
Q&A: Kwiff’s Sean Spiteri on the fraud arms race in online betting

Sean Spiteri

Fraud has become one of the defining operational risks for online betting operators. As payment journeys become faster and more seamless, the same infrastructure enabling instant deposits and withdrawals has also created fertile ground for increasingly organised fraud networks.

Industry forecasts suggest financial institutions will spend more than $21bn on fraud detection in 2025, with that figure expected to rise sharply over the coming years as digital payments expand.

The gambling sector sits squarely within this escalating arms race. While card fraud once dominated the threat landscape, operators now face more complex attacks centred on account takeovers, social engineering and the manipulation of payment workflows themselves. In many cases, fraudsters are no longer probing systems blindly but studying payment flows, withdrawal rules and risk thresholds before designing attacks around them.

Ahead of SBC Summit Malta, Payment Expert spoke with Sean Spiteri about how these tactics are evolving, and what the betting industry can learn from fintech’s far larger investment in fraud prevention.

Read the full interview below.


Fraud losses in online gaming continue to climb. From your vantage point, what types of payment fraud are proving most difficult to control today?

Fraud in online gambling has become more sophisticated nowadays, and the most difficult fraud to control isn’t the use of stolen cards anymore, but it’s account takeover accompanied by smart withdrawal strategies.

Fraudsters are actively studying operators’ payment flows, velocity limits, withdrawal automation rules, and so on. They then opt to design their attacks around these flows, proving fraud mitigation harder than ever.

We’re also seeing more sophisticated social engineering. Deepfake and AI-assisted impersonation tactics are improving at a rapid pace, which increases the success rate of account takeover. In practice, the bigger challenge lies with how quickly fraudsters can operationalise their attacks at scale, which subsequently highlights the Operator’s biggest challenge: response time over simple detection.

Fintech is investing tens of billions into fraud detection. Which tools or techniques from fintech do you think iGaming operators should be adopting more aggressively?

One area where iGaming Operators are lacking is a true unification tool which enables different Operators to collaborate and share fraud patterns & strategies being deployed by fraudsters, and instead, these are being safeguarded as company secrets as if they provide some sort of competitive advantage as opposed to being a shared vulnerability.

Unification on this front would result in a singular force in the fight against fraud, making it harder than ever for fraudsters to take advantage and reducing their success rate across the board, which ultimately reduces friction for good players, adds friction where it needs to be, and finally provides a safer gambling experience overall.

AI-driven behavioural analytics is often cited as the next frontier. In practice, how effective is it compared to traditional rule-based systems?

Rule-based systems are built upon predetermined thresholds such as velocity limits and several other metrics, which work well for risks which are already known by the user setting these safety barriers up. The main advantage here is the transparency with regard to having an audit trail, and how simple it is to explain the logic to regulators.

On the flip side, AI goes beyond just looking at static rules and evaluates probabilistic patterns which may not be as evident, as it takes into account additional variables such as payment sequencing, payment timing and other factors to build a story.

Layering different strategies is the key for an all-encompassing risk-based approach driven by data, not just a hunch.

Mobile betting platforms appear particularly exposed. What makes fraud prevention on mobile more complex than desktop environments?

Linking a device to a specific player is particularly challenging, especially when compared to desktop’s stable environments, browser persistence and more predictive behavioural trails. Changes within the mobile sphere aiming to protect players with good intentions, unfortunately also work to safeguard fraudulent players.

Clear examples of how devices can be particularly exploited would be SIM swapping, app cloning, emulator farms and others. These get very complex, very quickly, which can leave a company exposed to different exploits.

Additionally, both Apple and Google add in privacy layers to limit fingerprinting capabilities across different apps. This is especially apparent when they provide multiple layers of user protection where each user is able to restrict access, disable and even reset different elements, such as the advertising ID.

This makes it harder to detect multiple account abuse, for instance, thus leaving operators on the back foot as they are essentially working in an environment which is intentionally hostile to tracking persistent identity.

There’s always a trade-off between security and user experience. How do you strike the right balance between frictionless payments and robust risk controls?

Whilst I understand the merit behind the argument of there being a conflict between security and user experience, there is also an argument to frame the discussion differently where the two are not juxtaposed against each other.

What I mean by this is that security also works in favour of user experience and not exclusively against it, as it works to ward off fraudulent users, which in turn, amplifies the feeling of safety for the good users as they can also bear witness to the safety measures in place at the casino they’re playing at, which renders dividends in trust which positively impacts both acquisition and retention rates.

On the other side of the conversation, if too many hurdles are put in place, players could rightly perceive this as too much effort for a leisurely activity. The aim is to get them to their end goal as quickly as possible – playing.

One way to mitigate this challenge is to ensure that most of the friction logic is tailored towards behavioural friction, as opposed to more traditional barriers which require player input like SMS verification. This is achieved by having invisible layers of resistance which only add friction when certain predefined criteria are met and challenge the player to authenticate.

Using data and pattern recognition, especially with the assistance of AI and machine learning, you’d be able to quickly identify anomalies within the player’s behaviour to trigger your digital safety nets.

The goal is not to eradicate friction, but to apply friction intelligently, guided by data rather than arbitrary rules.

As fraud tactics evolve, are operators moving fast enough, or is the industry still largely reactive?

There is definitely an improvement, but most structures are still built to be reactive, rather than proactive, and it mostly boils down to how teams are being organised.

A trend I’m noticing across different companies is the unification of the Payments department. Historically, Payment Operations and Payment Product lived in separate departments, whereas there is an ongoing shift where the two are being merged into one.

Product functions focus on PSP integrations & performance optimisation, whilst Operations teams manage risk and transaction monitoring. This separation can create delays between identifying a threat and implementing a strategic response.

Working within such a fast-paced industry where fraud tactics evolve rapidly, speed has become the defining advantage, and the industry is beginning to recognise that organisational alignment is as critical as technological implementations.

You’ll be discussing the fintech–iGaming crossover at SBC Summit. What’s the one lesson you believe gaming operators must internalise if they’re going to keep pace in this arms race?

One of the biggest lessons gaming operators can take from fintech is how payments are perceived.

Many gambling operators still treat payments simply as revenue which grants access to the casino. In contrast, fintechs extract greater value from each transaction, using it as a source of behavioural insight to build dynamic digital identities.

They operate on a continuous cycle of re-evaluation, using new behavioural data to adapt their strategies over time, rather than relying solely on information captured at initial verification.

