Edited by: Ron Halfback
Every day, nefarious actors work to steal private information from innocent people. These tactics, collectively known as phishing, result in untold millions of dollars in losses to both individuals and the legitimate brands these actors claim to represent. The online gambling industry often finds itself at the center of these complex scams.
Reading about these crimes is one thing. Experiencing them is another. Active sportsbook customers will likely encounter phishing as it becomes more common in the industry. The problem is unlikely to get better any time soon.
The TransUnion Credit Bureau recently conducted a study on fraud’s worldwide prevalence. The research showed that the global fraud attempt rate increased by 16.5% in Q2 of 2021 vs Q2 2020. This result represented increased fraud attempts across all industries. One of the most impacted was US gaming. When comparing Q2 2021 vs Q2 2020, the US gaming digital fraud rate increased an astounding 261.9%.
Criminals across the world are constantly looking for opportunities to steal innocent people’s money. While online gambling can be a convenient form of recreation, it’s important to be vigilant for phishing scams.
Learning how to protect yourself will help you bet online more confidently and securely.
- Types of Online Phishing
- Online Gambling Phishing Incidents
- How to Protect Yourself
Types of Online Phishing
There are many different ways to perpetrate online phishing. Techniques are constantly evolving. Currently, the most common types of phishing include email phishing, spear phishing, whaling, social engineering, and angler phishing.
In email phishing, scammers send mass emails in an attempt to make recipients divulge personal information. These emails can appear legitimate and convincing at first glance. Some contain website links that prompt victims to enter personal information. Others contain malware downloads capable of stealing data from a victim’s computer.
A second phishing tactic is called spear phishing. This tactic is more personal than email phishing. It involves someone posing as a trustworthy individual in an attempt to gain system or website user information. Spear phishing is one of the more common methods of phishing. It accounted for 91% of all phishing attacks between February and September of 2012.
First, hackers gather an individual’s personal information. Social media accounts make it relatively easy to find this information. They may obtain information about the victim’s hometown, their friends and family, favorite vacation spots, or employers.
Next, the hackers may pose as a coworker, friend, or acquaintance in an attempt to gain personal or financial information.
Hackers may also utilize trusted brands and organizations to convince a potential victim. For example, they will commonly use a company’s logo in their email messages. Often, hackers will alter the letters of an organization’s name to mimic its logo and make the message appear legitimate.
This also happens with website domain names or email addresses. For example, a fraudulent email might feature a company’s name spelled using an “rn” that is meant to look like an “m”. Only a keen eye would notice the discrepancy.
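The “rn” for “m” substitution described above can be checked for mechanically. The following Python sketch is an added example, not part of the original article; the trusted domains, the list of look-alike sequences, and the sample senders are all constructed for illustration.

```python
import difflib

# Character sequences that read alike at a glance, e.g. "rn" for "m".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Hypothetical allow-list of domains the user really does business with.
TRUSTED = ("primebet.example", "luckywin.example")


def skeleton(domain):
    """Collapse look-alike sequences so visually similar names compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def classify_sender(address, trusted=TRUSTED, threshold=0.9):
    """Return (verdict, trusted domain it resembles or None) for a From address."""
    domain = address.rsplit("@", 1)[-1].strip(" <>.").lower()
    for good in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if domain == good or domain.endswith("." + good):
            return "trusted", good
    for good in trusted:
        # Skeletons are compared on both sides, so a trusted name that
        # legitimately contains "rn" is not misjudged.
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
    for good in trusted:
        # Near misses such as a doubled or dropped letter.
        if difflib.SequenceMatcher(None, domain, good).ratio() >= threshold:
            return "similar", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders, not taken from any real campaign.
    for sender in ("support@primebet.example",
                   "support@prirnebet.example",
                   "promo@1uckywin.example",
                   "help@primebett.example",
                   "news@othersite.example"):
        print(sender, "->", classify_sender(sender))
```

A “lookalike” or “similar” verdict means the sender’s domain imitates one you trust and the message deserves the scrutiny described in the protection section; “unknown” only means the domain resembles nothing on the list.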
Whaling is a third online phishing tactic. It involves scammers posing as high-profile individuals, such as company presidents, managers, or CEOs. This type of phishing is distinct from email and spear phishing. The targeted individuals are part of the same organization as the supposed sender of the communication.
Since the sender appears to be someone trustworthy within the victim’s workplace, he or she may feel comfortable supplying the requested information. This form of phishing is extremely effective as the source of the attack appears to be a legitimate figure.
A fourth online phishing tactic involves “social engineering”, a tactic that uses human interaction to compromise personal information. These fraud attempts feature criminals masquerading as polite and personable. The victim of social engineering communications may be convinced by the criminal’s sincerity.
In addition to having a non-threatening demeanor, the criminal may offer credentials to build trust. Smishing and vishing, two common modes of social engineering, are differentiated by the devices they employ.
Smishing is conducted over cellular SMS text messages. Criminals will trick a victim into opening a link, sending personal information, or even purchasing a voucher. The messages may appear to be from the government or another official, apparently trustworthy source.
Vishing happens over the phone. Criminals will call with an official-sounding automated message. Common ruses include outstanding tax bills, unpaid debts, or even family emergencies. The unsuspecting victim will be directed to call another number to speak with someone in person. When the vishing victim calls, they are asked for personal information – bank account, credit card, or social security number – in order to verify identity or access the victim’s “account.”
A final online phishing method is called angler phishing. This method targets social media users seeking help with a complaint about a company’s product or a recent purchase. Many disgruntled customers will use social media to vent or call out a company.
First, criminals will locate these complaints and begin interacting with customers. They’ll pose as a financial institution or a big name company.
Next, the criminals will provide a help link that takes the victim off the social media site. Unfortunately, the link will not give the consumer any solutions. Instead, the victim may be enticed to provide personal information. Or, they might be tricked into downloading malware.
Successful execution of these phishing methods causes enormous losses of both money and personal information. In 2020, the FBI averaged over 2,000 complaints per day surrounding phishing reports. In fact, the FBI’s 2020 Internet Crime Report revealed that businesses and consumers lost over $4.2 billion. The implications of these crimes are serious and widespread.
Phishing has become one of the most dangerous online crimes. It bypasses common cybersecurity defenses by manipulating unsuspecting victims. Many people are easy targets, as they lack the awareness or training to detect common phishing tactics.
Learning about past incidents may prevent you from becoming a future victim.
|Incident|Location|Years|
|Fraudulent Websites|Florida, USA|1999-2004|
|Emails Accessed|Nevada, USA|2019|
|Cyber Espionage|Southeast Asia|2019-2020|
Australia Email Phishing 2020
In 2020, the Australian Communications and Media Authority (ACMA) issued a scam alert to help Australian citizens avoid online gambling scams.
Australia had been dealing with an outbreak of email phishing. Thousands of people received emails with links to promotional casino offers. When unsuspecting individuals clicked the links, they were prompted to provide personal details or to download malware.
Shockingly, the ACMA received over 6,000 cases in the first quarter of 2020 alone. The ACMA has since fought back, issuing proactive scam alerts. It also maintains a list of approved gambling websites.
Previously, in November 2019, the ACMA had released a three-point action plan to counteract vishing attempts. Australians had been losing both money and personal information to fraudulent callers.
Randy Craig Levine 1999-2004
From 1999-2004, Florida resident Randy Craig Levine ran three online phishing sites that stole money from people trying to bet on sports. Using fake names and accents to hide his identity, Levine baited people into sending him money by offering them offshore gambling accounts. In total, he scammed more than 25 victims. Their money was never recovered.
Levine promptly fled the United States following a March 2005 indictment for passport fraud. After a 2008 arrest in Poland, he escaped Polish authorities while on release pending extradition. In 2018, he was arrested again in Guatemala using a Russian passport with an assumed name. In June 2020, Levine was finally arrested in Austria.
Levine and his lawyer, Philip Reichenthal, were both subjects of a separate September 2020 criminal complaint filed in Manhattan Federal Court alleging involvement in a $5 million cryptocurrency fraud.
On May 17, 2021, Levine pleaded guilty to wire fraud and perjury charges stemming from his phony sports betting websites. He was sentenced to 48 months in jail and ordered to pay over $600,000 in restitution.
Golden Entertainment 2019
In a 2019 email phishing attack, a hacker gained access to employee emails of Golden Entertainment, a Las Vegas, Nevada slot machine operator. Between May 30, 2019 and October 6, 2019, the suspect accessed various email accounts and individual emails.
One email contained an attachment with personal data belonging to company employees, vendors, and customers. Social security numbers, passport numbers, government IDs, and other personal information were potentially exposed.
In a January 31, 2021 press release, Golden Entertainment found “no evidence” that anyone’s personal information had been misused since the attack. Potential victims were offered complimentary credit monitoring. The hacker was never identified. No one was ever criminally charged.
The Golden Entertainment incident serves as a reminder that companies should offer sound and comprehensive training to their employees about how to respond to emails, social media posts, and other messages.
Unethical Casino Affiliate 2021
Phishing emails don’t always result in loss of money or personal information. Some trick victims into clicking affiliate links so that unscrupulous marketers can profit. In June 2021, Bleepingcomputer.com, a US website that offers its readers technology tips, received word that email spammers were targeting online casino customers.
Affiliate Marketing 101
Many online gambling websites use affiliate programs to acquire new customers. Each affiliate marketer is given a tracking URL. When a customer clicks the URL, their browser stores a cookie containing the affiliate’s unique code. If a customer opens an account, the gaming site uses the code to credit the affiliate marketer for the referral. Customers are then permanently associated with, or “tagged to”, the affiliate’s account.
Affiliate marketers are compensated by cost per acquisition (CPA) or revenue sharing payment plans. A CPA is a flat fee paid for each new purchasing account. A revenue share is an ongoing commission paid on profits earned from the affiliate marketer’s customers. In either case, marketers who send multiple purchasing customers stand to make more money.
False Promises and Big Profits
One online casino affiliate combined email spamming with email phishing. They attempted to acquire new customers for Raging Bull Casino, Sports and Casino, Ducky Luck, and Royal Ace Casino. These casinos operate outside the United States. US law enforcement and state gaming regulators consider them illegal online gambling websites.
The affiliate marketer sent emails asking customers to confirm their account details or claim a $3500 prize. When customers clicked these links, they were redirected to the affiliate’s tracking URL, dropping a cookie with the affiliate’s code into the customer’s browser. Customers who later played at the online casinos made the spammer money.
Chinese Hackers Target Gambling Companies 2019-2020
Starting in the summer of 2019 and continuing into 2020, Chinese hackers targeted online gambling companies based in Southeast Asia. To date, authorities haven’t released the names of the affected companies and gambling websites.
The hackers used spear phishing to carry out these attacks. Company employees received emails with document attachments that, when opened, released backdoor trojans. The hackers utilized the popular file sharing app Dropbox as a command and control service and as storage for stolen data.
Talent-jump and Trend Micro, two cyber security firms, published reports confirming that the hackers accessed company databases and source code. Hackers didn’t steal any money and made no ransom demands. Instead, espionage was the motive.
Unfortunately, there have been no arrests or legal inquiries related to these incidents.
How to Protect Yourself and Others from Online Phishing
Hearing about online phishing may be concerning. Fortunately, there are many ways to safeguard yourself against phishing attempts.
One way is to continually educate yourself about phishing. Technology is constantly evolving. So are the ways in which people try to exploit others. Staying educated and current can help you remain one step ahead of criminals.
Another way to remain safe is to be skeptical. Does a link, email attachment, website, SMS text, or phone call seem suspicious? Is it credible? A moment of hesitation can save you headaches down the road. Ask yourself questions like, “Where might this link lead me?”, “Does this offer seem too good to be true?”, and “Do I know and trust this website?”
Check for Your Name
Expect to see your name in emails coming from businesses you patronize. Many phishing emails begin with a generic opening like “Dear Customer”. That should be an immediate red flag, especially if the company already knows your name. Do not click any links or download attachments from such emails.
Even if a sender uses your name, consider investigating the source first. Double checking the website name with a simple Google search can provide reassurance that you are dealing with the right business. If you accidentally clicked on a suspicious link, immediately scan your device for malware and change your passwords.
Update Your Computer
Keeping your computer up to date is another way to prevent phishing attacks. Companies like Microsoft and Apple are constantly evaluating their products for flaws and security risks. Malware takes advantage of these vulnerabilities. Regularly updating your computer’s software makes successful malware attacks less likely.
The same also goes for browsers such as Safari, Chrome, or Firefox. Stay on top of update requests. Review the login history of your email, social media, and other online services. You’ll quickly notice any suspicious or unusual activity.
Use Strong Passwords
Using strong passwords is a simple, yet effective, method to reduce phishing risk. Don’t reuse the same password at multiple sites. Instead, create different passwords for each site. A hacker gaining access to one of your accounts will not be able to use that same password to get access to all of your accounts. Change those passwords regularly.
Enable Two Factor Authentication
In recent years two-factor authentication (2FA) has become widespread. It can be a great way to protect yourself against phishing.
2FA is another layer of protection used alongside a standard password and username. Once activated, a website will prompt you to complete 2FA after you’ve entered your username and password.
2FA can come in many forms. Most common are secret questions, a PIN, voice verification, or one-time access codes sent via text message. Mobile apps like Google Authenticator provide verification codes that refresh every 30 seconds.
Report Phishing Attempts
Reporting a phishing attempt can also help prevent attacks against yourself and others. File a report with the US government’s Internet Crime Complaint Center (IC3). Authorities rely on complaints to begin criminal investigations and shut scams down.
Check Website SSL
Finally, check if your browser confirms a website’s Secure Sockets Layer (SSL) Certificate. Browsers typically display this notice in their address bars.
Websites use an SSL Certificate to authenticate their identity and enable encryption. That ensures the entity is who it says it is. SSL technology creates a secure connection between your browser and the website’s server. Your browser will encrypt any personal information you enter before transfer to the website’s server. This process minimizes the risk of loss or capture by an illegitimate third party.
Phishing has affected millions across the globe. It isn’t going to disappear anytime soon. The online gambling industry, like many others, is not immune to phishing attempts. Criminals will target anyone, whether you are a private individual or part of a large company. Take time to learn about phishing and how to keep both your identity and your money safe.