Online Casino Security and Scams

By Joonas Karhu, Updated:

Consumers are more at risk of falling victim to a scam now than ever before. We spoke to a top iGaming regulator and a cyber security expert to learn more about online casino scams and what licensed operators are doing to protect you.

On this page, you can read about security at online casinos, the licenses, and even get a few tips to spot an online casino scam.

It is very easy to fall victim to a scam. In the past, scammers used techniques such as cold-calling, door-stepping or even direct mail to convince vulnerable people to hand over their money. Today, scammers are intelligent and cunning and use modern technology to easily trick people. This includes spoofing emails and fake social media competitions and prizes.

As consumers, we are marketed to more than ever before and can easily find ourselves purchasing products and services without fully understanding the terms and conditions they come with. While this is not necessarily a scam, it does mean that people feel like they have been tricked into purchasing something that is different to what was advertised to them.

This issue is so big that in the UK the Citizens Advice Bureau runs an annual Scams Awareness campaign to help raise awareness and offer advice to consumers.

This is a great initiative and one that Bojoko supports. The risk of getting scammed by unlicensed rogue operators is still hurting the reputation of the entire online gambling industry.

In the past, this has certainly been the case. There have been many instances where online casinos have used player funds to run the business or have refused to pay out when a player has won. There are still unreputable online casino brands accepting players today – they are known as bad actors – but the sector has gone to great lengths to stamp them out.

This has been achieved through regulation and licensing.

What Is Regulation and Licensing?

Regulations are the rules that online casino operators must adhere to in each of the markets they operate in. Not all markets are regulated, but the UK is. In the UK, the Gambling Commission is responsible for making sure that operators meet these rules and requirements, and those that do are issued a licence.

Rules include things like having responsible gambling measures in place, making sure that games are fair, player funds are segregated from operational funds and so on. We go further into this subject in the UK licensed online casinos guide.

If an online casino operator does not meet these requirements, they will not be issued a UK Gambling Commission licence and cannot accept players from the UK. If they do, they are breaking the law.

UK Gambling Commission Timeline

7 September 2007:

UK Gambling Commission was formed as part of the Gambling Act 2005

1 October 2011:

National Lottery Commission becomes part of the Gambling Commission

1 November 2014:

Offshore online casino operators that want to continue to accept UK players must obtain a licence from the Gambling Commission

31 March 2015:

UK-licensed online casino operators can only offer games from UK-licensed game developers

29 June 2017:

Gambling Commission requires online casinos to provide players with a standard set of tools for monitoring their wagering activity

31 October 2018:

Gambling Commission sets out new standards for how online casinos have to deal with customer complaints

7 May 2019:

Online casino operators are required to complete KYC checks before allowing players to gamble

31 October 2021:

Major changes to games. Slots were slowed down and made to look and sound more fair amongst other changes

27 April 2023:

Long-awaited gambling White Paper is finally released. The games now must have smaller maximum bet limits, especially for younger players.

Dual-Licensed Operators Are Among the Most Reputable

In addition to a licence from the UK Gambling Commission, some online casinos will hold permits from licensing jurisdictions.

These are regulators based in other countries such as Malta, Gibraltar, Alderney and the Isle of Man. They also require operators to meet high standards in order to receive a licence from them.

These licences do not replace a UK Gambling Commission licence, but they are a sign that an operator is reputable and meeting the highest possible standards.

The Difference Between a Licensed and Unlicensed Online Casino

Licensed Online Casinos

Unlicensed Online Casinos

Online Casinos and Hacking

Despite these measures being place, players often ask whether regulated online casino sites can still be subject to scams or be hacked.

Peter Bassill is the founder of Hedgehog Security and is employed by online casinos to test their cyber security measures. This sometimes means trying to hack into an online casino site to identify any vulnerabilities and report back to the operator with any improvements they can make.

