In This Article:
How should I protect my personal information?
Can I monitor logins to my account?
How do I report a security incident?
How can I identify phishing e-mails?
How can I identify phishing websites?
What should I do to protect my personal computer?
How can I better protect myself online?
Please be aware that Betfair will never ask you for your password or security questions by email. If you have any concerns or questions, or if you suspect your details may have been compromised, get in touch with us.
Security Questions Help?
You will be asked to confirm your security questions for a number of reasons. The questions are your guarantee that only you can access your Betfair account, and ensure that your details are secure and that no-one else can access your account.
The most likely times you will be asked are:
- When contacting Customer Service via the phone or chat
- If you use the Forgotten Password option
If you have any issues resetting your password at the security question stage, please contact us by chat or telephone.
How should I protect my personal information?
Your personal information is valuable, both to you and to fraudsters. Betfair understands this, and we have developed secure processes which further reduce the risk of your details getting into the wrong hands.
For example, our processes ensure that nobody from Betfair will ever contact you and ask for your password or for your personal payment or financial details. Any emails or phone calls that ask for such information are bogus and fraudulent.
Do not respond to these scammers. If you suspect that somebody is misrepresenting themselves as a Betfair employee on the phone, ask the caller for details of the issue, disconnect and contact Betfair immediately. If it's an email, do not respond to the sender. Instead, contact us and we will be able to advise on the best course of action.
Can I monitor logins to my account?
We've added a handy new feature under the 'My Security' section which lets you review all of the access to your Betfair account.
Essentially, you can check this section to verify the date, time, country and Internet Protocol Address for each login.
If there are details of a login which you cannot account for, or from a country that you did not visit, you can contact us and have our staff check out your concerns.
How do I report a security incident?
If you believe that you have discovered a vulnerability in a Betfair product, please report it to us through HackerOne - https://hackerone.com/flutteruki.
If you have a security incident to report, please get in touch with us through our customer support.
Please include a detailed summary of the issue, including the name of the product (e.g. Exchange, Sportsbook, etc.) and the nature of the issue that you have discovered. Make sure that you include an email address where we can reach you, in case we need more information. Upon receipt of your message, we will reply with a unique tracking number.
We value the security of Betfair services, as well as your privacy, when you report vulnerabilities or incidents to us.
What is Phishing?
Phishing attacks are carried out by an attacker who sends a genuine looking communication, such as an email, to their victim claiming to be from a company with which they have dealings, e.g., Betfair. These spoofed emails will ask you to "verify your details" or "re-submit" personal account information. There's often a link provided that takes you to a fake website that looks very similar to the legitimate one. This website may ask you to input login, password and other details such as your credit card number to verify your account. Unfortunately, the recipient of your information is a fraudster who will use your information for financial gain.
The best way to protect against Phishing attacks is learning how to identify suspicious emails and websites.
How can I identify phishing e-mails?
A Phishing (or spoofed) email will try to represent a well-known company such as Betfair and request personal information from you, the customer. The following are some characteristics to help you identify Phishing emails:
Common or general greetings
Many Phishing emails begin with a common greeting, such as, "Dear Betfair member". If you don't see your first or last name, be suspicious and don't click on a link or open any attachment.
A false sense of urgency
Many spoofed emails try to alarm you by claiming your account is at risk unless you update it immediately. The email may even claim that an unauthorized transaction occurred on your account, or that Betfair is updating its records and needs confirmation of your details. These are all tactics to trick you into clicking on a fake link which then opens a hoax website that encourages you to re-enter your personal and financial information.
Misspellings and bad grammar
Phishing emails often contain spelling mistakes, bad grammar, or missing words. This can be due to the fact that the email is not written in the native language of the fraudster, or because spelling mistakes help fraudsters avoid email spam filters.
Fake links
Some Phishing emails look like a company's webpage. Always check the destination of any link before you click by moving your mouse over it and examining the website address in your browser or email status bar.
How can I identify phishing websites?
The following are some characteristics of Phishing websites.
Hidden Address bar
Many Phishing websites disable the browser's 'address bar', meaning that the address of the website you are visiting is not visible to you. This is deliberate so that you will not notice that the site you are viewing is a hoax website and not the correct address.
Deceptive URLs
Phishing emails sometimes show links that appear similar to the web address of a genuine company website. Clicking on these links however will result in you visiting a hoax website. Here are some indicators to be watchful for:
- If you see an @ character in the middle of a URL, there's a good chance this is a spoof (e.g. https://Betfair.com@ 3574397731).
- Even if a URL contains the word "Betfair" it may not be a Betfair site.
Examples of deceptive URLs include www.Betfairsecure.com, www.myBetfair.com, etc. Pay close attention to the URL structure: myBetfair.com is not a genuine Betfair URL, whereas my.Betfair.com is (myBetfair.com is a totally different domain from Betfair.com). The primary domains used by Betfair include Betfair.com and Betfairpoker.com.
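The indicators above can be checked mechanically by looking at the host a browser will actually contact rather than at how the link reads. The following is an added example, not Betfair's own code: the function name `checkLink`, the reason strings and the sample links are constructed for illustration (the first sample is the page's own `@` example with the space removed), and only the two primary domains are taken from this page.

```javascript
// Added example: judge a link by its real host, not by where "Betfair" appears.
// GENUINE_DOMAINS is taken from the page; all other names are hypothetical.
const GENUINE_DOMAINS = ["betfair.com", "betfairpoker.com"];

function checkLink(link) {
  let url;
  try {
    url = new URL(link); // same WHATWG parsing rules a browser applies
  } catch {
    return { host: null, genuine: false, reasons: ["unparseable"] };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const reasons = [];

  // Text before "@" is a username, not the site being visited.
  if (url.username || url.password) reasons.push("userinfo-before-@");

  // A decimal host such as 3574397731 is normalised to dotted IPv4 by the parser.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    reasons.push("ip-address-host");
  }

  // Genuine only if the host IS a listed domain or a subdomain of one.
  const onGenuine = GENUINE_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (!onGenuine) {
    reasons.push("not-a-betfair-domain");
    // The brand name inside some other domain is a lure, not proof.
    if (host.includes("betfair")) reasons.push("brand-name-in-foreign-host");
  }
  return { host, genuine: reasons.length === 0, reasons };
}

// Constructed sample links covering the cases the page and its figures describe.
const SAMPLES = [
  "https://Betfair.com@3574397731/",     // "@" plus decimal address
  "https://www.myBetfair.com/login",     // brand word inside another domain
  "https://betfair.com.login.example/",  // Betfair used as a sub domain
  "https://www.betfaiir.com/",           // close spelling
  "https://my.Betfair.com/account",      // genuine subdomain
];
for (const s of SAMPLES) {
  const r = checkLink(s);
  console.log(r.genuine ? "OK  " : "FAKE", s, "->", r.host, r.reasons.join(","));
}
```

Because the check is an allowlist on the end of the host name, the close-spelling case is rejected without any need to recognise the misspelling itself.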
Recommendations:
- If you think you may have accidentally visited a Phishing website, we're only a phone call away to help you.
- If you are suspicious whether a website you have visited is an authentic Betfair website please contact antiphishing@betfair.com.
Figure 1: Spoofed Betfair site with deceptive URL

Figure 2: Spoofed Betfair site in decimal format

Figure 3: Spoofed Betfair site with URL containing word Betfair

Figure 4: Spoofing domain name with Betfair as sub domain

Figure 5: Spoofing domain with close spelling (www.betfaiir.com)

What is a DDoS attack?
A DDoS (Distributed Denial of Service) attack is a technique used by criminals to disrupt or crash websites. It works by sending millions of page requests to a website (just like when you hit F5 to refresh a webpage) until it eventually crashes. You may have seen that over Christmas the Sony PlayStation and Microsoft Xbox platforms were attacked by a similar group, who demanded Bitcoin payment before they would restore the service.
Is my money safe?
Absolutely yes. All client funds are ring-fenced and are as secure as can be.
Could it happen again?
Yes. It would be irresponsible for Betfair to claim that we won't ever be attacked again. However, rest assured that site uptime and stability continue to be our top priority and we'll continue to invest in systems that protect us from criminal activity.
What is Adware?
This is also a type of Trojan. Adware refers to software which automatically plays, displays, or downloads advertising material to your computer. Adware usually comes bundled with freeware software to generate advertising income.
What are Trojans?
This attack is derived from the classical myth of the Trojan Horse. Trojans are applications that masquerade as legitimate and often interesting software. Links or attachments in emails from people you don't know should always be treated with suspicion. Of course, if you have an up to date anti-virus program running, you greatly reduce the risk of being infected with a Trojan, but it’s best not to take any chances.
Among the nastier Trojans to watch out for are "keyloggers", which capture and store all the information you type and then forward it to some very sophisticated hackers or criminals.
What is Spyware?
Spyware is another type of Trojan that performs activities on your computer without your knowledge. Typically, Spyware monitors your computing habits to gather personal information. This can be analysed to provide advertising information, collect credit card numbers, profile your browsing patterns and so forth.
What should I do to protect my personal computer?
Your computer has the potential to become the target of an attack by a criminal hacker. Their goal might be to capture your personal information, use your machine to attack others or it could even be used to store illegal data. Here's what you can do to help protect yourself and minimize the risks:
- Keep your system and software up-to-date and only download patches, upgrades, new releases, applications or other files from trustworthy sites.
- Install anti-spam, anti-virus and spyware software, and keep those up to date with the vendor's latest patches and signature files.
- If possible, configure your computer to run the 'automatic updates' option.
- Your broadband router or home PC may be able to run a powerful security tool called a firewall. A firewall restricts external access to your computer. They can be complicated and require some time to set up, but are well worth it.
- Be cautious when you click on links within emails or web pages. Bear in mind, they could be fake and lead to harmful web pages.
- Read pop-up messages carefully and don't automatically choose 'yes' or 'ok'.
- Try to avoid using public computer access points like those at Internet Cafés for access to your Betfair account, or to any of your sensitive on-line systems, such as banking or shopping.
- Visit http://www.getsafeonline.org/ for more useful tips.
Knowledge is the key to protecting yourself online. Common dangers include Trojans, Spyware, Adware and Phishing. All of these can contribute to fraud and identity theft.
How can I better protect myself online?
- Be aware of phishing emails.
Betfair emails will be sent in the same format and structure at all times. We will never request you to update your details/passwords by clicking on a link via email. If at any time you wish to update information, always log in to your account by visiting www.betfair.com and going to the 'My Account' section. This applies to emails from banks and other legitimate businesses.
- Check your logins.
Visit the 'My Account' section and click on 'My Security'. In this section you can view your recent logins. If you do identify any logins that you are concerned about, please contact Betfair for further guidance.
- Don't share your username and password.
Never, ever, under any circumstances disclose your Betfair username and password to a third party. Memorise your username and password and ensure your password is not easily guessed. It is never wise to write down these details or store them on your computer.
- Change your password regularly.
It's a good security practice to change your password on a regular basis. Having a Betfair-specific password, i.e. one that you do not use for other services, will also increase the security of your account. Simply put, the more you share your secret, the higher the chances of it being leaked.
- Never click on a link which purportedly sends you to the Betfair website.
You should always access the Betfair website by typing the address into your web browser. Fraudsters often attempt to direct you to a website where malicious software can be downloaded to your computer or executed within your browser session.
- Always log out of your Betfair account once you have finished using the site.
If you don't log out you may leave your account exposed to session hijacking attacks for a short period of time.
- Beware of emails from people you do not know or trust.
These could be harmful to your computer and it is best that you delete them immediately.
- Install reputable anti-virus, firewall and spam filtering software.
This will give you the best possible protection against criminals accessing your information. Make sure you regularly update this software when prompted to do so.
- Avoid, if possible, using publicly available computers and terminals to access your Betfair account.
Malicious software, such as key loggers and Trojan horses, could be loaded onto these systems prior to your use.
- Clear your private data from your browser.
This is especially important if you use public access computers or terminals. Be sure to clear all private data such as saved passwords, cache, cookies and form data right after you use a public computer.
Additional external references:
- Regular updates and information about your browser and operating system security.
- Get Safe Online and Identity Theft are two sites developed by the Government, police and industry-leading bodies to offer advice on how to stay safe online and how to protect yourself from identity theft attacks.
- CIFAS is a non-profit organisation dedicated to preventing fraud. The service is open to people who have fallen victim to or are at risk of identity theft attacks.