Switch to United States?

It looks like you are currently located in United States but browsing the GB site.

Switch to United States »
Cover image
Ad Disclosure

Online casino security and scams - everything you need to know

by Bojoko Editorial Team

Consumers are more at risk of falling victim to a scam now than ever before. We spoke to a top iGaming regulator and a cyber security expert to learn more about online casino scams and what licensed operators are doing to protect you.

It is very easy to fall victim of a scam.

In the past, scammers used techniques such as cold-calling, door-stepping or even direct mail to convince vulnerable people to hand over their money.

Today, scammers are intelligent and cunning and use modern technology to easily trick people. This includes spoofing emails and fake social media competitions and prizes.

As consumers, we are marketed to more than ever before and can easily find ourselves purchasing products and services without fully understanding the terms and conditions they come with.

While this is not necessarily a scam, it does mean that people feel like they have been tricked into purchasing something that is different to what was advertised to them.

This issue is so big that in the UK the Citizens Advice Bureau runs an annual Scams Awareness campaign to help raise awareness and offer advice to consumers.

This is a great initiative and one that Bojoko supports. The risk of getting scammed by unlicensed rogue operators is still hurting the reputation of the entire online gambling industry.

In the past, this has certainly been the case. There have been many instances where online casinos have used player funds to run the business or have refused to pay out when a player has won.

There are still unreputable online casino brands accepting players today – they are known as bad actors – but the sector has gone to great lengths to stamp them out.

This has been achieved through regulation and licensing.

What is regulation and licensing?

Regulations are the rules that online casino operators must adhere to in each of the markets they operate in. Not all markets are regulated, but the UK is.

In the UK, the Gambling Commission is responsible for making sure that operators meet these rules and requirements, and those that do are issued a licence.

Rules include things like having responsible gambling measures in place, making sure that games are fair, player funds are segregated from operational funds and so on.

If an online casino operator does not meet these requirements, they will not be issued a UK Gambling Commission licence and cannot accept players from the UK.

If they do, they are breaking the law.

UK Gambling Commission timeline

7 September 2007:

UK Gambling Commission formed as part of the Gambling Act 2005

1 October 2011:

National Lottery Commission becomes part of the Gambling Commission

1 november 2014:

Offshore online casino operators that want to continue to accept UK players must obtain a licence from the Gambling Commission

31 March 2015:

UK-licensed online casino operators can only offer games from UK-licensed game developers

29 June 2017:

Gambling Commission requires online casinos to provide players with a standard set of tools for monitoring their wagering activity

31 October 2018:

Gambling Commission sets out new standards for how online casinos have to deal with customer complaints

7 May 2019:

Online casino operators are required to complete KYC checks before allowing players to gamble

Dual-licensed operators are among the most reputable

In addition to a licence from the UK Gambling Commission, some online casinos will hold permits from licensing jurisdictions.

These are regulators based in other countries such as Malta, Gibraltar, Alderney and the Isle of Man. They also require operators to meet high standards in order to receive a licence from them.

These licences do not replace a UK Gambling Commission licence, but they are a sign that an operator is reputable and meeting the highest possible standards.

The difference between a licensed and unlicensed online casino

Licensed online casinos

Unlicensed online casinos

To learn more about what regulators require of operators when it comes to security and fraud, we spoke to Carl Brincat, Chief Legal Counsel at the Malta Gaming Authority (in the picture below).

Carl Brincat, Chief Legal Counsel at the MGA

Bojoko: What requirements does the MGA put on online casino operators when it comes to preventing fraud, money-laundering and scams?

Carl Brincat (CB): "With regards to anti-money laundering, operators are obliged entities and are therefore subject not only to gaming legislation but also to the relevant anti-money laundering laws which oblige them amongst other things to conduct a risk assessment of the business and of each player, as well as to conduct customer due diligence on each player upon that player reaching a certain transaction threshold.

These are only examples of the measures operators are required to take in order to prevent money laundering and terrorist financing, as they form part of a holistic set of requirements that stems from AML legislation, as further explained in detail through implementing procedures issued jointly by the MGA and the Maltese FIAU.

As regards fraud, operators invest heavily in anti-fraud systems and procedures in order to mitigate their business risk. Part of the MGA's licensing and ongoing monitoring consists in vetting these procedures and verifying the effectiveness thereof at audit stage.

Bojoko: How do you ensure that online casino operators are meeting these standards? What happens if they are not?

CB: "The approach the Malta Gaming Authority takes to ensure that these standards are met is twofold – ex-ante and ex-post.

Ex-ante: during the application process, the policies, procedures and systems of an applicant (online casino operator) are thoroughly vetted in order to assess whether, if effectively implemented, they will enable the operator to adhere to its legal obligations.