Peter says that there is no such thing as unhackable or completely secure but that on the whole, online casino sites, especially those licensed by the UK Gambling Commission, are secure.

"Most use the latest technologies to aid in the defence and go through the routine and regular external security assessments with penetration testing firms. But in the majority, they stick to the tried and tested route for security validation and rarely ask the testing firm to go all the way."

"It is often a budget issue but also a lack of risk awareness on the part of the operator."

Some online casino operators do take their security assessments and testing to the next level and will ask Peter and his team to attempt to hack into their sites to identify any vulnerabilities. On that note, Bojoko has a page that lists secure and safe online casinos.

Last year we did a simulated "Oceans 11" for an operator. We put five weeks of effort into the prep work and only one day in the attack.
Peter Bassill, Hedgehog Security

Peter explains how they go about doing this:

"I start with a complete view of the operation. We call this intelligence gathering, identifying every one of the third parties connected with the operation. I map out all the technology used, obtain plans for all their buildings, identify as many staff as possible. Guaranteeing success is 90% prep work."

"Last year we did a simulated "Oceans 11" for an operator. We put five weeks of effort into the prep work and only one day in the attack. We got in, did our thing and got out without being detected. Success was proven to the client and they fixed their weaknesses."

For operators to be as safe as they possibly can, Peter recommends they regularly work with testing firms to ensure that they go beyond simply undertaking generic security assessments. They should also pay attention to patching, routine maintenance, fixing holes identified and generally ensuring their technology is as good, clean and lean as possible.

You, the player, can help too:

"Operators should have a way for players to easily and quickly inform them of any suspected scams they may have seen or received," says Peter. "The operator can then use this information to inform their customer base. It's a win-win."

How To Spot an Online Casino Scam

If you do decide to play at an unlicensed online casino – and Bojoko advises that you don't – you are at greater risk of being subject to an online casino scam.

These are some of the ways unlicensed operators may try to catch you out:

1) Games That Are Rigged or Fixed More in the Casino's Favour

Licensed online casino operators are required to use a random number generator to determine the outcome of games, and each game has a return to player percentage (usually around 96%).

These are independently tested to ensure they are working and that they are accurate.

Unlicensed online casinos might not use an RNG to determine the outcome of the game which means they could be rigged to their benefit.

2) The Casino Will Refuse To Pay Out Your Winnings

Another scam to be aware of is an online casino that will allow you to deposit into your wagering account but will refuse or block any withdrawals you try to make.

Licensed online casinos, on the other hand, always payout and it usually takes a few days to process withdrawals and for you to receive the money in your bank account.

3) Stolen Bank Details and Personal Information

If you do not play at a licensed online casino you also run the risk of the operator using your bank details and personal information to commit fraud.

This might not always be done by the casino; unlicensed operators may not have the necessary protections in place to safeguard your bank details and personal information from hackers.

Issues Playing at Licensed Online Casinos

Even when playing at a licensed online casino, some players believe they do not receive the experience they are promised by the operator.

This usually relates to the bonuses and promotions they receive and the terms and conditions that come attached to these incentives. We take a closer look at this below.

Bonuses Can Leave Players Feeling Short-Changed

Operators like to incentivise and reward players with casino welcome offers, which include sign-up bonuses, deposit matches, free spins and even tickets to prize draws.

In most cases, casino promotions come with terms and conditions which licenced online casino operators are required to make clear to players. Terms and conditions usually include wagering requirements and the time players have to complete them, win limits, eligible games and restrictions on deposit methods.

The problem, of course, is that most players do not take the time to read these terms and conditions before accepting an offer.

Later, when they discover they have to wager winnings 35x before they can be withdrawn, or the maximum win from free spins is £100 and they have won £300, they feel scammed.

They haven't been, of course, as they agreed to these terms and conditions when they accepted the offer. Although if they hadn't read them, it is easy to see where the confusion comes in. The UK Gambling Commission requires operators to clearly display T&Cs so that players know what requirements or restrictions are attached to an offer before they accept it.

