Over the past twenty years, countless daily activities have been upgraded with new, digital equivalents for our convenience. Everything’s online these days: paying bills, checking your bank balance, ordering food, and now, taking your one-in-a-million chance on the lottery from the comfort of your couch. iLottery games are online drawing-based games that work similarly to the traditional lottery, only conducted digitally through a web client or mobile app.
iLottery gaming can give people who enjoy participating in the lottery a new, more future-forward way to engage, but unfortunately, legitimate players aren’t the only people punching in their lucky numbers. Fraudsters also have a vested interest in online lottery games, but they’ll be relying on luck a lot less than the average person. Bad actors have a variety of ways to manipulate and exploit iLottery accounts and products for their own gain—and everyone else’s detriment.
There’s not much fraudsters can do to manipulate the luck of the draw. Unfortunately for iLottery operators, that isn’t where they aim their focus.
One unfortunate reality of our current technology is that wherever payment information exists, it exists to be stolen and used elsewhere. iLottery games are one industry among many that are vulnerable to payment fraud types like fraudsters using stolen credit cards or cardholders filing phony chargebacks.
Not only does an organization take a financial hit from the initial chargeback, but banks and credit institutions often impose mounting penalties for frequent buyer chargeback requests against the same merchant. At a certain number, the affected organization may even lose its relationship with some payment processors.
Any age-restricted industry or industry that handles payment processing needs to perform identity verification checks to ensure they’re complying with state and federal laws surrounding who can use their products. Naturally, the average fraudster is hesitant to commit fraud and abuse under their real name; additionally, known fraudsters might have backgrounds that disallow them from using the platform under anti-money laundering (AML) regulations.
So, what’s an enterprising bad actor to do? The answer is using faked or stolen identity information to create and operate their iLottery accounts. Compromised PII and synthetic identities can be found for sale on the dark web, and using them allows fraudsters to operate with much less risk—even if they get caught, their true identity can hide behind phony or stolen credentials.
Account takeover is another form of iLottery fraud. Fraudsters gain access to a gamer's account by stealing, phishing, social engineering, or finding their login credentials in a data breach. Once they have access, they can make illegal purchases, steal personal information, and commit other types of fraud under the victim’s name.
The damage of account takeover can be far-reaching: there’s reputational damage from the negative experiences of victimized users and financial consequences from the cost of restoring the account, investigating the breach, and restoring any fraudulent purchases made in the victim’s name.
Multi-accounting involves creating multiple accounts to take advantage of promotions and bonuses offered by an iLottery operator contrary to their intended use. Fraudsters use this technique to obtain rewards meant for other gamers, which results in revenue loss for the operator. In other words, promotions meant for the many instead go to the few, so the campaign doesn’t encourage the spending and user acquisition the marketing team might have had in mind.
Multi-accounting can also be used to help fraudsters avoid accountability for any other types of fraud they’re committing. If one account is caught and banned, they have backups waiting in the wings and don’t have to suffer any slowdown in their operation.
The threat of iLottery fraud is real, and operators have to be proactive to ensure they aren’t victimized by fraudsters and that bad actors don’t use them to violate AML and other regulations. So, how should iLottery platforms go about preventing fraud?
Strong identity verification is one contender for an early line of defense. Because iLottery games have to verify their users’ identities anyway, using identity checks as a risk signal can integrate seamlessly into the existing anti-fraud stack. The problem with this, as mentioned above, is that stolen and synthetic identities can also be used by fraudsters to get around these checks. The answer from the fraud fighters’ perspective might be to add some redundancy into the process.
Consider, for example, adding a layer of real-time address verification into the identity check. When a user provides their identity information, including their address, a real-time address verification check can look for inconsistencies in what they report versus what’s on their official documentation.
Most people handle account creation and other sensitive transactions from their home, making this a powerful risk signal. If the addresses match, the user is low-risk. If there’s an inconsistency, especially a large one (such as the user being in an entirely different country), that signup might be higher risk and some step-up verification might be in order.
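A minimal sketch of the address-consistency signal described above, added here as an illustration and not taken from any vendor's product. The function names, the 50 km threshold, and the inputs (caller-supplied coordinates for the reported address and an estimated location and country for the signup session) are all assumptions.

```python
import math
import re
from dataclasses import dataclass

NEAR_KM = 50.0  # assumed cut-off for "near home"; tune on your own data
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}

@dataclass
class Address:
    street: str
    city: str
    postal_code: str
    country: str  # ISO 3166-1 alpha-2 code

def normalize(addr):
    """Canonical form so formatting differences are not flagged as mismatches."""
    words = re.sub(r"[^\w\s]", "", addr.street.lower()).split()
    street = " ".join(_ABBREV.get(w, w) for w in words)
    return (street, addr.city.strip().lower(),
            addr.postal_code.replace(" ", "").upper(), addr.country.upper())

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess_signup(reported, document, address_geo, session_geo, session_country):
    """Return (decision, reasons); any inconsistency triggers step-up."""
    reasons = []
    if normalize(reported) != normalize(document):
        reasons.append("reported_address_differs_from_document")
    if session_country.upper() != reported.country.upper():
        reasons.append("session_in_different_country")
    elif haversine_km(address_geo, session_geo) > NEAR_KM:
        reasons.append("session_far_from_reported_address")
    return ("step_up" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    reported = Address("123 Main Street, Apt. 4", "Springfield", "62701", "us")
    document = Address("123 main st apt 4", "springfield", "62701", "US")
    home = (39.80, -89.65)
    print(assess_signup(reported, document, home, (39.78, -89.60), "US"))
    print(assess_signup(reported, document, home, (41.88, -87.63), "US"))
    print(assess_signup(reported, document, home, (43.65, -79.38), "CA"))
```

Returning the reasons alongside the decision lets the step-up flow and later case review see which inconsistency fired.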
Regardless of what the lottery numbers are at the end of the day, fraudsters will always try to cash in for a quick payday. By staying ahead of the curve and using innovative risk signals, iLottery operators can reduce their fraud risk and protect their good users from bad actors.