How and Why Galleries Are Getting Hacked
In January 2020, the museum Rijksmuseum Twenthe in Enschede, the Netherlands, was on the verge of purchasing an 1824 John Constable painting from London dealer Simon Dickinson. In the middle of the negotiations, however, something went wrong: Hackers managed to convince the museum to send the money to a different bank account.
Dickinson is hardly the only gallery in the art world hit by this type of fraud. In 2017, Laura Bartlett Gallery was forced to close following the financial impact of a similar scheme. And earlier this year, Italian gallery T293 was targeted by hackers, who duped a German collector into sending over $30,000 into their bank account instead of the gallery’s. What is it about the art world that makes it such a target?
In fact, this kind of scam is pervasive across industries, said Fionnuala Rogers of Canvas Art Law: Criminals target what they see as vulnerabilities. “They always target smaller businesses, just because they know that the systems in place are going to be fairly basic,” Rogers said. And yet the huge sums of money at play, and the low-security channels used to transact them, make the art world particularly attractive as a target.
“You’ve got high values, and so much is done on an informal basis: emails and WhatsApp exchanges,” Rogers added. This opens the door to a variety of scams, some of which are extremely hard to detect. She noted that galleries and collectors typically exchange invoices as PDFs, and those files are very rarely password-protected. Those PDFs can be intercepted by a hacker who can then change the bank details to their own accounts. “That’s a really common thing,” she said. This type of scam also creates a problem when it comes to assigning liability when the worst happens: “I’ve heard it reported that the banks have done nothing, because they’ve said, ‘Well, neither party has made a mistake,’” Rogers explained.
There are a range of names for the type of hacks used to target the art world, but it’s similar to business email compromise, in which an email account is hacked into and then used to impersonate a person with power to request payment, often on short notice. In a recent public service announcement, the FBI named it “The $43 Billion Scam”—the total dollar amount lost in the 241,206 domestic and international incidents reported to the agency between June 2016 and December 2021. “Some of them look really legit,” said PJ Rohall, co-founder of the fraud-fighting resource About-Fraud.com, “and then there’s victims that go through all the shame of, ‘I shouldn’t have done that.’”
Financially, these crimes can have a huge impact. The Rijksmuseum Twenthe, for instance, lost over $3 million, and ended up in a liability lawsuit with Dickinson. But perhaps because of these high-profile cases, there is a sense that this is a problem that needs tackling, said Maureen Bray, executive director of the Art Dealers Association of America (ADAA). “Cybersecurity is a pressing concern for galleries, collectors, and artists alike,” she said. Meanwhile, the 2021 Hiscox Online Art Trade Report showed that a growing number of galleries are worried about cyber crime: 48% said they were “concerned” or “very concerned” in 2021, compared to 22% in 2019. In part, this could be due to gallerists’ assessments of their own vulnerability, as COVID-19 has brought more of the art world’s transactions online.
Even so, it’s not clear that things in the art world are changing to keep up with best practices outside of it. The art industry still seems woefully behind other luxury markets, where payments generally occur on tailor-made e-commerce platforms that ensure secure transactions.
Michael Wilkins, senior director of trust and safety at Turo, a car-sharing start-up, explained that the high-value nature of the company’s business made it a significant target for fraudsters. On Turo, all payments must take place on the platform’s system in order to maintain security protocols. “Email addresses can be spoofed and manipulated,” he said. “And so taking communication off the platform, which is secure with different verification procedures and systems in place, you can run afoul of certain schemes that exist out there in the world. If you’re keeping it on the platform, you know that you’re operating within a trusted and safe environment.”
Kevin Lee, vice president of digital trust and safety at Sift, which produces fraud prevention tools, echoed that statement. “Email is one of the worst places to store personal identifiable information,” Lee said. “It’s not anonymized or encrypted in any fashion.” This is the main reason that many industries have shifted away from email transactions and towards buying and selling on an e-commerce platform. “[Email transactions] are becoming less and less common across all of e-commerce, mainly because a lot of merchants are moving to a proper ‘shopping cart,’ where you can check out, and put in your credit card information,” Lee continued. “From a security standpoint, all that stuff is anonymized.”
In a worrying turn, the ADAA warned that it wasn’t just emails but also galleries’ social media accounts that are now being targeted by hackers—which is particularly significant given that Instagram has become a selling platform for some galleries.
In all of these cases, there are some basic steps that can be taken to prevent fraud. “The ADAA consequently encourages galleries to be vigilant about implementing two-factor authentication, vetting all emails from unknown senders, and guarding login credentials,” said Bray. Rogers added that galleries could require clients to verify new bank details on invoices by phone, as is standard in more tightly regulated fields such as law and real estate. “A law firm would always sort of have this practice in place,” she said.
As galleries move into blockchain sales and NFTs, a new set of security factors are coming into play. “If you’re packaging up a piece of art, that’s going to take days or weeks to ship internationally. NFTs, they’re pretty instant in terms of transfer of ownership. So the speed, the velocity, and for some price points of some of these things can be quite high, so the losses can add up quite quickly,” Lee said.
Indeed, it’s been hard to miss some of the high-profile NFT hacks over the last few months, many of which are carried out by phishing attacks, where account owners are conned into giving away passwords or secure information.
The key is that ultimately, humans are the biggest security weakness in all systems. And scammers rely on human involvement to jam their way in. “The general thesis is that it’s way more economical and a better return on investment to hack a human being, as opposed to spending a ton of time trying to get behind firewalls,” said Rohall. “The human mind is very susceptible.”