That said, it is still the responsibility of the player to make sure they read and understand any terms and conditions before accepting the offer. The use of bonuses is something the wider online gambling industry is looking into at the moment as it continues to take steps to be fairer and more transparent with players.

Reputable online casino operators do not want their players to feel like they have been scammed, so most are going to great lengths to ensure T&Cs are as clear as possible.

Some like PlayOJO have gone so far as to remove wagering requirements on bonuses and promotions and allow players to withdraw cash whenever they like with no restrictions.

Naturally, unlicensed online casinos do not have to play by these rules and can offer bonuses that have unfair terms and conditions. These can be used to scam players, as they often encourage them to deposit large amounts of money that must then be subject to sky-high wagering requirements before being withdrawn.

These playthroughs can be upwards of x100 and, in reality, most players will lose any winnings they have accrued trying to complete such high wagering requirements.

Misleading Online Casino Adverts

If you live in a country where online casinos are legal and regulated, you will no doubt have seen adverts for online casino brands on TV, the radio, the internet and social media. These adverts are there to entice new players to sign-up and play at an online casino brand, and will sometimes include a special bonus offer.

In countries such as the UK and Sweden, online casino operators are allowed to market to players but they must do so "moderately" and by adhering to certain rules and guidelines.

In the UK, for example, this is the Advertising Standards Authority's CAP Code which aims to make sure adverts do not appeal to underage players or that offers are misleading among other things.

Most online casino operators have breached the CAP Code at some point – Paddy Power is a regular – and this does not mean that they are not reputable or that they are scamming players. It is usually the case that the advert is a little too "edgy" – for example, William Hill recently had an advert banned because it linked gambling with sexual success.

The ad was placed on Tinder and said:

"Stuck in the friend zone? You won't be for much longer if you use this Cheltenham free bet offer. Join William Hill with code W40 and bet £10 on any Cheltenham race to get 4 X £10 free bets. T&C's apply."

William Hill was not trying to scam its players with a dubious offer, it simply breached the code as the ASA deemed that it associated betting with finding a partner.

In other instances, online casino operators have had adverts banned because they didn't make clear the terms and conditions attached to an offer being promoted, making them "misleading". Most licensed online casino operators go to great lengths to ensure that their ads are within ASA guidelines and that T&Cs are clear, but occasionally they do breach the code.

When this happens, they are not allowed to run the advert again in its current format and must ensure that all future ads are within CAP Code guidelines.

What To Do if You Think You Have Been Subject to an Online Casino Scam?

As you can see, the online gambling industry does a lot to ensure that online casinos are safe and secure and that players are not subject to scams or fraud.

That said, there are some bad actors out there still and these online casinos are to be avoided at all costs. But what do you do if you think you have been the victim of an online casino scam?

  1. Contact the UK Gambling Commission
  2. Log a complaint with an alternative dispute resolution body such as eCOGRA
  3. If you think an advert is misleading, contact the ASA

The best way of preventing yourself from falling victim to an online casino scam is to play at licensed online casino brands, especially those that hold a UK Gambling Commission permit.

These sites meet the highest possible standards, are highly reputable and trusted by tens of thousands of players in the UK and beyond.

Here at Bojoko, you can find ratings and reviews of all the best UK-licensed online casinos so you can be sure they are operating honestly and transparently.

So, while scams remain a big issue across a wide range of industries, the online casino sector goes above and beyond to protect consumers and is one of the safest and secure.

An Interview of Carl Brincat, Chief Legal Counsel at Malta Gaming Authority

To learn more about what regulators require of operators when it comes to security and fraud, we spoke to Carl Brincat, Chief Legal Counsel at the Malta Gaming Authority (in the picture below).

Carl Brincat, Chief Legal Counsel at the MGA

Bojoko: What requirements does the MGA put on online casino operators when it comes to preventing fraud, money laundering and scams?

