Participating in lotteries and sweepstakes: are we paying too much for a chance to win?


Personal data can be used for more than just ads

According to Tomas Stamulis, the Manager of the Informational security group at ATEA, data given away to a lottery – even a seemingly innocent one – can be used not only for marketing but also for criminal activity.

“By revealing our data, we risk that it can be used for a wide variety of purposes. Data can be illegally sold to various client databases or used for direct marketing purposes. However, cybercriminals can also pretend to offer you a chance to win a prize that in fact does not exist – this way, they can trick you to give away your data, which can then be exploited for criminal activity,” explains T. Stamulis.

Every situation that requires revealing data should be critically assessed

The informational security expert advises to always pay attention for what purposes, with whom, and what kind of data you are about share.

“You should consider if and what kind of data are safe to share in every individual situation. When you disclose your phone number or email, you risk being subjected to heavy advertisement or social engineering; if you reveal your address, you might get robbed. Revealing certain types of data might not be risky but giving away too much might result in complete identity theft. If this happens, criminal may get access to all your social media and internet accounts,” warns T. Stamulis.

How to recognize fraud hiding behind lotteries?

Most internet users have seen many fraudulent letters about winnings in lotteries or invitations to participate in various sweepstakes. Often, cybercriminals even imitate legitimate lotteries run by established organizations – thus, people are easily tricked into believing the published information and trust criminals not only with their data but also with their money.

Fraud related to the “Green card” (the permit to live and work in the US) lottery is especially common. Cybercriminals can imitate the official website of the lottery, the emails sent to those who win the permit. Fraudsters usually ask for a fee to complete the “Green card” application, promise an increased chance of winning the permit, send letters congratulating the participants on “winning” the lottery and asking to send money to pay for a visa.

Such offers should be viewed with suspicion. The official lottery is accessed at and its winners are determined completely randomly, so it is impossible to influence the outcome in any way. Further, the organizers of the lottery never ask for any payments until after the selection, while the winners are asked to come to the US embassy or a consulate.

There are also instances when users are informed (via email, text, or other means) about winning certain prizes and then are asked to “pay tax” or “cover the delivery expenses.” Falling for this trap and paying for these “fees” gives away all bank and personal data to the cybercriminal behind the invitation. One must also not trust giveaways or extreme sales, where goods and services are offered at no cost or for an unrealistically cheap price (i.e., plane tickets for 1 EUR). Paying for such also result in losing access to your data or bank account.

New changes in data protection grant the “right to be forgotten”

What can be done if, after you voluntarily or unknowingly give away your personal data to various companies or organizations, you can no longer stop the incoming flow of information they send?

This spring, in Lithuania as well as across the European Union, the new General Data Protection Regulation (GDPR) went into effect, which sets out stricter rules for personal data management.

The new regulation mandates the companies that use and manage data to clearly indicate for what purposes they would use the data, who has access to the data, for how long the data will be stored and managed, as well as other information. Further, the GDPR grants the right for individuals to withdraw their consent to give away their data at any point and establishes the right to demand that the data already given away would be deleted – the “right to be forgotten.”

Having failed to clarify and agree upon issues of concern with an organization that uses your personal data for direct marketing purposes, you may always contact the State data protection organization, which can help defend your rights.

You may like