​Faking the Winning Ticket

In the high-stakes world of lotteries, regulators and operators need stronger controls against fraudulent schemes.

Comments Views

​He might have gotten away with it if he hadn't been greedy, a U.K. judge said in sentencing a man to nine years in prison for lottery fraud. The BBC reports that Edward Putman used a forged lottery ticket to claim a £2.5 million prize in 2009. The court found that Putman collaborated with an employee of National Lottery operator, Camelot U.K. Lotteries Ltd., to create the fraudulent ticket based on a list of unclaimed winning numbers.

The scheme began to unravel after Putman's accomplice, Giles Knibbs, took his own life in 2015. Putman and Knibbs had a dispute over dividing the winnings, and earlier in 2015, Knibbs had told friends he had "conned" the Lottery.

Lessons Learned

Creating a fraudulent lottery ticket is not as difficult as one might think. Similar to creating fake credit cards, there are resources on the internet that describe the basic steps for making a fake ticket. One simple method is to alter the date for which an expired ticket, with a winning number, was issued to fool the sales agent into believing that the ticket is currently valid.

However, this story involves a much more sophisticated methodology that requires a more systematic approach to fraud prevention and detection. In this case, the story notes that the U.K.'s Gambling Commission fined Camelot £3 million in 2016 for violating its operating license in the way it controlled databases, investigated prize claims, and paid out prizes. These are areas where lottery operators and regulators should consider some measures:

  • Regularly review and enhance controls relating to ticket-making databases and other information sources. Putman's accomplice, Knibbs, had seen a document detailing big prizes that had not yet been claimed, while he was working for Camelot. Lottery operators should tightly protect such information, particularly details of unclaimed winning ticket numbers and locations of their sales. Very few people should have access, even within the fraud detection department.

    Related to this, human resource controls, such as regular background checks and rotation of staff, can help deter and detect fraudulent activity. Lottery operators cannot assume that specialized, experienced, long-term employees who perform highly sensitive duties can always be trusted without some measures of verification.

  • Make processes for investigating and paying out a prize claim as stringent as possible. This is especially necessary for large prizes. In this case, Camelot paid out the prize to Putman despite the fact that the bottom part of the mangled ticket was missing its barcode. Even if the ticket had been found valid, this is an obvious "red flag." Lottery operators should consider some form of multifactor authentication of a ticket purchase such as a duplicate paper receipt or an electronic form that contains all relevant security information. A winning ticket should not be successfully claimed without such evidence.

  • Improve public communications about fraud prevention. Lottery operators such as Camelot should communicate about fraud-prevention measures on their websites and through other channels. Moreover, they should add audit requirements to demonstrate the continuing effectiveness of their controls over the lottery ticket process.

    In the news story, Camelot states that, "We've strengthened our processes significantly since then and are completely confident that an incident of this nature could not happen today." However, Camelot's website does not provide information about either this incident or how the company is improving its fraud-prevention measures.

    Lottery industry regulators should consider requirements to improve this aspect of fraud awareness and prevention, including for public communications and auditing. This might include public reporting of audit results. As a measure of deterrence, regulators could mandate that a company's operating license be suspended if a further incident of fraud occurred.
Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx


Comment on this article

comments powered by Disqus
  • IIA GRC_July 2020_Premium 1
  • AuditBoard_July 2020_Premium 2
  • IDEA_July 2020_Premium 3