How Art Collectors Can Avoid Online Phishing Scams and Social Engineering
Imagine you’ve just made a deal with a gallery to buy a piece by one of your favorite artists. You’ve worked out a price and gotten an invoice. Then, out of nowhere, the dealer emails you: “Hello dear, I’m sorry, I sent the wrong bank information. The attached is the updated invoice for wire transfer.” What do you do?
The short answer is: Pick up the phone and call your dealer. This could be someone else who intercepted your communication and is trying to have you wire the money to their account instead. And if you do, it’s often very hard to trace it and get it back. Emails like this are just one example of the scams making the rounds in the art world.
“It’s been unnerving and disheartening during this pandemic. There’s just so much going on,” said Anne Rappa, senior vice president at fine art insurance broker Huntington T. Block. “At this time, people are particularly vulnerable, since nervousness increases error.”
Many of these scams use social engineering as a tool to convince people to either divulge sensitive information or send money to mysterious overseas accounts, with scammers researching specific targets in order to pose as someone they trust. (Remember the Twitter breach earlier this month? It was a social engineering attack on Twitter’s own employees.)
“There’s been a shift away from hacking and data breaches that steal credit card numbers, as they became less valuable to sell,” said Robert Rosenzweig, vice president and national cyber risk practice leader at DeWitt Stern. “Now there’s more diversion and manipulation.”
Rosenzweig noticed a huge uptick about 18 months ago, with people opening files that locked down their systems and demanded ransom to regain access to data. Scammers target art galleries because their clients tend to be wealthy; phishing scams, especially, expose a lot of collectors’ personal information, which a scammer can use to target that person before moving on to their connections, and then their connections’ connections. Rosenzweig recommends getting encrypted software.
“Given the informality of the art world historically, there has been more and more direct financial loss as a result,” he said. “But it really is a human issue when it comes down to it.” Training people to follow specific internal policies—knowing when to be suspicious of emails and when to pick up the phone—are just as important as your security software. “There’s a need to operate with heightened awareness with every means of communication,” said Rosenzweig.
Adam Prideaux, managing director of insurance broker Hallett Independent, remembers the first time he came across one of these scams in the art world a few years ago, when a gallery lost £1 million (about $1.3 million). “The heart of the problem is email as a means of communication,” he said. “People send all their confidential information, and it’s easy to hack and see what they are talking about.”
Hallett sees a new case of this type about once per week (a lot of the smaller amounts lost may not be reported, or even noticed); cybertheft is much more likely than the physical theft of an artwork. Prideaux noted there are very simple measures galleries could put into place in order to protect themselves, like password-protecting invoices, sending sensitive information (including pricing details) via WhatsApp or another encrypted messaging service, or even using good old-fashioned snail mail.
“What’s always struck me is the lack of training,” Prideaux added. “Tech isn’t at the forefront of how the art world does business.” He said he tells people to always assume every email they write is being read by people other than the intended recipients.
Perhaps unsurprisingly, all of the insurance companies and brokers consulted for this article are happy to arrange some form of cyber insurance for galleries (many packages also come with access to forensics experts). But, as Prideaux put it, “if you have good training, you’re managing the risk, which negates the need for insurance. If a hacker sees passwords on all your email attachments, he moves on to the next gallery.”
In taking steps to create a more robust cybersecurity system, the gallery isn’t just protecting itself—it’s also protecting its collectors, who are much more likely to lose money in a social engineering attack. If collectors want to get personal cyber insurance and identity theft insurance, they can do so through their homeowners policy, but ultimately, Prideaux believes it’s galleries’ responsibility to educate both their employees and their clients in order to “clean up the system.”
In full disclosure, Artsy’s gallery network has been the target of similar phishing scams. To combat instances of social engineering, Artsy has invested in its security procedures to protect partners, created a team dedicated to trust and safety, built best-practice resources, and communicated directly with both its users and employees so they are better educated about the dangers of phishing scams.
In the aftermath of an uninvited third party getting between a dealer and a collector, there’s often a great deal of finger-pointing and accusation as to who is at fault. Most of the time, this involves figuring out whose email got hacked and how much responsibility that party should take for the breach—as seen in a recent case in the Netherlands.
The way to resolve these disputes is through lawyers, who determine both parties’ rights and vulnerabilities, explained Joseph V. DeMarco, partner at the law firm DeVore & DeMarco, where he focuses on information privacy and security, computer intrusions, and online fraud, among other issues. He said the first thing people tend to do when they find out what happened is immediately fix their system. But doing so could erase essential evidence, so it’s important to talk to experienced counsel, who “can hire a technologist to bring systems up while preserving relevant evidence,” he said.
DeMarco said he’s even been able to recover the lost money in some instances. When these cases go to negotiation or to court, it’s usually a matter of determining which party is more at fault and dividing up the loss accordingly. But it’s more important to take preventative measures, like creating a policy that all wire transfers are confirmed face-to-face or over the phone—or, very simply, writing in your contract: “We will never change our wire information without verbal confirmation.”
“Amend your sales agreements, documents, and policies to bring the odds of this happening to zero,” DeMarco said. “The best time to do it is now, not when you’re in the middle of it,” when it would be “like changing the batteries on a smoke detector while your house is on fire.”
In 2018, the Art Dealers Association of America organized a seminar to educate dealers on issues of cybersecurity, inviting FBI special agent William McKeen, who works on cybercrime cases, to participate. “Any time we can talk to an entire industry, it really makes a difference for us,” said McKeen, remembering an incident with a New York gallery where a scammer impersonated a private seller of a significant piece and changed the wire instructions; the gallery ended up wiring money to the scam account.
McKeen said the biggest red flag is usually someone reaching out in the middle of a deal to change instructions. It’s also important to pay attention to language, he said, as a lot of scammers might refer to a person by only their last name or greet them with a “Hello dear.” One should also be wary of anyone applying pressure to move very quickly. He said the art industry is particularly vulnerable to these kinds of scams because most companies and organizations are small, with no person dedicated to cybersecurity; large overseas wire transfers are the norm; and there are no industry-standard invoices.
“Cybercrime is the most lucrative crime,” McKeen added. “I’m working on a case now where the subject succeeded only 5 percent of the time and made $3.5 million in the last year.”
According to the FBI, in 2019, people in the U.S. lost $57 million to phishing scams alone, and that’s only the reported cases. McKeen always encourages people to report these crimes, since there are only several thousand scammers around the world, and many of them work in hierarchical groups, similar in structure to organized crime. “Folks are hard to trace as they’re mostly overseas, but we’ve had success recently related to building international relationships,” he said. “We make arrests weekly on these kinds of cases.” (He pointed specifically to a couple of Nigerian scammers who were caught earlier this month—at least partially due to Instagram posts documenting their lavish lifestyles.)
As for art transactions, one specific step McKeen suggested people take to avoid being scammed is to “find out the amount of money you’re willing to lose. Any amount above that, have two people authorize the transfer. Make it a part of the culture, no matter how urgent.” This is good advice for both galleries and collectors: A second opinion—no matter whose it is—could be the difference between acquiring a new and exciting work and suffering a massive financial loss. If you do find yourself a victim of a cybercrime, you can report it on the FBI’s Internet Crime Complaint Center website. “Time is of the essence!” said McKeen. The sooner you report, the more likely you’ll be able to get your money back.
For now, though, anytime you get a suspicious email from an art dealer and before you open any attachments, just pick up the phone and call the person. All the experts interviewed for this article said this is the most effective way to confirm whether or not they actually sent you the email. Just make sure you call a number you already have for them—don’t trust the one in the email signature, just in case.