Carl Brincat (CB): "With regards to anti-money laundering, operators are obliged entities and are therefore subject not only to gaming legislation but also to the relevant anti-money laundering laws which oblige them amongst other things to conduct a risk assessment of the business and of each player, as well as to conduct customer due diligence on each player upon that player reaching a certain transaction threshold.

These are only examples of the measures operators are required to take in order to prevent money laundering and terrorist financing, as they form part of a holistic set of requirements that stems from AML legislation, as further explained in detail through implementing procedures issued jointly by the MGA and the Maltese FIAU.

As regards fraud, operators invest heavily in anti-fraud systems and procedures in order to mitigate their business risk. Part of the MGA's licensing and ongoing monitoring consists in vetting these procedures and verifying the effectiveness thereof at the audit stage.

Bojoko: How do you ensure that online casino operators are meeting these standards? What happens if they are not?

CB: "The approach the Malta Gaming Authority takes to ensure that these standards are met is twofold – ex-ante and ex-post.

Ex-ante: during the application process, the policies, procedures and systems of an applicant (online casino operator) are thoroughly vetted in order to assess whether, if effectively implemented, they will enable the operator to adhere to its legal obligations.

Ex-post: as part of ongoing monitoring, the MGA commissions compliance audits by accredited independent auditors to ensure that the approved policies and procedures are being put into effect and that any systems and tools that are being leveraged to achieve these results are functioning effectively. Moreover, the MGA and FIAU jointly conduct full-scope examinations of operators' anti-money laundering effectiveness, to ensure that the operator is making the necessary efforts and that they are being implemented in an effective manner."

Bojoko: Do you have to keep tweaking your requirements to make sure they cover that latest fraud, AML and scam threats?

CB: "This industry is very dynamic and innovative, meaning that threats change constantly just as products develop on a regular basis. Hence as the regulator, we do endeavour to keep abreast of developments in order to be responsive with changes to regulatory requirements if and when these are required.

Indeed, the new regulatory framework introduced in August 2018 is structured in a way which enables us to be quicker to react to the need to make changes to such requirements in an effort for the law to keep up with the pace of the industry."

Bojoko: Any tips on what players can do to ensure they do not fall victim to an online casino scam?

CB: "We would always encourage players to make use of the services of a regulated operator to ensure that it is subject to controls and oversight, and to have a regulator to resort to in case issues crop up."

While most European markets are now regulated – this includes the likes of the UK, Sweden, Spain and Portugal – others are not so it can be tricky for players in these countries to know where to play.

Bojoko always recommends playing at online casinos that are licensed by the UK Gambling Commission as this is one of the most established and respected regulators in the world.

Operators that carry a UK Gambling Commission licence are trusted and reputable and do not try to catch out players with scams or misleading adverts.

An Interview of Heathcliff Farrugia, CEO of Malta Gaming Authority

Bojoko sat down with the CEO of Malta Gaming Authority, Heathcliff Farrugia (in the picture below). We discussed the New Gaming Act of 2018, blockchain gaming, MGA's priorities for 2019, growing demand for iGaming workforce in Malta and affiliate licensing.

MGA CEO Heathcliff Farrugia

Player Protection Under MGA Licence

Bojoko: How does the New Gaming Act provide added protection for players in MGA licensed casinos?

Heathcliff Farrugia (HF): For us, the new law was an opportunity to strengthen what we had in terms of player protection, but we also came up with new ideas.

When it comes to player protection, one of the most important measures we strengthened was the protection of players' funds. In the new law, player funds are considered as a separate patrimony. So, if there is a company in distress or going bust and there's a liquidation going on, the players' funds remain protected from any claim by the creditors of the licensee. We believe that in terms of players' funds, this is the maximum protection we could provide.

