Don't gamble your data
Scammers prey on the unwary and commit eye-watering levels of fraud against both individuals and gaming companies. And the gaming companies themselves suck in enormous quantities of personal data that sits on their servers, making it vulnerable in a data breach.
The gambling industry is huge. You can see how big it is just from how many ads appear on TV and radio, full of smiley, happy people on a big winning streak. The ads are often placed around major sporting events, football, rugby, cricket, F1 and so on. The gambling companies suck in enormous amounts of personal data from anyone that uses them. It’s good to understand just how much they know about you.
And gambling is an area where scammers prey on victims only too willing to listen out for an ‘exclusive’ tip or something that makes them believe they can come out on top.
Fooled or foolproof?
Have you ever been offered a ‘foolproof’ bet, maybe for a subscription fee? Perhaps you’ve been told you’re going to get ‘inside information’ sent to you in return for a fee. Or, in another scam, you’re invited to use your own money to place bets on behalf of an ‘expert’ who claims they can beat the bookies. All you have to do is send him his winnings whilst also placing your own bets. The stake you place on behalf of the expert acts as your fee.
If you're thinking straight, you may well ask “why would someone with inside information want to pass it on to others when they could make bigger profits by keeping it to themselves?” Well, the scammer will say something like they are too well known in betting shops for always beating the bookies and for having illegal inside information, so the only way they can exploit their info is to use you to do it for them. Except that it’s a con and they’re fleecing you.
Gambling scams don’t just happen through betting shops. Of course, they’re all over the internet too. Scammers are attracted to gambling sites not just to find individuals they can steal from, but also so that they can defraud gambling companies too. There is an ever-growing range of online gambling games and opportunities. Scams take many forms and some even go as far as being vehicles for money laundering from other crimes.
Most commonly, online gaming scams are used to steal personal data. It can happen in a number of ways.
Scammers may use ‘phishing’ techniques by sending you a link that you’re persuaded to click on to download a gaming file. But in the process, malicious software is installed onto your device which records your keystrokes. By doing that, the scammer can learn login information, including access to your online banking service.
Scammers sometimes buy login information on the dark web. That can lead to ‘account takeover’, which is where fraudsters get access to your genuine online gaming account to send other innocent players ‘free’ stuff when they give up their username and password. Alternatively, players could be offered free trials or other ‘freebies’ if they click on a link. But the link will turn out to be malicious.
What should you do?
- Never click on links in unsolicited emails, even if they refer to an online game you recognise
- Don’t believe the content of unsolicited emails. If you’re suspicious at all, use your own contact details to get in touch with the company directly
- Watch out for spam messages in your inbox
- Only download online games or extension packs from official websites that you have navigated to yourself, not from a link you clicked
- Check the name of the developer on legitimate websites or platforms to make sure that the software is genuine
- Create strong, complicated passwords, change them regularly, and consider using a password manager
- Never share any personal information with anyone you play against online that you don’t already know
- And remember that if a gambling offer sounds too good to be true, it probably is.
Gambling businesses have to put in place sophisticated tools to try to prevent and detect fraud. Here are some of the things criminals do when they attack gambling companies, which also upset the playing field for ordinary participants.
- Multi-accounting fraud. Scammers create dozens or even hundreds of accounts using fake credentials bought on the dark web in order to tilt the balance of a bet
- Bonus abuse. Many gambling firms offer sign up bonuses, free bets or other offers. Multiple fake accounts set out to drain the resources of the gambling company
- Gnoming. Often in poker, this is where multiple accounts are used to help one player win
- Chip dumping. Similar to gnoming, only this is about joining a poker table simply to influence the results, either in favour of one player, or against them
- Carding. Straightforward bank card fraud, where stolen details are used to place bets and pocket winnings
- Chargebacks. When cards get reported stolen or fraudulent activity is noticed, a chargeback can be initiated, leaving the gambling firm with the loss
- Top-up abuse. Scammers trick people into making phone payments that go into gambling accounts operated by the criminal.
To fight back against this, gambling companies put in place various systems, many centred around ‘KYC’, or ‘Know Your Client’ checks. To do that, gambling companies gather personal data for ID verification, which we’ll look at shortly because there’s an awful lot of personal data sitting in their servers.
Online casinos are big business. Some are legitimate, but it’s also an area where scammers set up fake casinos and set about stealing money.
One of the most common scams in these rogue casinos is deposit theft. In order to open an account, the user is asked to make a deposit, perhaps £20. But then the account closes, or disappears, or there appears to be no way to get the money out again. Some of the worst ones actually let you do a few transactions, in and out, so that trust is built. Then they put up a ‘reload’ button for a much bigger deposit, hundreds of pounds or even more. Once you’ve paid it, a wall comes up. You can’t contact anyone, they effectively disappear along with your money.