Ex-post: as part of ongoing monitoring, the MGA commissions compliance audits by accredited independent auditors to ensure that the approved policies and procedures are being put into effect, and that any systems and tools that are being leveraged to achieve these results are functioning effectively. Moreover, the MGA and FIAU jointly conduct full-scope examinations of operators' anti-money laundering effectiveness, to ensure that the operator is making the necessary efforts and that they are being implemented in an effective manner."

Bojoko: Do you have to keep tweaking your requirements to make sure they cover that latest fraud, AML and scam threats?

CB: "This industry is very dynamic and innovative, meaning that threats change constantly just as products develop on a regular basis. Hence as the regulator we do endeavour to keep abreast of developments in order to be responsive with changes to regulatory requirements if and when these are required.

Indeed, the new regulatory framework introduced in August 2018 is structured in a way which enables us to be quicker to react to the need to make changes to such requirements in an effort for the law to keep up with the pace of the industry."

Bojoko: Any tips on what players can do to ensure they do not fall victim to an online casino scam?

CB: "We would always encourage players to make use of the services of a regulated operator to ensure that it is subject to controls and oversight, and to have a regulator to resort to in case issues crop up."

While most European markets are now regulated – this includes the likes of the UK, Sweden, Spain and Portugal – others are not so it can be tricky for players in these countries to know where to play.

Bojoko always recommends playing at online casinos that are licensed by the UK Gambling Commission as this is one of the most established and respected regulators in the world.

Operators that carry a UK Gambling Commission licence are trusted and reputable and do not try to catch out players with scams or misleading adverts.

Online casinos and hacking

Despite these measures being place, players often ask whether regulated online casino sites can still be subject to scams or be hacked.

Peter Bassill is the founder of Hedgehog Security and is employed by online casinos to test their cyber security measures.

This sometimes means trying to hack into an online casino site to identify any vulnerabilities and report back to the operator with any improvements they can make.

Peter says that there is no such thing as unhackabale or completely secure but that on the whole, online casino sites, especially those licensed by the UK Gambling Commission, are secure.

"Most use the latest technologies to aid in the defence and go through routine and regular external security assessments with penetration testing firms.

But in the majority, they stick to the tried and tested route for security validation and rarely ask the testing firm to go all the way.

It is often a budget issue but also a lack of risk awareness on the part of the operator."

Some online casino operators do take their security assessments and testing to the next level and will ask Peter and his team to attempt to hack into their sites to identify any vulnerabilities.

Last year we did a simulated "Oceans 11" for an operator. We put five weeks of effort into the prep work and only one day in the attack.
Peter Bassill, Hedgehog Security

Peter explains how they go about doing this:

"I start with a complete view of the operation. We call this intelligence gathering, identifying every one of the third parties connected with the operation.

I map out all the technology used, obtain plans for all their buildings, identify as many staff as possible. Guaranteeing success is 90% prep work.

Last year we did a simulated "Oceans 11" for an operator. We put five weeks of effort into the prep work and only one day in the attack.

We got in, did our thing and got out without being detected. Success was proven to the client and they fixed their weaknesses."

For operators to be as safe as they possibly can, Peter recommends they regularly work with testing firms to ensure that they go beyond simply undertaking generic security assessments.

They should also pay attention to patching, routine maintenance, fixing holes identified and generally ensuring their technology is as good, clean and lean as possible.

You, the player, can help too:

"Operators should have a way for players to easily and quickly inform them of any suspected scams they may have seen or received," says Peter.

"The operator can then use this information to inform their customer base. It's a win win."

How to spot an online casino scam

If you do decide to play at an unlicensed online casino – and Bojoko advises that you don't – you are at greater risk of being subject to an online casino scam.

These are some of the ways unlicensed operators may try to catch you out:

1) Games that are rigged or fixed more in the casino's favour

Licensed online casino operators are required to use a random number generator to determine the outcome of games, and each game has a return to player percentage (usually around 96%).

These are independently tested to ensure they are working and that they are accurate.

Unlicensed online casinos might not use an RNG to determine the outcome of the game which means they could be rigged to their benefit.

2) The casino will refuse to pay-out your winnings

Another scam to be aware of is an online casino that will allow you to deposit into your wagering account but will refuse or block any withdrawals you try to make.

Licensed online casinos, on the other hand, always pay out and it usually takes a few days to process withdrawals and for you to receive the money in your bank account.

3) Stolen bank details and personal information

If you do not play at a licensed online casino you also run the risk of the operator using your bank details and personal information to commit fraud.

This might not always be done by the casino; unlicensed operators may not have the necessary protections in place to safeguard your bank details and personal information from hackers.

