In January 2020, the Rijksmuseum Twenthe in Enschede, the Netherlands, was on the verge of purchasing an 1824 painting by John Constable from London dealer Simon Dickinson. In the middle of the negotiations, however, something went wrong: hackers managed to convince the museum to transfer the money to another bank account.
Dickinson is hardly the only gallery in the art world to be hit by this type of scam. In 2017, the Laura Bartlett Gallery was forced to close after the financial impact of a similar scheme. And earlier this year, Italian gallery T293 was targeted by hackers who tricked a German collector into transferring over $30,000 into their bank account instead of the gallery’s. What makes the art world such a target?
In fact, this type of fraud is ubiquitous across industries, said Canvas Art Law’s Fionnuala Rogers: criminals target what they see as vulnerabilities. “They always target smaller companies just because they know the systems in place are going to be pretty basic,” Rogers said. And yet the vast sums of money involved and the less than secure channels through which they are transacted make the art world a particularly attractive target.
“They have high scores and so much happens on an informal basis: emails and WhatsApp exchanges,” added Rogers. This opens the door to a variety of scams, some of which are extremely difficult to spot. She found that galleries and collectors usually exchange invoices as PDFs, and these files are very rarely password protected. These PDFs can be intercepted by a hacker, who can then change the banking details to their own accounts. “It’s a really common thing,” she said. This type of fraud also creates a problem when it comes to assigning worst-case liability: “I heard the banks didn’t do anything because they said, ‘Well, neither party made a mistake,’” Rogers explained.
There are a number of names for the type of hack targeting the art world, but it’s similar to business email compromise, where an email account is hacked and then used to impersonate a person who is authorized to request payment, often with just a brief note. In a recent public filing, the FBI called it “the $43 billion scam” — the total dollar amount lost in the 241,206 domestic and international incidents reported to the agency between June 2016 and December 2021. “Some of them look really real,” said PJ Rohall, co-founder of fraud prevention resource About-Fraud.com, “and then there are victims who go through all that embarrassment, ‘I shouldn’t have done that.’”
Financially, these crimes can have a huge impact. The Rijksmuseum Twenthe, for example, lost over $3 million and ended up in a liability suit with Dickinson. But perhaps because of these high-profile cases, there’s a sense that this is an issue that needs addressing, said Maureen Bray, executive director of the Art Dealers Association of America (ADAA). “Cybersecurity is a pressing concern for galleries, collectors and artists alike,” she said. Meanwhile, the Hiscox Online Art Trade Report 2021 showed that a growing number of galleries are concerned about cybercrime: 48% said they were “concerned” or “very concerned” in 2021, compared to 22% in 2019. This could partly be due to gallery owners’ assessments of their own vulnerability as COVID-19 has brought more art world transactions online.
Still, it’s not clear things are changing in the art world to keep up with best practices outside of it. The art industry still seems to lag miserably behind other luxury markets, where payments are generally made on bespoke e-commerce platforms that ensure secure transactions.
Michael Wilkins, senior director of trust and safety at Turo, a carsharing startup, explained that the high-value nature of the company’s deals makes them a prime target for scammers. At Turo, all payments must be made on the platform’s system to maintain security protocols. “Email addresses can be forged and manipulated,” he said. “So if you take communications off the platform that are secure with various verification procedures and systems, you may conflict with certain schemes that exist in the world. By leaving it on the platform you know you are working in a trusted and secure environment.”
Kevin Lee, vice president of digital trust and security at Sift, which makes fraud prevention tools, echoed that statement. “Email is one of the worst places to store personal information,” Lee said. “It’s not anonymized or encrypted in any way.” This is the main reason why many industries have shifted from email transactions to buying and selling on an e-commerce platform. “[Email transactions] are becoming increasingly rare across e-commerce, primarily as many merchants are moving to a proper ‘shopping cart’ where you can checkout and enter your credit card information,” continued Lee. “For security reasons, all this stuff is anonymized.”
In a worrying twist, the ADAA warned that not only emails but also galleries’ social media accounts are now under attack from hackers – which is especially important as Instagram has become a sales platform for some galleries.
In all of these cases, there are some basic steps that can be taken to prevent fraud. “The ADAA therefore encourages galleries to be vigilant when it comes to implementing two-factor authentication, checking all emails from unknown senders, and protecting credentials,” Bray said. Rogers added that galleries could require clients to verify new bank details on invoices over the phone, as is common in more tightly regulated areas like law and real estate. “A law firm would always use this practice,” she said.
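The phone-verification rule Rogers describes can be enforced as a payment gate. The sketch below is an added example, not taken from any gallery's or vendor's system; the names `Payee` and `review_invoice`, and the use of IBANs as the "bank details", are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Payee:
    name: str
    verified_iban: str   # confirmed by phone when the payee was first set up
    phone_on_file: str   # recorded before this invoice arrived, never taken from it

def normalize_iban(raw: str) -> str:
    return re.sub(r"[\s-]", "", raw).upper()

def iban_checksum_ok(raw: str) -> bool:
    """ISO 13616 mod-97 check: catches typos, not fraud (a swapped IBAN is valid)."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    # Letters become two-digit numbers (A=10 ... Z=35) before the modulo.
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1

def review_invoice(payee: Payee, invoice_iban: str) -> dict:
    """Decide whether an invoice may be paid, based only on records held in-house."""
    if not iban_checksum_ok(invoice_iban):
        return {"action": "reject", "reason": "IBAN fails checksum"}
    if normalize_iban(invoice_iban) == normalize_iban(payee.verified_iban):
        return {"action": "pay", "reason": "matches verified bank details"}
    # Valid but different account: the edited-PDF case. Hold and call the payee.
    return {"action": "hold", "reason": "bank details differ from verified record",
            "call": payee.phone_on_file}

# Constructed sample data: published example IBANs and a placeholder phone number.
DEALER = Payee("Example Gallery Ltd", "GB82 WEST 1234 5698 7654 32", "+44 20 7946 0000")

if __name__ == "__main__":
    for iban in ("GB82WEST12345698765432", "DE89 3704 0044 0532 0130 00",
                 "GB82 WEST 1234 5698 7654 33"):
        print(iban, "->", review_invoice(DEALER, iban))
```

The callback number comes from the stored record because an attacker who can edit the invoice can also edit any phone number printed on it.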
As galleries move into blockchain sales and NFTs, a number of new security factors come into play. “When you package an artwork, international shipping takes days or weeks. NFTs are fairly instantaneous in terms of ownership transfer. So the speed, the speed and for some price points of some of these things can be pretty high so the losses can add up pretty quickly,” Lee said.
Indeed, it has been hard to miss some of the high-profile NFT hacks of the last few months, many of which were carried out through phishing attacks that trick account holders into revealing passwords or secure information.
The key is that humans are ultimately the greatest security weakness in all systems. And scammers rely on human involvement to get in. “The general thesis is that it’s much more economical and profitable to hack a human than to spend a lot of time getting behind firewalls,” he told Rohall. “The human mind is very vulnerable.”