In the financial industry, companies engaging in million-dollar transactions invest in the latest technology to safeguard valuable assets. However, in the art world—a market built on relationships and handshakes—even transactions that involve the transfer of large sums of money can be relatively casual, often occurring in environments lacking the protection of up-to-date cybersecurity. The reason behind this lack of security? Galleries and dealers, despite processing transactions in amounts that can easily rival those of some financial firms, are not subject to any particular regulation—and without such regulation, the interest and passion of the art world typically remain focused on the art itself rather than on instituting strong security measures. This leaves soft targets such as galleries vulnerable to cyber attacks.
Substandard cybersecurity means that opportunists with scant technical skill can easily infiltrate email accounts and impersonate unwitting victims. In October 2017, it was reported that a number of well-known galleries and dealers were targeted by a business email compromise/email account compromise (BEC/EAC) scam (The Art Newspaper, 31 Oct. 2017). These galleries and their clients lost amounts ranging from $13,000 to $1.3 million, but in the article, insurance broker Adam Prideaux of Hallett Independent mentions that he “suspect[s] the problem is a lot worse than we imagine.”
Here is how the scheme works: a cyber criminal accesses an art dealer’s email account, monitors incoming and outgoing correspondence, and lies in wait until the right time to strike, which could be weeks or even months after the account is first accessed. When the gallery or dealer sends an invoice to a client following a sale, the hacker, posing as the gallery, steps in and sends the client an “updated” invoice with a message to disregard the first email and instead wire payment to an account listed on the forged invoice. Once the funds have been transferred into the hacker’s account, the criminal quickly moves the money and vanishes, avoiding detection. Hackers also use this technique to intercept payments made by galleries to their artists.
The scam is so successful because the cyber criminals gain access to their targets’ email accounts, which makes fraudulent emails appear as though they came from legitimate, known sources. The hackers can impersonate either party—the gallery or the artist/client—making it hard to identify that a fraud is occurring or that a cyber criminal is behind the emails. One of the targeted galleries, for instance, only discovered the hack when it contacted a client after noticing that the client’s payment had never hit the gallery’s account.
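Because the forged message comes from the gallery's real account, the useful check is on content rather than sender: hold any message that changes the payee account on an invoice that has already been sent. The sketch below is an added example, not part of the original article; the mailbox sample, the `INV-nnnn` invoice style, the IBAN-style account strings and the function name are all constructed assumptions.

```python
import re

# Constructed sample of outgoing mail from one gallery account (not real data).
# The invoice-number style (INV-nnnn) and IBAN-style account are assumptions.
SENT = [
    {"from": "sales@gallery.example", "to": "client@collector.example",
     "body": "Invoice INV-1042 attached. Please wire to IBAN GB00EXAM00000000000001."},
    {"from": "sales@gallery.example", "to": "client@collector.example",
     "body": "Updated invoice INV-1042. Please disregard the first email and "
             "wire payment to IBAN GB00EXAM00000000000999."},
    {"from": "sales@gallery.example", "to": "other@collector.example",
     "body": "Invoice INV-1043 attached. Please wire to IBAN GB00EXAM00000000000001."},
]

INVOICE_RE = re.compile(r"\bINV-\d+\b")
ACCOUNT_RE = re.compile(r"\bIBAN\s+([A-Z]{2}\d{2}[A-Z0-9]{10,30})\b")
OVERRIDE_RE = re.compile(r"\b(disregard|ignore|updated|new bank|changed)\b", re.I)


def flag_changed_instructions(messages):
    """Flag any message that changes the payee account on an invoice already sent."""
    first_seen = {}  # (recipient, invoice) -> (account, sender) from first message
    alerts = []
    for index, msg in enumerate(messages):
        invoice = INVOICE_RE.search(msg["body"])
        account = ACCOUNT_RE.search(msg["body"])
        if not invoice or not account:
            continue  # not a payment instruction we can compare
        key = (msg["to"], invoice.group())
        known_account, known_sender = first_seen.setdefault(
            key, (account.group(1), msg["from"]))
        if account.group(1) != known_account:
            alerts.append({
                "index": index,
                "invoice": invoice.group(),
                "original_account": known_account,
                "new_account": account.group(1),
                # True here means sender-based trust would not have helped.
                "same_sender": msg["from"] == known_sender,
                "override_wording": bool(OVERRIDE_RE.search(msg["body"])),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_changed_instructions(SENT):
        print("HOLD PAYMENT, verify out of band:", alert)
```

The same comparison applies in the other direction, to payment details received from artists before the gallery wires funds.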
A hacker need only obtain credentials—a username and password—leaked during an unrelated corporate cyber breach to eavesdrop on an email account or take it over entirely. No sophisticated system penetration or “hacking” is required; rather, in these instances, the cyber criminal simply finds a “key under the doormat” and lets himself in. Using this BEC scam, the bad actor will attempt to profit, often through impersonation and/or the sending of incorrect wire instructions. In 2017, the FBI reported that BEC scam losses skyrocketed 2,370% between January 2015 and December 2016, with losses exceeding $3.1 billion—a statistic that should serve as a warning to all businesses, not just large financial institutions, to stay vigilant and proactive when it comes to cybersecurity.
These cyber attacks can be incredibly damaging, both in terms of financial loss and immeasurable reputational harm. No one is immune to this new normal of cyber attacks, whether a highly regulated financial firm or an art gallery. Because certain basic cybersecurity measures are extremely effective in nearly eliminating the threat posed by cyber criminals, galleries should learn from the most recent wave of attacks and consult with experts to enact preventive and proactive measures to ensure that their networks and accounts are secure. When something of value is at stake, instituting cybersecurity protocols and ensuring that all employees are aware of best practices is the best protection against cyber attacks.