In April 2025, the UK Gambling Commission published a warning that most operators probably skimmed and forgot about. Buried in their updated AML guidance was a blunt statement: criminals are now using deepfakes and AI-generated documents to bypass customer due diligence checks.
Forged passports, fabricated utility bills, manipulated bank statements, all submitted during source-of-funds reviews, all getting past compliance teams. Gambling proof of payment fraud, in short, is no longer a fringe concern.
At VerifyPDF, we have been processing documents for iGaming operators and the pattern is always the same: companies invest heavily in identity verification (selfie checks, liveness detection, biometric matching) but then ask a junior compliance officer to eyeball a PDF bank statement. That bank statement is where the real fraud happens. Let’s dive into how this works and what operators can actually do about it.
Source-of-funds checks created a new fraud surface
When people talk about fraud in iGaming, they usually mean bonus abuse, multi-accounting or chargebacks. Fair enough, those are real problems. But there is another fraud vector that gets far less attention: the documents that players submit during enhanced due diligence.
Source-of-funds checks are now standard practice across regulated markets. When a player deposits above a certain threshold (or triggers a risk rule), the operator asks for proof: a bank statement, a deposit receipt, a payslip, a payment confirmation. The idea is simple: show us where the money came from.
The problem? These documents are trivially easy to fake. And most compliance teams are not equipped to tell the difference.
According to Sumsub’s 2024 iGaming Fraud Report, fraud in online gaming increased 64% year-over-year. Four in five operators reported facing more fraud than the year before.
Deepfake-related fraud jumped a staggering 700% between Q1 2024 and Q1 2025. Yet the conversation still revolves almost entirely around identity, not documents.
How gambling proof of payment fraud works
There are a few common techniques, and they range from crude to surprisingly sophisticated.
Editing PDF bank statements directly. This is the most common method we see at VerifyPDF. Adobe Acrobat Pro allows you to edit the text layer of a PDF without converting it to another format.
A fraudster downloads a real bank statement from their online banking, changes a few transaction amounts or adds deposits that never happened and resubmits it as source-of-funds proof. The fonts match, the layout is perfect and to the human eye, nothing looks wrong.
Here is a realistic example. A player deposits €2,000 via bank transfer and triggers an enhanced due diligence check. The operator asks for a bank statement showing the source of funds.
The player downloads their real statement, opens it in Acrobat Pro, changes their salary from €2,400 to €6,500, adds a fictitious savings transfer and submits it. The compliance analyst sees a clean PDF with a plausible income, correct bank formatting and no visible signs of tampering. Approved. The whole process took five minutes.
We covered this technique in detail in our post on the rising threat of fake bank statements: the same methods that target lenders and insurers are now showing up in gambling compliance workflows.
Fabricating deposit receipts from scratch. Some players create fake payment confirmations entirely. A template for a bank transfer confirmation or e-wallet receipt takes about 20 minutes to build in any design tool.
Slap on the right logo, match the fonts, add a transaction reference number that looks plausible and you have a convincing fake deposit receipt. These are especially effective when an operator accepts image files rather than original PDFs, because there is simply nothing to analyze forensically.
Submitting screenshots instead of originals. This is a red flag we see constantly. When someone sends a screenshot of a bank statement rather than the actual PDF, you lose all forensic metadata: the creation date, the producer software, the internal document structure.
As we wrote about in our post on screenshots and document forensics, a screenshot is essentially a blank canvas. There is nothing left to verify. And criminals know this.
Buying templates from fraud rings. Organized groups sell ready-made document templates online; these are the same template farms that fuel rental fraud and loan fraud. For a few hundred euros, you get fake bank statements from major European banks, complete with accurate formatting and realistic transaction patterns.
We have seen these exact templates show up in gambling-related source-of-funds submissions, sometimes with the same template used by different players at the same operator within weeks.
The UKGC deepfake warning operators should take seriously
The UK Gambling Commission’s April 2025 guidance on emerging money laundering risks did not mince words. They explicitly stated that criminals are using AI-generated media to forge documents, manipulate live verification videos and bypass due diligence checks. They even provided a specific suspicious activity report code (0752-NECC) for deepfake-related fraud.
What makes this warning different from the usual regulatory guidance? Two things.
First, the UKGC acknowledged that the threat is not hypothetical: it is already happening. They described an “increase in the scale and sophistication of attempts to bypass customer due diligence checks using false documentation.” This is not a future risk assessment. This is what their intelligence team is actively seeing in the UK market right now.
Second, the guidance puts the burden squarely on operators. Staff must be “appropriately trained to assess customer documentation, including how to identify false and AI generated documents.” In other words: if a forged bank statement gets through your review, the regulator will hold you responsible.
And they are backing that up with real consequences. European gambling regulators issued over €36 million in AML-related penalties between March 2024 and March 2025 alone. In Lithuania, Olympic Casino Group was fined €8.4 million after failing to prevent a former fund manager from gambling millions in stolen money, money that passed through their compliance checks supported by documents that should have raised red flags but did not.
How confident are you that your compliance team would catch an AI-generated bank statement from a Portuguese neobank?
Why manual document review breaks down at iGaming scale
Here is the core issue. Most iGaming operators handle document review the same way: a compliance analyst opens the file, looks at it, checks some details against the player’s account and approves or rejects it. Maybe there is a checklist. Maybe there is a second pair of eyes for high-value accounts.
This approach has three fatal problems.
Volume. A mid-sized operator might process hundreds or thousands of source-of-funds documents per month. Each one needs to be checked against the player’s deposit history, cross-referenced with their stated income and examined for signs of manipulation.
At that volume, fatigue sets in fast. Error rates climb after the first hour of reviewing documents and compliance analysts are often doing this for entire shifts. When you are looking at your two hundredth bank statement of the week, a well-made forgery starts to look perfectly normal.
Speed pressure. Players expect fast verification. When someone deposits €5,000 and wants to play right now, a 48-hour document review creates friction, support tickets and churn.
So operators push their teams to review faster. Faster review means less scrutiny. Less scrutiny means more forged documents getting approved.
The localization problem. Spotting a well-made forged bank statement requires knowledge of that specific bank’s formatting, typical metadata patterns and common manipulation techniques. An analyst reviewing a statement from a Greek bank or a Belgian neobank probably does not know what the genuine article looks like, especially if they primarily handle UK documents.
This localized knowledge gap is exactly what fraudsters exploit. It is the same weakness we described in our comparison of AI fraud detection versus manual checks: the human eye simply cannot catch modifications made at the PDF content layer. The changes are invisible without forensic tools.
What iGaming operators should do about document fraud
The good news: this problem is solvable. Here is what we recommend based on our experience working with operators across Europe.
Accept only original PDF documents. Never accept screenshots, photos of screens or scanned printouts as source-of-funds proof. An original PDF downloaded from a banking portal contains metadata and structural information that makes forensic analysis possible. A screenshot contains nothing.
Make this a hard policy, not a suggestion.
Cross-reference documents against account data. A bank statement showing a €10,000 deposit should match a €10,000 incoming transaction in your payment system. The dates should align. The account holder name should match the player’s verified identity.
Basic cross-referencing catches a surprising number of fake documents, because fraudsters often get sloppy with the small details: a date that is off by one day, an amount that does not quite match.
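The cross-referencing check described above, written out in Python as an added example (not code from VerifyPDF or any operator). The field names, the strict same-day matching rule and all sample records are assumptions constructed for illustration.

```python
import unicodedata
from datetime import date
from decimal import Decimal

def norm_name(name: str) -> str:
    """Case-, accent- and word-order-insensitive form of a holder name."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(sorted(plain.casefold().replace(",", " ").split()))

def cross_check(deposit: dict, statement: dict, verified_name: str) -> list:
    """Return findings for one deposit; an empty list means the document agrees."""
    findings = []
    if norm_name(statement["holder"]) != norm_name(verified_name):
        findings.append("holder_name_mismatch")
    lines = statement["lines"]
    same_amount = [t for t in lines if t["amount"] == deposit["amount"]]
    same_day = [t for t in lines if t["date"] == deposit["date"]]
    if any(t in same_day for t in same_amount):
        return findings  # amount and date both agree with the payment record
    if same_amount:  # right amount, wrong day: report the smallest gap
        gap = min(abs((t["date"] - deposit["date"]).days) for t in same_amount)
        findings.append(f"date_off_by_{gap}_days")
    elif same_day:  # something moved that day, but not this amount
        findings.append("amount_mismatch")
    else:
        findings.append("no_matching_transaction")
    return findings

# Constructed sample data: operator-side payment record and verified KYC name.
VERIFIED_NAME = "José Ferreira"
DEPOSIT = {"amount": Decimal("10000.00"), "date": date(2025, 3, 14)}

def statement(holder, pay_date, amount):
    """Constructed statement: one unrelated line plus the claimed payment."""
    return {"holder": holder, "lines": [
        {"date": date(2025, 3, 1), "amount": Decimal("950.00")},
        {"date": pay_date, "amount": Decimal(amount)}]}

STATEMENT_OK = statement("FERREIRA, JOSE", date(2025, 3, 14), "10000.00")
STATEMENT_LATE = statement("FERREIRA, JOSE", date(2025, 3, 15), "10000.00")
STATEMENT_ALTERED = statement("Joao Ferreira", date(2025, 3, 14), "9990.00")

if __name__ == "__main__":
    for doc in (STATEMENT_OK, STATEMENT_LATE, STATEMENT_ALTERED):
        print(cross_check(DEPOSIT, doc, VERIFIED_NAME))
```

A finding is a reason to route the document to a closer review, not proof of forgery on its own.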
Automate document forensics. This is where tools like VerifyPDF come in. Our API analyzes the internal structure of PDF documents (metadata, creation patterns, content layer integrity, font consistency, producer software) and returns a risk rating in under 5 seconds. That is fast enough to sit inside a real-time deposit workflow and thorough enough to catch manipulation that no human reviewer can spot with the naked eye.
Train your team on document-specific red flags. Even with automation, your compliance analysts need to understand what they are looking at. Documents produced by unusual software (Photoshop or Illustrator instead of a banking system), files with mismatched creation and modification dates, text that cannot be selected with a cursor: these should all trigger additional scrutiny.
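The three red flags named above can also be checked mechanically. The Python below is an added example, not VerifyPDF's code or API: it is a naive raw-byte scan that assumes an uncompressed Info dictionary with literal strings, and the `DESIGN_TOOLS` list, the function names and the sample fragments are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed deny-list: the design tools named on this page; extend per deployment.
DESIGN_TOOLS = ("photoshop", "illustrator")

def info_value(pdf: bytes, key: str):
    """Last literal-string value of /key in the raw bytes, or None."""
    hits = re.findall(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf)
    return hits[-1].decode("latin-1") if hits else None

def pdf_date(value):
    """Parse the D:YYYYMMDDHHmmSS prefix of a PDF date string."""
    m = re.match(r"D:(\d{14})", value or "")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None

def red_flags(pdf: bytes) -> list:
    """Return the red flags from the paragraph above that this file raises."""
    flags = []
    producer = (info_value(pdf, "Producer") or "").lower()
    if any(tool in producer for tool in DESIGN_TOOLS):
        flags.append("unusual_producer")
    created = pdf_date(info_value(pdf, "CreationDate"))
    modified = pdf_date(info_value(pdf, "ModDate"))
    if created and modified and created != modified:
        flags.append("date_mismatch")
    if b"/Font" not in pdf:  # no font resource: nothing a cursor could select
        flags.append("no_selectable_text")
    return flags

def sample(producer, created, modified, resources):
    """Build a constructed PDF fragment (not a real bank statement)."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Producer (" + producer + b") /CreationDate (D:"
            + created + b"Z) /ModDate (D:" + modified + b"Z) >>\nendobj\n"
            b"2 0 obj\n<< /Type /Page /Resources << " + resources + b" >> >>\n"
            b"endobj\n%%EOF\n")

FONTS = b"/Font << /F1 3 0 R >>"
GENUINE = sample(b"ExampleBank Statement Engine", b"20250301080000", b"20250301080000", FONTS)
EDITED = sample(b"ExampleBank Statement Engine", b"20250301080000", b"20250304213000", FONTS)
IMAGE_ONLY = sample(b"Adobe Photoshop", b"20250301080000", b"20250301080000",
                    b"/XObject << /Im1 3 0 R >>")

if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("edited", EDITED), ("image", IMAGE_ONLY)):
        print(name, red_flags(doc))
```

Real statements often keep metadata in XMP packets or compressed object streams, so a production check should read the file with a full PDF parser rather than a byte scan.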
Build a feedback loop. When your tools or analysts catch a fake document, log the template, the technique and the claimed source institution. Over time, this builds institutional knowledge that makes your entire document review pipeline stronger. In our experience, the operators who do this systematically see measurable improvements within months.
The weakest check in your compliance stack
The iGaming industry spends millions on identity verification, transaction monitoring and bonus abuse detection. But the documents that players submit during source-of-funds checks? Those still get reviewed by a human with no forensic tools, under time pressure, with limited training on the specific banking format they are looking at. It is the biggest blind spot in modern iGaming compliance.
Fraudsters know this. That is why gambling proof of payment fraud keeps growing: it is the path of least resistance into an operator’s platform.
The UKGC has made it clear that operators will be held accountable for letting forged documents through. The data from Sumsub shows the problem is accelerating faster than most compliance teams can adapt. And at VerifyPDF, we see that the operators who automate document verification consistently catch fraud that their manual processes never would have found.
At the end of the day, your compliance stack is only as strong as its weakest check. For most operators, that weakest check is a PDF sitting in someone’s inbox, waiting to be eyeballed and approved.