How Bogus Lottery Scams Work

The FBI recently reported on arrests of a number of lottery scammers in what they call “Operation Hard Copy.”  We do like to report when cyber-criminals are arrested, prosecuted, and jailed, because it shows that stopping cyber-crime is not impossible.  But it is almost always a multi-national, multi-jurisdictional undertaking that requires the cooperative efforts of law enforcement from several countries.

What I found most interesting was the way that this scam operated.  The FBI reported that most of the victims were seniors, and that the “victims of the scam were targeted by the use of lead lists, which are the names, telephone numbers, and personal information of potential victims. The lists are often assembled in the United States and are sold to lottery scammers. Some lead lists are created by list wholesalers who send out bogus mass mailings purporting to be sweepstakes entries. Consumers, thinking the mailings are legitimate, pay to enter the non-existent sweepstakes. The wholesalers in turn pocket the entry fee then sell the consumer contact information to scammers for as much as $5.50 per potential victim.”

So this scam is coordinated between several groups of criminals.  The first group buys a mailing list of potential victims, based on demographics such as age and income or wealth.  They send out mailings inviting people to to register for the lottery, and the registration includes an “entry fee” which this first group keeps.  They also have created a list of targets, which they sell to another cyber-crime group at $5.00 per lead.

This second group then contacts the targets, informing them that they have “won” the lottery.  In order to collect the prize money, the “winner” is required to pay taxes in advance, or to send another fee of some sort.  So this second part is just another version of the advance fee fraud that is typically part of things such as the Nigerian prince letter.  The “winner” loses the second fee, and often their bank accounting routing number and account number .  With this information, the cyber-criminals can make unauthorized withdrawals and transfers out of the target victim’s bank account.

There are no real winners in these lotteries, except the perpetrators.  As with so many of these online scams, the only true defense is vigilance and skepticism.  If you are in the mood to gamble, nearly every state in the US has one or more lottery games, and Native American casinos are everywhere.  And remember the definition of a lottery is “a tax for people who do not understand math.”  Odds always favor the house.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.