Gaming fraud: How fraudsters stack the deck against iGaming operators (and what can be done about it)

In 2022, the global online gambling market was estimated to be worth over $63 billion, and it’s only expected to grow in the coming years.

But where there’s honey, there will always be bees.

While that growth is music to the ears of online gaming operators, it’s also caught the eyes of opportunistic bad actors who want a piece of the profits for themselves.

The decentralized nature of online gaming allows for some unique fraud vectors that traditional brick-and-mortar casinos don’t have to deal with—fortunately, online gaming’s novel fraud concerns also come with novel solutions.

Types of fraud in the iGaming industry

While many fraud and abuse concerns are shared across various sectors of the iGaming world, each sector typically grapples with distinct primary issues.

1. Online poker

As an example, bad actors can use techniques like location spoofing to fool online poker apps into thinking they’re in different locations when they’re actually together. This enables the players to collude together in order to manipulate games in their favor against trustworthy players, who don’t know that some of their competitors are cooperating in person. Player collusion hurts the app and its user base by creating a frustrating and negative experience for  fair players who don’t realize they’re playing against a stacked deck. 

2. Slot machine and lottery apps 

Unfortunately, chance-based iGames are just as vulnerable to fraud and abuse as their skill-based counterparts. While fraudsters targeting online poker might focus on swindling their fellow players, the victims of a chance-based app fraudster may not even use the app themselves. One of the primary concerns for slot machine and lotto apps is card-not-present (CNP) fraud. CNP fraud happens when a bad actor uses someone else’s credit card information to make purchases on the app.

iGaming apps are also at risk of promo code abuse and other online gaming scams that use fake accounts (also known as multi-accounting). By creating multiple accounts, using multiple devices, and using app cloners to run an app multiple times on each device, bad actors can exploit free credits and promotional discounts that are intended to encourage new signups. 

3. Sports & events betting 

Since the Supreme Court overturned the Professional and Amateur Sports Protections
Act in 2018, sports betting hasn’t been federally regulated. With the legality and regulations surrounding sports betting varying by state, the stakes are high for sports betting operators to ensure all betting complies with local law.

Using online venues, fraudsters have found new ways to get around sports betting restrictions or bans in their home states. In 2022, DraftKings was fined $150,000 by New Jersey regulators as a penalty for failing to detect that a man in Florida—where sports betting is illegal—had used a proxy better in New Jersey to place multiple high-dollar wagers.

Proxy betting is the act of using an intermediary to place a bet on one’s behalf. While there scenarios wherein proxy betting is legal, using proxy betting to violate local gambling regulations is not, and proxy betting violates most online sports betting platforms’ terms of use. While proxy betting is possible with traditional betting venues as well as online ones, the use of an online venue makes it easier for proxied bets to cross multiple state lines easily, such as from Florida to New Jersey. 

Many online gaming fraud concerns are common across game types

Some forms of fraud and abuse can affect multiple different types of iGaming models. For example, CNP fraud is just as relevant a concern for online poker operators as it is for chance-based gaming apps.

Account takeover (or ATO) attacks are another significant concern affecting multiple branches of the iGaming world. If a fraudster gains unauthorized access to someone’s account through phishing, social engineering, or a data breach, they can steal funds and use that account to commit other violations, such as illegal proxy betting. Any type of online gaming that hosts discrete user accounts is vulnerable to account takeover attacks: that includes virtual slots, sports betting platforms, online poker games, and more.

The use of location spoofing can cause compliance violations that the gaming operator is liable for. Similar to how fraudsters use proxy betting to place sports wagers from a state where sports betting is illegal, fraudsters can commit geo-compliance violations using location spoofing. This means that a person living in a state where online gambling is illegal can manipulate the location signals transmitted by their device in order to gamble on a platform based in a state where online gaming is legal. Similarly to the risk of ATO attacks and CNP fraud, multiple different types of iGaming are vulnerable to forced noncompliance. Location spoofing can be used to skirt geo-compliance for any gaming app or platform governed by state gambling regulations.

The consequences of these types of abuse and fraud in online gaming can include lost user trust, chargebacks filed against the platform, fines from regulators, lost revenue, damaged user retention, and more. Operating an iGaming platform without a resilient fraud detection solution is a bet with bad odds. 

The importance of robust online gaming fraud detection solutions 

There’s no question that fraud is a concern in iGaming, but detecting and preventing it can be easier said than done. Fraudsters can be sophisticated in their techniques, and many fraud tools like location spoofing are intended to help keep fraud prevention teams off the scent. With mobile fraud detection in particular, the use of multiple devices to evade detection is also an issue.

The people who defraud iGaming companies are invested in a risk-to-reward ratio. Fraud is illegal and can bring consequences. The risk of being caught committing a gaming scam has to be worth the money they stand to gain from taking that risk. Any prevention efforts that increase risk or decrease reward can be enough to dissuade fraudsters from the start and reduce bad downstream outcomes.

Robust identity verification is one way that iGaming companies can dissuade fraudsters, but it comes at the cost of potentially causing frustration for legitimate players. However, forcing a fraudster to falsify a photo ID or use their true identity to sign on to a platform dramatically increases the workload and risk levels of a fraud scheme, which is a strong deterrent to the average bad actor.

Combining location and device intelligence is another way to weed out fraudsters farther upstream without adding unnecessary friction for good users. Tamper-resistant location technology can be used to identify mismatches between reported location and actual location as well as ensure that users are in a jurisdiction where the platform has license to operate. In addition, device intelligence can be used to identify device attributes such as the presence of app cloners, app tampering tools, GPS spoofers, and other indicators that would increase the riskiness of a given user. Because the data gathering for these methods is passive, they can be implemented with minimal friction for users.

Online gaming is an incredibly valuable market with the potential to expand much further. However, to make that expansion possible, ensuring compliance and protecting user accounts will require ongoing innovation and optimization.

For more information about fraud detection and prevention measures in the iGaming space, visit Incognia’s iGaming page here. Incognia helps iGaming companies tilt the odds back in their favor by providing tamper-resistant location intelligence solutions for better fraud detection with lesser user friction.