The next most common scam by rogue casinos is in rigged games. They might let you win for a little while, but after a short time they get you chasing money down a rabbit hole and empty your pockets as you go.
There have been other examples where a gambler has been persuaded to download an app onto their phone or other device, only to find that it contained malicious software. Ransomware might lock their phone, or computer, with a message telling them to send Bitcoin or all their files will be destroyed, or their personal data shared on the dark web.
In some examples, you play the game and win. Fantastic, you think. The release of endorphins that leads to gambling addiction kicks in. But then the rogue site simply refuses to pay out - they go dark or just won’t respond to calls or emails.
Shockingly, refusing to pay out happens even with some legitimate online casinos too. They may rely on a clause buried on page 37 of the terms and conditions that you never read, giving them the right not to pay. It’s always worth checking what legal jurisdiction the gambling firm is based in before you start handing over any money.
The gambling companies gather massive amounts of data. Some of it, they would argue, is in order to make sure that they know who they are dealing with. They would say that they need to gather this data to help prevent money-laundering and other fraud. And they would say that they need it to help protect individuals from the malicious intent of scammers and minimise the risk of identity theft.
All that may be true. But the sheer volume of data the gambling companies gather raises eyebrows. Because the gambling firms gather so much data, they have a responsibility to look after it. But on occasion, they’ve been found wanting.
In 2022, Ladbrokes was fined £17 million after failing to enforce player safety and anti-money-laundering measures. At the time, it was warned it could lose its UK gambling licence if it happened again.
In 2021 it was reported that up to 120,000 people, who had explicitly asked Sky Bet and its sister company Sky Vegas not to send them betting correspondence, were sent multiple promotional emails during Safer Gambling week in a “catastrophic mistake.”
Ladbrokes faced criticism from the gambling regulator over an incident in which confidential information about betting addicts, including photos, names and addresses, was found in a bin bag on the street.
In 2010 a story emerged saying that the confidential records of 4.5 million Ladbrokes’ customers were offered for sale to The Mail on Sunday.
All the big gambling companies collect a large quantity of personal data on all their customers. That makes them obvious targets for hackers. If hackers access the servers of a gambling company, they could potentially gather your personal data, putting you at higher risk of being scammed and of other criminal activity.
The big companies all gather a lot of data. Below, we have set out the type of data that Ladbrokes says it stores on its customers:
- Names and passwords of account holders
- Email addresses
- Billing address
- Date of birth
- ‘Account notes’
- Records of bets, wins and losses
- Online images of play and screenshots
- Information on customer’s wellbeing
- Interests and habits
- Web pages visited outside Ladbrokes
- List of active software applications and active processes while using our website, including access to files and site-related program folders
- Images and CCTV images from retail
- Dates and times of shop visits
- Risk scores, profile classifications
- A physical description or profile of you where your personal details are unknown to the company
- Facial recognition
- Records of correspondence, whether via the Website, email, telephone or other means
- Responses to surveys or customer research the company carries out
- Details of the transactions whether via the website, telephone or other means
- Details of your visits to the Website including traffic data
- Preference choices, and other account settings
- Phone numbers
- Recordings of phone calls
- Chat room records
- Metadata on how people use the Ladbrokes mobile app and website
- Device model, OS and MAC address, browser type
- Location data
- Your Facebook or other third party ‘sign-in’ app data
That is a lot of data. The depth of profile of an individual user held by a gambling company perhaps goes further than many people might realise.
Does it matter?
Does it matter that they have so much data on you? Well, it might. If the gambling firm that has the wealth of data on you gets hacked and the database is breached and your data gets stolen, that is gold to the scammers of this world. People who hack company databases are constantly trying to break through the defences of firms, day and night. Hackers get the data and sell it in great swathes over the dark web, where scammers can pick up a full profile for relatively little money. A full and detailed profile of you like that could lead to a serious case of identity theft, financial loss and emotional collapse.
Can I get my data deleted from gambling sites?
Yes you can. Remember, you have the legal right to delete all of your personal information that any company holds about you. This is due to your 'right to be forgotten' under GDPR law.
If the gambling apps and websites don’t have your data, they can’t share it and they can’t lose it. Of course, it’s not just gambling firms that have your data, so you might like to think about where else you’d like it to get deleted.
The easiest way to get your data completely erased from companies that no longer need it is to use our Rightly Protect service that can identify who has your data and send a deletion request to multiple companies in one go and for free. The companies must respond within 30 days and execute your legal right to have your data completely erased.