetical, comes after documented cases in which victims lost entire account balances and had personal loans taken out in their names without their knowledge.
The mechanics are not new, but the targeting is. Criminals are exploiting a specific behavioral window: the weeks when pension holders are anticipating a wage adjustment or a one-time bonus payment. Messages claiming that an additional 3,000 Turkish lira supplement is waiting – that users need only verify their credentials through the attached link – arrive during exactly those periods. The timing is deliberate. Anxious pensioners, primed to expect legitimate government communication about pending payments, are far less likely to question whether a link is real.
What those links actually lead to is a mirror. The fraudulent pages are not sloppy imitations – they are pixel-accurate visual reproductions of the e-Devlet login screen, SGK’s service portal, or the internet banking interfaces of several widely used Turkish banks. Once a user enters their Turkish Republic identity number (TC kimlik no), their e-Devlet password, and any banking credentials the page requests, that information transfers instantaneously to the criminal network operating the site. The official-looking page has done its job and the victim is none the wiser.
What happens next unfolds faster than most people realize is possible. Cybersecurity experts cited by Turkish security analysts explain that organized fraud rings operating these campaigns do not manually process stolen credentials – they feed them into automated systems that log into banking portals, sweep available funds, and in some recorded cases, submit instant consumer loan applications through the same internet banking interface. Turkish banking law, while among the world’s strictest on authentication requirements under the BSEBY regulation framework, has not fully closed the window that opens when a user’s own verified credentials are used to initiate a transaction.
The scale of the vulnerability is not incidental. Phishing campaigns globally have grown in sophistication alongside the platforms they mimic, and Turkey presents a particularly attractive target in this regard. The e-Devlet platform had 68 million registered users as of January 2026, according to the Directorate of Cybersecurity and TurkSat, with more than a thousand government agencies offering services through the single unified gateway. That concentration of services – tax records, court filings, social security documents, health insurance data, pension status – means a single set of compromised e-Devlet credentials carries extraordinary value.
The SİBERAY advisory is unambiguous on the one rule that would prevent every attack in this campaign: no Turkish government institution sends an SMS containing a clickable link that requires the recipient to enter a password. Pension payments, retroactive supplements, and bank promotional payments are all processed automatically and deposited into existing registered accounts without requiring any action from the recipient. There is no form to fill, no link to follow, no credential to enter. If a message appears to require any of those things, it is not from the government.

Experts and law enforcement officials have identified a second attack vector layered on top of the smishing campaign: voice calls. After stealing credentials through a fake e-Devlet page, some criminal networks then call victims posing as police officers, prosecutors, bank officials, or unnamed government representatives. The caller, appearing helpful, either extracts one-time SMS verification codes that allow account transfers, or manipulates victims into moving funds themselves under the pretext that their account has been “flagged” and needs to be temporarily secured. That second-stage vishing attack – voice phishing – is designed precisely for the scenario where automated account access hits a verification barrier.
Under Turkish criminal law, the penalties attached to this conduct are severe on paper. According to a 2026 cybercrime guide published by Istanbul Attorneys, aggravated fraud conducted via information systems under Article 158/1-f of the Turkish Penal Code (TCK) carries sentences of three to seven years’ imprisonment. Bank card fraud under Article 245 can draw six years. The financial crimes dimension falls under oversight by MASAK, Turkey’s Financial Crimes Investigation Board. But convictions require identification – and the technical architecture of these campaigns, which route credential harvesting through overseas-registered domains and anonymous infrastructure, makes attribution a lengthy process even when IP logs eventually become available through international cooperation.
The vulnerability, in this sense, is not only a technical one. Cyberattacks in Turkey and globally have repeatedly demonstrated that human behavior remains the most exploitable element in digital security chains. The e-Devlet campaign is effective not because the fake pages are undetectable – a careful look at a URL’s domain structure reveals that none of them end in turkiye.gov.tr – but because the message arrives at a psychologically calibrated moment and the page looks exactly right. Attention collapses. The credential goes in.
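The domain check mentioned above can be automated, for example in a mail or SMS gateway filter. The sketch below is an added example, not code from SİBERAY or from the original article; the function names and the sample links are constructed for illustration, and only the domain turkiye.gov.tr comes from the text.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "turkiye.gov.tr"  # e-Devlet domain named in the article

def host_of(url):
    """Return the lowercase ASCII host the link points to, or None."""
    # Backslashes and whitespace are parsed differently by browsers and by
    # URL libraries, so treat any link containing them as untrustworthy.
    if any(c in url for c in "\\ \t\r\n"):
        return None
    if "://" not in url:
        url = "https://" + url           # SMS links often omit the scheme
    try:
        host = urlsplit(url).hostname    # strips "user@" and ":port"
    except ValueError:
        return None
    if not host:
        return None
    try:
        # Convert internationalised names to punycode so look-alike letters
        # (such as a dotless "ı") can never compare equal to ASCII ones.
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None

def is_official(url):
    """True only if the host is turkiye.gov.tr or one of its subdomains."""
    host = host_of(url)
    if host is None:
        return False
    # Compare on a label boundary: "x.turkiye.gov.tr" passes,
    # "turkiye.gov.tr.example" and "fake-turkiye.gov.tr" do not.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://www.turkiye.gov.tr/giris",
    "https://turkiye.gov.tr.odeme-sorgu.example/giris",  # real name as prefix
    "https://www.turkiye.gov.tr@odeme.example/",         # real name as userinfo
    "https://turkiye-gov-tr.example/",                   # hyphenated look-alike
    "https://turk\u0131ye.gov.tr/",                      # dotless-i homoglyph
]

if __name__ == "__main__":
    for link in SAMPLES:
        print("official" if is_official(link) else "NOT official", link)
```
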
For those who have already clicked a suspicious link and entered any information, cybersecurity professionals recommend an immediate sequence: change e-Devlet and banking passwords from a separate, trusted device; contact the bank’s fraud line directly using the number on the back of a card or from the official website, not a number provided in any message; file a report with Turkey’s cybercrime reporting portal, the Siber Olay Bildirme Sistemi; and if a loan application may have been submitted, contact the relevant bank and the Banking Regulation and Supervision Agency (BDDK) immediately.
What the SİBERAY advisory does not answer – and what Turkish digital rights organizations have been pressing about since a major e-Devlet data breach surfaced in 2023, when the personal records of tens of millions of citizens appeared on criminal Telegram channels – is whether the phone numbers being targeted in these campaigns are derived from that leak. The operational value of a pensioner’s name, phone number, and approximate pension amount, taken together, is precisely what would make a message about a 3,000 lira supplement feel personal and plausible rather than generic spam. That question has not been formally addressed by Turkish authorities. It remains open.

