The Ministry of Social Rights, Consumption and Agenda 2030 registered almost 8,000 complaints (7,712) in 2024 from people who say they have been victims of identity theft in online gambling.
This is the first time that this figure has been known and it has been thanks to the protocol that Consumer Affairs launched last year through the Directorate General for the Regulation of Gambling (DGOJ) to protect taxpayers from these actions in the field of online gambling. The PACS, as this mechanism is called (Protocol for Action for Impersonated Taxpayers), has the collaboration of the State Agency for Tax Administration (AEAT) and the National Police, and is offered as a tool to assist those taxpayers whose identity has been used without their consent to hide winnings in online gambling and thus evade the payment of taxes.
In this way, and after the closing of the 2023 Income Tax campaign, the DGOJ has analyzed the data collected, focusing on those cases with winnings greater than 100 euros. Based on this, the DGOJ has detected that of all the people who won more than 100 euros in online games, almost 5% (4.7%) were victims of identity theft, according to the complaints filed. This percentage, in addition, could increase next year, warns the DGOJ, based on the preliminary data that are already known for the next fiscal year.
The data collected after the 2023 Income Tax Return show that identity theft affects men and women equally, despite the fact that the population of women who participate in online games only represents 16.5% of the total. Another significant fact is that most of the identity thefts, 91%, occurred in sports betting. The DGOJ analysis also highlights that the people who impersonate these identities use payment methods that are difficult to trace and cannot be verified in real time, such as electronic wallets and bank cards. In addition, these people have a different gambling pattern: making many more bets and for more hours per day, but using the impersonated accounts only 7.5 days on average, when the average for the general population is 35.8 days from activating the account until it is cancelled. The DGOJ has also identified that the use of the identities of family members or acquaintances is one of the most common patterns in identity theft, especially in cases of minors, in people registered in the General Register of Access Prohibitions to Gambling (RGIAJ) or in people who have been previously blocked by operators.
Another common pattern is identity theft for fraudulent purposes, both to avoid paying taxes and to carry out illegal operations. Given this reality, the DGOJ has conveyed to gambling operators the need to improve their fraud prevention and detection mechanisms, reinforce security in identity verification processes and guarantee effective care for those affected. It has also warned that these results and the perimeter of those impersonated are limited exclusively to people who have requested to join the PACS protocol and there are various reasons why a person may not have started the procedure, such as, for example, not having obtained profits greater than €100 or not having the obligation to file the declaration because they do not reach the minimum income.
Furthermore, the DGOJ emphasises that the activation of this PACS protocol has tripled the number of registrations in the Phishing Alert service, which reflects, in the eyes of the DGOJ, a growing concern for cybersecurity. Phishing Alert is a system designed to help citizens detect whether their identity is being used fraudulently in online gambling. Users can activate Phishing Alert directly from the DGOJ website, accessing the “Identity theft alert” section and providing their data to receive alerts in the event of suspicious activity.