Issues playing at licensed online casinos

Of course, even when playing at a licensed online casino, some players believe they do not receive the experience they are promised by the operator.

This usually relates to the bonuses and promotions they receive and the terms and conditions that come attached to these incentives.

We take a closer look at this below.

Bonuses can leave players feeling short changed

Operators like to incentivise and reward players with online casino bonuses, which include sign-up bonuses, deposit matches, free spins and even tickets to prize draws.

In most cases, casino promotions come with terms and conditions which licenced online casino operators are required to make clear to players.

Terms and conditions usually include wagering requirements and the time players have to complete them, win limits, eligible games and restrictions on deposit methods.

The problem, of course, is that most players do not take the time to read these terms and conditions before accepting an offer.

Later, when they discover they have to wager winnings 35x before they can be withdrawn, or the maximum win from free spins is £100 and they have won £300, they feel scammed.

They haven't been, of course, as they agreed to these terms and conditions when they accepted the offer. Although if they hadn't read them, it is easy to see where the confusion comes in.

The UK Gambling Commission requires operators to clearly display T&Cs so that players know what requirements or restrictions are attached to an offer before they accept it.

That said, it is still the responsibility of the player to make sure they read and understand any terms and conditions before accepting the offer.

The use of bonuses is something the wider online gambling industry is looking into at the moment as it continues to take steps to be fairer and more transparent with players.

Reputable online casino operators do not want their players to feel like they have been scammed, so most are going to great lengths to ensure T&Cs are as clear as possible.

Some like PlayOJO have gone so far as to remove wagering requirements on bonuses and promotions and allow players to withdraw cash whenever they like with no restrictions.

Of course, unlicensed online casinos do not have to play by these rules and can offer bonuses that have unfair terms and conditions.

These can be used to scam players, as they often encourage them to deposit large amounts of money that must then be subject to sky-high wagering requirements before being withdrawn.

These playthroughs can be upwards of x100 and, in reality, most players will lose any winnings they have accrued trying to complete such high wagering requirements.

Misleading online casino adverts

If you live in a country where online casino is legal and regulated, you will no doubt have seen adverts for online casino brands on TV, the radio, the internet and social media.

These adverts are there to entice new players to sign-up and play at an online casino brand, and will sometimes include a special bonus offer.

In countries such as the UK and Sweden, online casino operators are allowed to market to players but they must do so "moderately" and by adhering to certain rules and guidelines.

In the UK, for example, this is the Advertising Standards Authority's CAP Code which aims to make sure adverts do not appeal to underage players or that offers are misleading among other things.

Most online casino operators have breached the CAP Code at some point – Paddy Power is a regular – and this does not mean that they are not reputable or that they are scamming players.

It is usually the case that the advert is a little too "edgy" – for example, William Hill recently had an advert banned because it linked gambling with sexual success.

The ad was placed on Tinder and said:

"Stuck in the friend zone? You won't be for much longer if you use this Cheltenham free bet offer. Join William Hill with code W40 and bet £10 on any Cheltenham race to get 4 X £10 free bets. T&C's apply."

William Hill was not trying to scam its players with a dubious offer, it simply breached the code as the ASA deemed that it associated betting with finding a partner.

In other instances, online casino operators have had adverts banned because they didn't make clear the terms and conditions attached to an offer being promoted, making them "misleading".

Most licensed online casino operators go to great lengths to ensure that their ads are within ASA guidelines and that T&Cs are clear, but occasionally they do breach the code.

When this happens, they are not allowed to run the advert again in its current format and must ensure that all future ads are within CAP Code guidelines.

What to do if you think you have been subject to an online casino scam?

As you can see, the online gambling industry does a lot to ensure that online casinos are safe and secure and that players are not subject to scams or fraud.

That said, there are some bad actors out there still and these online casinos are to be avoided at all costs. But what do you do if you think you have been victim of an online casino scam?

  1. Contact the UK Gambling Commission
  2. Log a complaint with an alternative dispute resolution body such as eCOGRA
  3. If you think an advert is misleading, contact the ASA

The best way of preventing yourself from falling victim to an online casino scam is to play at licensed online casino brands, especially those that hold a UK Gambling Commission permit.

These sites meet the highest possible standards, are highly reputable and trusted by tens of thousands of players in the UK and beyond.

Here at Bojoko you can find ratings and reviews of all the best UK-licensed online casinos so you can be sure they are operating honestly and transparently.

So, while scams remain a big issue across a wide range of industries, the online casino sector goes above and beyond to protect consumers and is one of the most safe and secure.

About the author

Profile logo

Bojoko Editorial Team

Bojoko editorial team curates and publishes content from our in-house expert and outside contributors.


or sign up to leave a comment.

Say "OK" to the cookies. Learn more in our privacy policy.