The Nevada Gaming Control Board has put out another cybersecurity notice to operators across the state, making it clear that downplaying cyber risks is no longer an option. The message is simple: attacks are getting more sophisticated, and they’re not slowing down.

Recent breaches at major properties prove the point. Wynn Resorts reportedly had 800,000 records lifted by a group calling themselves ShinyHunters, who demanded $1.5 million to keep quiet. Caesars allegedly paid out $15 million to extortionists, though they never confirmed the figure. Some reports suggest the initial demand was double that.

These aren’t small-time operations getting hit.

These are billion-dollar companies with dedicated security teams. Yet they still got breached.

Social Engineering Is the Weak Spot

The NGCB’s latest notice focuses heavily on social engineering and phishing tactics. Hackers have moved beyond purely technical exploits. Now they’re using AI-assisted fraud to impersonate company insiders, particularly those with IT access.

The regulator highlighted common warning signs: urgent requests to reset passwords, wire transfers, changes to payment instructions. Anything that creates pressure to act immediately without following normal procedures.

According to Nevada’s Technology Office, attackers rely on urgency, impersonation, and human trust to bypass standard controls. Look, they want employees to break protocol, keep secrets, or skip approval steps. Simple as that.

Staff Training Matters

The NGCB is pushing operators to keep employees sharp. If something feels off, staff need to escalate it to managers or cybersecurity teams immediately.

A moment’s distraction can be all it takes for criminals to exploit a vulnerability.

Nevada casinos represent high-value targets. They handle massive amounts of customer data and financial transactions daily. That makes them attractive to organised criminal groups who know exactly what they’re after. These aren’t opportunists poking around, they’re professionals with a shopping list.

The regulator’s message is straightforward: cyber threats are persistent, they’re evolving, and they need constant attention. Operators who treat this as a box-ticking exercise are leaving themselves exposed. Full stop.