Published: 9 October, 2024

Data leaks, deep fakes and digital manipulation: A deep dive into sports betting fraud

Trafficology spoke with Onfido Fraud Specialist Senoir Manager Simon Horswell on the increase in fraud around major sporting events and what fraud looks like in today’s market

During sporting events, the level of fraud around sports betting increases quite significantly. Do you think this is to capitalise on new players or trick older players, or even a combination of the two?

I don’t think this is about new subscribers or old subscribers. This is about taking advantage of the situation. Whenever these sporting events crop up, it’s big business for gambling industries. All the companies are competing for the increase they know is going to occur around that event. How do you do that? You give people incentives to join you rather than one of the other gambling companies. So, you give someone £100 ($133) in free bets or £100 in credit, the next company will give someone £150 in free credit. This competing, this promotion to drive business through one platform or one company over another, is what makes it more attractive for fraudsters. It’s a honeypot. Any that are giving stuff away for a sign up will attract the higher amount of fraud. That’s how we see things pan out.

In terms of fraudulent sports betting traffic, what exactly does that look like? How does it differentiate from above-board traffic?

If account opening requires you to provide some form of identity, you’re going to see things like altered documents. It might be a counterfeit document. It might even be, depending on the level of checks you have - if you don’t have a biometric component, if I don’t have to provide a photo or video of myself as the holder of that document - I can get away with potentially just uploading a picture I’ve found online or obtained from a data leak.

Then, if you include the biometric component, we’ll see photographs that may have been stolen from a number of different places. We’ve seen a large variety of things, from holiday snaps that someone’s cropped down, profile pictures, all the way to people uploading videos of chiropractors showing you how you should tilt your head from one side to the other or even deep fakes.

With all of these are elements, it’s the method of delivery. Is it something that’s been uploaded, or is it someone taking a video

or picture of a screen? There are a lot of different tells around that, but those are typically the techniques we’ll see happen.

What would you say are the three biggest factors that draw fraudsters to sports betting?

You have to understand the reasons why people are coming. You’ve got two different things happening. Number one, you’ve got that honeypot, the fact there are going to be bonuses for sign up and you’re exploiting that sign up to hoard as many bonuses as possible. But, on the other hand, this is why you’ve got regulations about account opening, because gambling can be used to launder money. In a month where you’ve got people coming purely for the bonus exploit, you’ve got people that are also coming and trying to open fraudulent accounts so they can lauder money. Again, it’s the events that are driving that. Because you’ve got increased volume around that time, that’s the best time, if you’re committing some form of money laundering, to camouflage in with the herd.

If I’m going to commit the bonus exploit, the main thing is scale. I want to hit as quick as I can with as many attempts as possible to reap the benefits. Whereas if I’m doing money laundering, I don’t want to draw too much attention. I could be hitting at scale, depending on how many sleeper accounts I want to open. But, it won’t necessarily be as obvious, or it won’t be as unsophisticated as some bonus exploits.

What techniques are fraudsters using to generate traffic? Have there been any recent trends in these techniques, something new that the industry hasn’t seen before?

What we saw last year was a huge spike in the adoption of deep fakes... a year-on-year spike of 3,000%. We went from having a couple of 100’s to tens of thousands. That’s been the biggest trend - the fact that’s suddenly exploded.

There’s a couple of reasons for that. If you look at lockdown, it drove a lot of people into online fraud, and they’ve got better at it. One of my colleagues, another expert, has this disagreement where he says fraudsters are lazy. I say fraudsters are incredibly efficient. When you look at the number of attempts and the adaptation, you see what fraudsters will do is go just as far as they need to get past the line. So it might be, in terms of avoiding a document detection system, they’ll reduce the exposure on the image to get it just light enough that it gets accepted, but just dark enough that you can’t pick up on the alteration to the date of birth, for example, or they’ll play with resolution. There’s a lot of experimentation, which means there is a lot of work that goes into achieving what might look like unsophisticated fraud when it eventually reaches the examination process.

