Hackers are stealing large sums of money from art galleries and their clients using a straightforward email deception. The Art Newspaper has so far identified nine galleries or individuals targeted by this scam. They include Hauser & Wirth, the London-based dealers Simon Lee, Thomas Dane, Rosenfeld Porcini and Laura Bartlett and, in the US, Tony Karman, the president of Expo Chicago.
“We know a number of galleries that have been affected. The sums lost by them or their clients range from £10,000 to £1m,” says the insurance broker Adam Prideaux of Hallett Independent. “I suspect the problem is a lot worse than we imagine.”
How it works
The fraud is relatively simple. Criminals hack into an art dealer’s email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document.
Once money has been transferred to the criminals’ account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others. Because the hackers gain access to the gallery’s email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources.
This summer, the London-based dealer Laura Bartlett sold a group of works to a US collector. “It was quite a high-value sale for me,” she says. The transaction was negotiated entirely by email and when it was finalised, Bartlett sent the buyer an invoice via email, as she has sent all her invoices for the past 12 years. Her client received this but soon afterwards, Bartlett’s emails were intercepted. “Somebody sent out another email saying: ‘Ignore my previous invoice. I sent you old bank details; please use this invoice instead.’” The client duly wired the money to the hackers instead of to Bartlett.
“I kept checking my account to see if the money had arrived and sending more and more emails to my client to ask where the funds were,” she says. Her client responded to these emails, but “in retrospect, I realise that the tone of his emails had completely changed”, Bartlett says. What she and her client did not know at the time was that the hackers were now controlling all correspondence between them while impersonating them both. The hackers responded to Bartlett’s queries about the payment with reassurances that “everything was fine and that the delay in receiving payment was being looked into”.
It was only when Bartlett called the client a week later that they both realised what had happened. They reported the theft to the Action Fraud team at the Metropolitan Police in London but have no information about the ongoing investigation. (A spokesman for Action Fraud told The Art Newspaper that Bartlett and her client’s “reports have been reviewed and have been disseminated to the Metropolitan Police service for investigation”.)
Bartlett’s client has not recovered his money and is unlikely to do so. “His bank told him that it was not able to recompense him,” Bartlett says. In cases such as these, “the bank has not made an error for which it necessarily has to take responsibility”, says Chris Bentley, the director of underwriting at AXA Art Northern Europe, Middle East and Asia Pacific.
Some art dealers believe that banks should carry out more detailed checks on new clients before they are allowed to open accounts. Ian Rosenfeld of Rosenfeld Porcini in London has been trying to recover money stolen from one of his gallery’s clients for 18 months. As in Bartlett’s case, the theft occurred after criminals intercepted an email invoice sent to a client following the sale of a work.
The insurance industry is divided about the efficacy of such products. AXA Art does not currently offer a policy that will protect against loss from this type of email fraud, Bentley says. “This is a very rapidly evolving area for the insurance market,” he says. “It’s moving so quickly that if you renewed your policy in April rather than October, you might have a different arrangement.” He believes that it is more effective for galleries to adopt “a change in practice to avoid this situation happening in the first place rather than buying what is going to be potentially quite expensive insurance. Even if an insurance solution is eventually offered, it is still likely to be both limited and expensive.”
For galleries in the UK, introducing greater security is critical. Next May, the UK will implement new EU legislation: the General Data Protection Regulations. (The legislation will be introduced in Britain regardless of Brexit.) These require every company that stores personal data, such as clients’ email addresses, to protect it adequately. So, if your gallery’s email account is hacked because of inadequate security measures, you could be fined 4% of your annual turnover or €20m, whichever is higher. “No galleries are that aware of the impending regulation,” Lee says, adding that, for galleries, “there are huge responsibilities involved and there is a lot to do in preparation”.
Five-step protection against email fraud
1 Regularly change all passwords for email, software and wifi
2 Ensure all anti-virus software is up to date
3 Only send invoices by email if they have been encrypted (password-protected)
4 After sending or receiving an invoice by email, call and/or send a text or WhatsApp message to the recipient to double-check the sort code and account number
5 Urge all staff to be extremely vigilant when opening emails and do not download any attachments or click on web links from an untrusted source. Always confirm legitimacy over the telephone with the sender if in doubt
• To contact us about cyber crime, please email firstname.lastname@example.org
• For a discussion on cyber crime in the art world, listen to The Art Newspaper Weekly podcast released on Friday 3 October