Casinos and other gaming businesses: Change mindset to protect against fraud. By David Navarro, Nevada Regional President Enterprise Bank & Trust, Member FDIC
The bulk of popular culture references and media coverage related to fraudulent activity at casinos focus on threats within the confines of a building. From card counters to machine manipulation to nefarious employees, the gaming industry continually adapts to trends in an effort to minimize losses. However, a recent high-profile cyber attack provided a stark reminder that increased and necessary reliance on technology continues to change the nature of threats industry leaders face.
In September, hackers gained access to customer information for MGM Resorts International – one of the largest gambling firms in the world. MGM expected a $100 million hit to its bottom line in Q3 after being forced to shut down systems upon discovering the data breach, which involved customers’ private data including contact information, gender, date of birth and driver’s license numbers, according to the company’s regulatory filings.
For gaming industry leaders, the wake-up call is apparent. Fraud continues to be a leading threat, but while past focuses were on internal bad actors and clever con artists, the external threats continue to mount. Gaming firms have an opportunity to enhance their defensive plans based on the latest threats in order to combat fraud across an expanding digital target.
Reliable and skilled banking partners should be part of any preventive plan in helping to avoid incidents, while additional procedures should be adopted in the event of needing to maximize recoveries and minimize interruptions. In particular, banks can do more than just "hold the money” and provide lending services for firms invested in prevention of fraud. A strong financial services partner can potentially help casinos combat fraud before it occurs.
Why casinos?
The FBI recently acknowledged the trend of increased ransomware attacks on casinos and other gambling-oriented businesses. This makes sense for many reasons, the most obvious being the large amount of money involved. However, the number of entry points to vital data and information can be overlooked. Because of the heavy regulatory activity related to gambling, casinos and third parties have a duty to heavily monitor clients, workers and money.
In short, the gambling industry generates large amounts of money and proprietary data.
What are the biggest threats?
Cybercriminals use all of the well-known methods, including phishing schemes that deceive users via e-mail and social engineering campaigns that manipulate users into divulging compromising information through communications or social media. However, significant vulnerabilities can exist from third-party vendor systems or remote access into internal systems. These can be used to encrypt servers and compromise and steal the desired data. Customer experience technology including wearable gaming devices, traceable casino chips and more can also provide access to larger systems.
This has been especially true for smaller and/or tribal casinos that may have fewer resources available.
In addition to more traditional ransomware attacks, schemes like account-takeover fraud utilize customers’ personal information to withdraw funds or unique loyalty benefits from the victim’s account. This can lead to harsh financial consequences in terms of refunds or payouts but also damages trust in a brand.
Additionally, threats to online gaming services involve most of the same risks, but one current trend involves Distributed Denial of Service (DDoS) attacks, which involve overwhelming a target service’s systems with requests. This leads to service disruptions that allow the perpetrator to win head-to-head games, increase disconnections from outside parties and manipulate rankings or winnings.
How an experienced bank helps
The most effective plans to address fraud start by having protections in place to begin with, particularly when it comes to finances and digital threats.
Because doing business in the gaming industry remains inherently complex due to the regulatory environment, the banking needs for casinos and other gambling-oriented businesses and corresponding relationships with financial institutions are complex, as well. Thankfully, a successful partnership helps ensure that a business will have access to specialized expertise needed to combat both traditional and emerging fraud techniques.
A collaborative financial partnership to manage all the moving parts of the banking relationship in a responsive and communicative manner becomes imperative for any gaming firm preparing for specific threats. Here are some important protection measures that banking partners can assist with:
- Address vulnerabilities through strong safeguards that reduce instances of fraud perpetrated through financial account information or systems.
- Identify opportunities to balance level of transaction protection without negatively impacting overall business operations or customer experience.
- Provide banking professionals who are well versed in the gambling space, with the ability to make sure industry-specific financial numbers are accurate and free of potential suspicious activity.
- Recommend industry partners that can assist with the protection and response, especially when coordinating needs with outside vendors and third parties.
While cyber policies are an integral component of protection, all companies should develop and implement an incident response plan, with consideration given to all internal and external team members who should be involved.
Should a breach occur, banking partners can be prepared to respond with access limitations or history. When it comes to maximizing recovery and minimizing interruption after an incident, however, other partners including cybersecurity vendors, cyber insurance providers and legal aid may take a more central role.
Most importantly, leaders need to immediately escalate any suspicious transactions to the financial institution, especially ACH or wire transfers. There is a limited recovery window for these transactions and expedited attention may prevent further loss. A banking partner can often quickly assess the situation and keep it from devolving if fraud or cyberattacks are verified in collaboration with the gaming firm and relevant response parties, such as law enforcement.
With a prevention plan that properly utilizes tools, controls, policies and continuous education, proactive mitigation of risk associated with a destructive fraud attack becomes possible. Although the initial investment in time and resources may deter some businesses from implementing this type of prevention and response strategy, the long-term maintenance of an effective plan ends up being both practical and economical.