What we’ve also seen is a growing trend to digitally manipulate images of documents. Where previously we would see people creating physical counterfeits, so maybe copying a document or getting an image of a document, altering it using photo editing software and physically printing it out and trying to pass it off as a real document, what we started to see was a growing trend of people skipping that last stage. We started to see more inventive ways for people to do that, more digitally manipulated images popping up here, there and everywhere.

National IDs and driving licences are a big target for fraudsters. How are they getting this information and what safeguards can be put into place, or are being put in place, to prevent this and protect players?

Rule number one is, it doesn’t matter how proud you are of it, if you pass your driving test, don’t post a picture of it on social media. I know it sounds silly, but you’d be surprised how many people post that online, even in this day and age. But similarly, national identity cards, anything like that.

You’ve got a number of issues now. We’re not just talking about people having images stolen. I think many people now dismiss when they hear news about data leaks, but the fact of the matter is these data leaks might not just have your personal details, which is bad enough. Depending on which source the data leak has come from, if it’s somewhere you’ve had to sign up and prove your identity, that might mean your identity documents are in that spot as well.

In addition to this, we’ve seen fraud as a service, where people have started opening up different platforms that essentially give people tools to create fraudulent checks. So, it could be a template for a national identity card for [different] countries. They’re editable templates, or you can even do it on the platform. Obviously, it comes at a fee and there’s a subscription, or you’re paying piecemeal. But, the idea that’s now a growing industry? I think this is why national identity cards crop up in such a large percentage, because it’s a relatively easy document to get a hold of an image for.

Do you think there’s enough policy in place regarding identity fraud safeguarding?

The key is making sure you’ve got the right type of defence at the beginning of the onboarding process. We do see a difference between different companies in terms of what they’ve decided to do. You’ve got some companies that take the attitude of, if it’s not in the regulations, if I’m not required to do it, it’s an expense I’m not going to put my hand in my pocket for. Whereas you see other companies that are bigger, they’ve got more funds to play with, they’ll take a more robust approach.

It is really important you are establishing that someone is who they say they are through verification of an identity document, through biometrics that are linked to that particular identity. While those checks are going on, you can do a lot of passage checks in the background to try and ascertain if that transaction, that conversation where you’re establishing someone’s identity, if all the elements of are authentic.

Are there any areas of regulation you feel can be improved to help mitigate fraud?

In the financial industry, a lot a stuff has been in place for a while. It’s come about from the fact they’ve experienced fraud and have started to isolate where the risky areas are. Then you see an upping of the game. You see the anti-money laundering guidance that comes out and regulations around that. We’ve started to see in the last couple of years a similar thing with crypto, we’re starting to see regulations around onboarding with crypto so that you know who’s creating an account. I would suggest with gambling, it’s taking a closer look at what those regulations are, to ensure it is ticking all the boxes.

But, things have changed. You can’t just work on the basis that someone’s got an email and I’ve sent them a password. We’re dealing in an environment where devices can be stolen, emails can be cloned. You need to think about these things and establish things on a more fundamental level with more scrutiny.

Final note, going back to sports betting, the new football season just got underway. the Champions League started up again. What do you think could be done for players to keep them safe from fraud as we get into this busy part of the year for football?

From a consumer point of view, be wary about where you’re sharing material. But the protection really comes from the gambling sites and gambling companies themselves. You want to increase your security, be aware of the fact your promotion to improve business is always going to attract more fraud. I’m sure that’s not news to anyone that works in this industry. At least if you’re monitoring it, that’s what you’ll see. So, ensuring you’re putting protections in place, like having some kind of automated system so you’re covered around the clock. Something that’s consistent, that’s verifying someone’s identity from documents to biometrics but also covering that device layer as well. That’s as all-encompassing as it can be. That’s probably the best means they can perform to create that sense of trust, so people that are using those services feel like they’re dealing with someone that cares about their credentials.