The Extraordinary Christmas Lottery and its cybersecurity implications EN

Hello readers!

Pay close attention to today's post, because we bring you an article about cyber threats linked to the Christmas Lottery campaign! The Christmas season is here, a time of celebrations that many people look forward to all year long: decorations, lights, gifts, special meals and, of course, the Extraordinary Christmas Lottery. This draw, one of the most popular in the country, has been held every year since 1812 and takes place on December 22nd. It has become a cultural phenomenon of international relevance in which up to 7 out of 10 adults in Spain take part each year. The public state agency Loterías y Apuestas del Estado puts on sale, across all of the country's Autonomous Communities, tickets (décimos) bearing a five-digit number that may be awarded a prize in the draw, which this year will once again be held at the Teatro Real in Madrid, as in recent years. In 2023 the tickets went on sale on July 12th, and 185 million décimos have been issued, according to RTVE [1].

There are many reasons why Spaniards decide to take part in the Christmas Lottery, even those who are more sceptical and do not play other draws of this kind. One of the most important is that, as mentioned above, it has become a genuine national cultural phenomenon and therefore a long-standing tradition. In fact, this tradition leads people to buy shared tickets at work, among neighbours, within the family or even at school, so that social and group pressure makes it hard for an individual to refrain from buying or sharing a ticket. In addition, the excitement of the Christmas festivities makes people more inclined to join events that create a sense of belonging, not forgetting those who buy out of superstition or in the hope of winning a prize, since, compared with other draws, the Christmas Lottery offers a very large number of prizes.

In this context, it is reasonable to expect cybercriminals to exploit a phenomenon that so many people join out of excitement and trust, designing attack campaigns aimed at Christmas Lottery buyers. To connect this point with the above, it is worth recalling Kevin Mitnick (1963-2023), one of the world's best-known social engineering experts, who stated that four fundamental human traits make people likely targets of social engineering, that is, of psychological manipulation through deception. The principles are the following:

  • We all want to help.
  • The first move is always one of trust towards the other.
  • We don't like to say "no".
  • We all like to be praised.

Therefore, if we combine social pressure, excitement, tradition and the hope of a prize with the desire to help, the trust placed in the people we interact with and the difficulty of saying "no", the Christmas festivities and, in particular, the Extraordinary Christmas Lottery turn out to be the perfect breeding ground for a surge in cybercrime over the end-of-year holidays. This is all the more relevant because, despite the traditional long queues to buy a ticket at the most "lucky" administrations, such as Doña Manolita in Madrid, every year more users opt for the immediacy of buying Christmas Lottery tickets online.

As a result, phishing campaigns commonly proliferate from the start of Christmas Lottery sales, and especially in November and in the December days before the draw. In them, Loterías y Apuestas del Estado is impersonated through different channels (e-mail, SMS, etc.) to contact lists of users indiscriminately and get them to disclose personal or financial information under the false pretexts historically used in all kinds of phishing: an alleged account validation required to operate on the website, a supposed password reset or, more specifically, the sale of fake Christmas Lottery tickets through fraudulent websites.

Illustration 1. Phishing distributed by e-mail impersonating Loterías y Apuestas del Estado. Source: Blog Protegerse

In all of the above cases, the communications most often contain a link to an external website that imitates the agency's official site in order to harvest data from users, as shown in the following example. In practice, anything typed into the forms on such a site is sent to the cybercriminals behind the campaign, who can then use it for malicious purposes.

Illustration 2. Fake website impersonating Loterías y Apuestas del Estado. Source: Blog Protegerse 

On other occasions, the message, usually sent by e-mail or SMS, tries to get the user to download a supposed lottery ticket, presented either as a gift or as the result of a lottery purchase the recipient has supposedly just made. In practice, however, the most common outcome is that opening the download executes malware designed to compromise the user's device.

Even more common are fake notifications sent after the draw has taken place, impersonating the organisation and claiming that the recipient's décimo has won a substantial prize. Their purpose is to collect sensitive personal and financial information under the pretext of needing additional details or identity verification in order to pay out the prize. The mix of nerves, joy and excitement that such a message can provoke makes recipients less inclined to stay alert and check where the contact came from, which can lead to a hasty decision that, without their realising it, works against them.

Illustration 3. Smishing regarding an alleged lottery win. Source: Telematic Crimes Group of the Guardia Civil (Facebook)

In this case, attacker-victim communication commonly happens by e-mail and SMS, since these channels let threat actors reach a large number of users with few resources, but also by phone call: the rise of vishing, combined with automated human-sounding voices and deepfakes, not only reaches many individuals but also lends greater credibility with the recipient, who interacts either with another human being ("the first move is one of trust towards the other") or with an artificial intelligence (AI) that pretends to be one. Moreover, as in the previous case, the fraudulent communication is often combined with a phishing website impersonating Loterías y Apuestas del Estado, where users are asked to fill in forms that hand the attackers all the data they need to commit fraud and scams in cyberspace.

In all these cases, and just as in phishing campaigns using other lures, there are variants whose ultimate goal is to deploy a malware family on the user's device, spread through e-mail attachments or embedded in fake websites impersonating the agency. Cybercriminals commonly use information-stealing malware (spyware) and, more specifically, banking trojans ("bankers"), built to steal online banking information.

On the other hand, during November various national agencies and police forces have warned about the rise of the now traditional "tocomotxo" scam, in which a stranger approaches people claiming to hold a winning Christmas (or any other) lottery ticket that, for some personal reason, he cannot cash in, and offers to sell it for considerably less than the prize it would pay out. To gain the trust of potential victims, according to the authorities the fraud is most often carried out near a lottery administration, although, given the expansion of cyberspace, it cannot be ruled out that this well-known scam will be adapted for social networks, e-mail and so on, as a possible evolution of the "Nigerian letter" (advance-fee) scams.

Finally, with the draw approaching and Christmas Lottery sales expected to rise in the coming weeks, we have gathered here ten recommendations for participants in the Extraordinary Christmas Lottery so that they can avoid falling victim to a cyber-attack of the kinds described above:

  • First of all, always buy Christmas Lottery tickets from official, authorised lottery administrations. When buying online, first verify that the website you are on really belongs to an authorised administration, and check that the address bar shows the official domain of the administration you meant to visit, not merely a page that displays its name or logo.
  • Secondly, pay for tickets with prepaid cards or cards with a spending limit, or through intermediaries such as PayPal, so that the most sensitive card details (full card number, expiry date and CVV) never have to be entered on a third-party website.
  • Thirdly, to confirm that the transaction is genuine, ask for a receipt or proof of payment for the ticket. On official websites, both the receipt and the ticket itself are normally sent to the buyer's e-mail address once the transaction has been verified.
  • Fourthly, verify the authenticity of the ticket you bought. Pay attention to its price, since a décimo never costs less than 20 euros, and check that it carries the official logo and the stamp or code of the administration where it was purchased. Official tickets also carry a holographic seal, a bar code and a unique serial number. In case of doubt, the ticket's authenticity can be checked at any official point of sale.
  • Fifthly, if you buy a ticket jointly with other people, draw up a document stating that the purchase is shared, listing the full name and ID number of everyone involved and specifying who is responsible for keeping the ticket until the draw on December 22nd.
  • Sixthly, be especially cautious with notifications that arrive by e-mail or SMS: look at where the message comes from, whether the sender is known and what the message is asking for, and do not interact with it if anything looks suspicious. Do not follow external links that ask for sensitive information and do not download files of unknown origin.
  • Seventh, check whether your ticket has won only at authorised points of sale, and ignore phone calls claiming that it has. As in the previous point, never disclose sensitive information through any channel other than the official one and, if you receive calls from unknown numbers, add them to the device's block list.
  • Eighth, do not share pictures of your tickets on social networks: they contain valuable information, such as the number and series, which could let an attacker impersonate the owner, attempt to claim the prize if the ticket wins, or contact you posing as the lottery administration to request further information.
  • Ninth, remember that a Christmas Lottery winner will never be asked to make any payment in order to receive the prize.
  • Tenth and lastly, contact the relevant authorities and Loterías y Apuestas del Estado if you suspect you have bought a fake Christmas Lottery ticket or have fallen victim to a lottery-related scam.
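The first, sixth and seventh recommendations above, and the phishing and smishing lures described earlier in the post, come down to one check that users get wrong under pressure: is the link really on the agency's domain, or does it only look like it? As an added example (not code from the original post nor from Loterías y Apuestas del Estado), the Python below triages a lottery-themed SMS or e-mail body by classifying every link's host as official, an IDN/punycode homograph candidate, the official name abused as a subdomain of an attacker domain, a typosquat, or unrelated, and then combines that with the lure wording (prize, verification, time pressure, pay-to-collect). The allowlist entry loteriasyapuestas.es is an assumption, since the post names no official domain; the lure patterns and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# ASSUMPTION (the post names no official domain): registrable domains the
# reader trusts for the agency. Replace with the real allowlist before use.
OFFICIAL_DOMAINS = {"loteriasyapuestas.es"}

# Lure wording typical of the campaigns described in the post (Spanish and
# English). The patterns are constructed for this example.
LURE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bpremi(o|ad[oa]s?)\b|\bprize\b",                    # "you have won"
        r"\bverif|\bvalid",                                    # verify / validate
        r"\burgent|\binmediat|\b24 ?h\b|\bhoras\b|\bhours\b",  # time pressure
        r"\btasa\b|\bfee\b|\bpago\b|\bpayment\b",              # pay to collect
    )
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LOOKALIKE = {"idn", "subdomain_abuse", "typosquat"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .es/.com; a real deployment
    should use the Public Suffix List so that e.g. .co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Classify a link's host: official, idn, subdomain_abuse, typosquat or unrelated."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Non-ASCII or punycode labels are where homograph attacks live
    # (an accented "í" standing in for "i", for instance).
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in labels):
        return "idn"
    base = registrable_domain(host)
    if base in OFFICIAL_DOMAINS:
        return "official"            # www.<official> or any genuine subdomain
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if brand in host:
            return "subdomain_abuse"  # brand name hanging off an attacker-controlled domain
        if levenshtein(base, official) <= 2:
            return "typosquat"        # one or two characters off the real domain
    return "unrelated"


def triage_message(text: str) -> dict:
    """Score one SMS or e-mail body from its links and its lure wording."""
    verdicts = {}
    for url in URL_RE.findall(text):
        verdicts[url] = classify_host(urlparse(url).hostname or "")
    lures = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    lookalike = any(v in LOOKALIKE for v in verdicts.values())
    off_site = any(v != "official" for v in verdicts.values())
    # Hold for review if a link imitates the agency, if a lottery lure points
    # anywhere but the official site, or if two or more lure signals stack up.
    suspicious = lookalike or (off_site and bool(lures)) or len(lures) >= 2
    return {"urls": verdicts, "lures": lures, "suspicious": suspicious}


# Constructed sample messages (not real captures): a smishing lure with a
# subdomain-abuse link, a benign confirmation and a link-less advance-fee text.
SAMPLE_MESSAGES = {
    "smishing": ("¡Enhorabuena! Su décimo ha sido premiado con 400.000€. Verifique su identidad en "
                 "https://loteriasyapuestas.es.verificar-premio.com/login en las próximas 24h."),
    "benign": "Su compra ha sido registrada. Consulte el estado en https://www.loteriasyapuestas.es/",
    "advance_fee": "Has ganado un premio de 50.000€. Pague la tasa de gestión y responda en 24h.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, triage_message(body))
```

The subdomain-abuse case is the one worth remembering: the address "contains the official domain", as a naive check would require, yet the registrable part is the attacker's. Anchoring the comparison on the registrable domain, not on a substring match, is what makes the first recommendation hold up.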

And this is the end of today's post. We hope you found it useful and that you liked it, and don't hesitate to share it so that it reaches more people! 

See you next time!


[1] No author. "Arranca la venta de Lotería de Navidad en toda España con 185 millones de décimos, cinco más que en 2022". RTVE. Available at:

Raquel Puebla González and Itxaso Reboleiro Torca, Cyber Intelligence Analysts at Innotec Security, Part of Accenture