We also added the "one-click away" rule, which means that now, online casinos and other operators are obliged by law to always have certain information available within one click from the home or game page. For example, the self-exclusion tool has to be available not more than one click away from the page containing information related to Responsible Gaming. We believe that if a player is looking at information regarding responsible gaming, he/she should also be able to exclude him or herself very easily.  

Even though a number of operators already had this in place, we felt that with some others, players needed to navigate through various menus until they go to the self-exclusion tool. We believed this was unfair so we made it very clear that the tool had to be just one click away.

We need to be very careful that we don't end up in a situation where we include measures that are aimed at protecting players and then, in turn, they end up having the opposite effect.
Heathcliff Farrugia, CEO of MGA

An important aspect of the new law is the introduction of what we call "a duty of care for operators", whereby operators are obliged to monitor players who are showing patterns of problematic gambling behaviour and to intervene when appropriate.

There are some operators, whom I would say are leaders when it comes to responsible gaming. They have very interesting systems based on, for example, betting patterns and amounts to detect problem gambling behaviour. With the help of these sophisticated tools, they can then risk-rate players on the basis of whether they are likely to develop a gambling problem.

Let me also add that as a regulator we need to be very careful that we don't end up in a situation where we include measures that are aimed at protecting players and then, in turn, they end up having the opposite effect.

So, regarding this, we engaged Dr Mark Griffiths, a chartered Psychologist and Distinguished Professor of Behavioural Addiction at Nottingham Trent University, to critically analyse the provisions within the player protection legislation, so as to ensure that what we were proposing is backed up with evidence. He assessed the directives and gave us very positive feedback, and even suggested a number of further measures which could continue to strengthen player protection. Now we are examining his assessment and working on its implementation.

Bojoko: Can you highlight the salient points of the new gaming act both for the general public and for the gaming industry? Who stands to benefit the most?

HF: Well I think the industry in general, will benefit. The players will benefit because of increased, more thorough, player protection directives.

The regulator will benefit from the additional regulatory powers. For example, we introduced the power to conduct "mystery shopping". Previously, we were in a situation where if we wanted to conduct an investigation on a licensee, we had to log in through a designated account, hence reducing the effectiveness of our investigation.

Through the new law, we also gave the power to licensees, or applicants, to challenge the Authority's decisions before the Administrative Review Tribunal, which is, naturally, totally independent from the MGA. If, for example, an operator applies for an MGA licence and we decide not to grant the licence, the applicant can now challenge that decision through this independent Tribunal. So, the whole process is less costly and time-consuming for the Operator and improves the processes for administrative justice.

We also modernized our licensing system so that an operator, like an online casino,  can have a B2B and/or a B2C license and doesn't need to apply for multiple licenses for different brands.

Bojoko: Given what seems to be a crackdown on the industry's lax principles and the New Gaming Act which came into effect in July 2018, does the MGA plan on following in the UK's footsteps and implementing new rules and changes in regulation? For example, would you be making forfeitable bonuses (so that players have access to their deposit at all times) a must for online casinos?

HF: We are strong believers in the benefits that can arise when regulators share best practices among themselves. We always keep an eye open for what other reputable regulators do and we do meet with them on a regular basis to discuss different ideas.

For the time being, forfeitable casino bonuses specifically are not one of our priorities, however, no measure is off the table, and we continue to focus on making sure gambling is as safe and free from crime as possible.

Last year alone we conducted 33 AML onsite inspections to make sure that operators were in line with the 4th anti-money laundering directive. In 2019 this will still be one of the main priorities and we have another 40 inspections lined up.

Blockchain + Casinos

Bojoko: Is there an opportunity for regulators to apply blockchain technology to introduce greater transparency within these processes and the industry-at-large? Malta has dived headfirst into the adoption and regulation of crypto and blockchain and the existing iGaming business infrastructure seems ripe for this kind of implementation.

HF: As regulators, it's not that we need blockchain to have transparency, because licensees are already obliged by law to give us access to the data we need to achieve our regulatory objectives.

