Spanish gambling regulator warns of spate of identity theft reports
Gambling operators have been told to be alert for ID breaches and hackers.
Spain.- The Spanish gambling regulator, the DGOJ, along with financial institutions have issued another warning about an ongoing spate of identity theft cases related to online gambling transactions.
The regulator first issued an alert over the issue in February, but it says it continues to receive complaints from users who have received fines or tax demands related to accounts they were unaware of or did not control. The DGOJ said criminals were exploiting ID verification protocols on online gambling platforms and payment systems.
Spain’s Ministry of Consumer Affairs says that 7,700 cases of identity theft linked to online gambling and payment-related liabilities were reported last year. Around 5 per cent of gamblers who won over €100 via online gaming are said to have been victims of identity theft.
Mikel Arana, director general of the DGOJ, said: “Current regulations do not mandate the personalisation or individualisation of payment methods. This loophole enables the use of fake or third-party accounts to divert funds.
He added: “In 90 percent of scams, sports betting was involved. Most victims remain unaware until the Treasury demands taxes for supposed winnings they never received, by which point the damage is already done.”
Statistics were available for the first time after the DGOJ introduced a new protocol for impersonated consumers to register complaints. PACS was introduced in April 2024 in collaboration with the tax administration agency AEAT and the State Security Forces and Corps. It provides a step-by-step process for consumers to follow if they believe their identity has been stolen via online gambling platforms.
The DGOJ has recommended that users request certificates of activity from betting operators, close compromised accounts, and provide relevant documentation to the Spanish tax agency, AEAT, after reporting incidents.
In February, the regulator said it planned to work with AEAT on a report into the matter. It has also warned gambling operators to be alert for hackers using technologies like e-wallets and bank cards to evade detection. The regulator suggested that hackers can often be identified by operators because they exhibit different gaming behaviours, placing more or larger bets over longer sessions.
It also noted that registrations for its Phishing Alert service have tripled since the introduction of the new protocol, most likely due to an increase in awareness of cybersecurity risks. Players can activate the alert via the DGOJ website in the Identity Theft Alert section. They provide their details and will then receive notifications about any suspicious activity.
Last year, the AEAT signalled that it would be getting stricter on ensuring that players report gambling winnings in their income self-assessments. Director general Soledad Fernández said that the agency would increase its scrutiny of profits from online gambling as well as cryptocurrency, foreign income and property rentals. In 2022, rules were changed to require the disclosure of all gambling winnings. Previously the threshold that required disclosure was €300.