This said, we are aware that some of our operators are looking at blockchain as a technology solution for some parts of their business proposition, whilst some others are looking at cryptocurrencies as a payment solution.

However, whilst through our sandboxed guidelines for DLT we are allowing our licensees to test and learn in a controlled environment, overall it is still early to assess the impact of this technology on the gaming industry.

The Maltese Edge on iGaming

Bojoko: What's the biggest threat to Malta's iGaming success story? Will new regulators cropping up across Europe impact the industry in Malta, with companies shifting their operations to other jurisdictions?

HF: From our end, we see this as an opportunity to strengthen our collaboration with fellow regulators. This industry is cross-border in nature, so collaboration is extremely important.

For us, it is important to share the knowledge we acquired over the years and to also learn from other regulators, and so we regularly meet to share and discuss best practices. In fact, recently we had an Irish delegation here in Malta, where we discussed areas of common interest, and have also recently signed an MOU with the Swedish regulator.

For the time being, we are not considering licensing affiliates.
Heathcliff Farrugia, CEO of MGA

Bojoko: How do you see the iGaming job market evolving in Malta? There's a much higher demand for talent than the current supply. What kind of plans does the MGA have for addressing/supplying this labour and skills shortage with a skilled Maltese workforce?

HF: Overall, it is not the MGA's remit to tackle such issues, but locally there are a number of initiatives aimed at tackling this.

Having said this the population of Malta is what it is, and with the pace of the economy, where the country is experiencing skill shortage in other sectors like health and financial services, the solution appears to remain that of importing talent.

Bojoko: MCAST is the first Maltese academic institution to offer a course in iGaming leading to a certified diploma. Is there any other academic co-operation we can expect in the future, perhaps with the University of Malta?

HF: Gaming Malta, an independent non-profit foundation set up by the Government of Malta and the MGA, is working on a student placement program that gives more opportunities to students who are studying technology subjects. They organise summer working placements and even extended training programs.

We, at MGA, have also worked with the University of Malta and started to recruit students in their 3rd year to give them job opportunities at the MGA. They get a very flexible roster that complements their studies. So, they would be studying at university but at the same time working with the local gaming regulator.

We also know that there are some gaming operators who do something similar but independently and now through Gaming Malta they are trying to do this in a more organised manner.

There are also some initiatives for example by MITA, the technology arm of the Government, who do the same with IT students. Gaming Malta is looking to have something similar but focused on gaming and they are planning to launch very soon.

Bojoko: And one question about affiliate licensing. You have mentioned before that it won't be necessary. Is this still your way forward?

HF: For the time being, we are not considering licensing affiliates. When an operator is using an affiliate, it is still the operator (the licensee) who carries the responsibility of ensuring that the whole operation is in line with the laws and regulations. Operators are allowed to outsource some of their services, in line with our outsourcing guidelines.

Thank you, Mr Farrugia, for taking the time to chat with us and providing this insight into how MGA is ensuring the overall health of the industry as it develops on a multi-national stage.

About the Authors

Joonas Karhu

Article by:

Joonas Karhu

Joonas Karhu is a distinguished expert in the online gambling industry with over a decade of experience. A thought leader, Karhu has authored articles for major industry publications and is committed to promoting responsible gambling standards. His career began as an online poker player, leading to various management roles in the iGaming sector. Karhu holds three business degrees: MBA, BBA, and QBA.
Kati Saari

Article by:

Kati Saari

Kati Saari has worked in the gambling industry since 2014. She has tested hundreds of casinos and written thousands of articles while evolving into an iron-clad expert in her field. Having a true passion for her work she’s adamant about not rushing into anything without thorough research.

Say "OK" to the cookies. Learn more in our privacy policy.

Get the latest bonuses, free spins and updates on new sites💰

Subscribe to our newsletter. No spam. Opt out anytime.