• Home
  • News
  • Return to sender? Falling foul of cybercrime

21 May 2019

Return to sender? Falling foul of cybercrime


The risk of being a victim of cybercrime can often be overlooked or underestimated in the art market. However, as artists, galleries and museums increase their reliance on online sales and the use of email to conduct and agree transactions, the opportunities for hackers to strike have never been greater.

It's a situation sellers know well. A potential purchaser contacts an artist or gallery asking to purchase an artwork and, after an email exchange, a price is agreed. Thereafter an invoice is emailed to the purchaser, who duly affects a bank transfer. The artwork passes to the purchaser.

However, what if, unbeknown to the seller and the purchaser, a hacker has infiltrated their email traffic and has manipulated the content of their emails, so that the purchaser receives an electronic invoice purportedly from the artist or gallery, but the payment details have been replaced with the hacker's own account details? Alternatively, what if an irate artist emails a gallery chasing payment for an artwork and the gallery rushes through the payment, without spotting that they had, in fact, been contacted by an alternative email address and the sums paid to a fraudster? Such situations can lead to monetary losses, data protection issues and PR disasters.

The art market can be particularly vulnerable to such attacks, with hackers aware that large sums of money will eventually be changing hands and that those operating in this sphere may underestimate the need for robust (and maintained) cyber protection. There is also a wider value to be gained from accessing a gallery or art institution's servers, with the identity of a gallery's customers or an institution's benefactors potentially being of considerable value.

Prevention is better than cure

We all protect our physical assets – doors are locked and alarms are set. However, in the increasingly digitalised world, we can be more lax in protecting access to our electronic data. Personalised user accounts and private passwords, together with antivirus and security software, are important tools for anyone conducting business electronically. However, they can often be undermined, with passwords shared and out of date software not replaced.

The importance of maintaining these protections can often be overlooked where there is no obvious evidence that email servers have been attacked. However, hackers will often sit dormant within a compromised server, watching email traffic and waiting for their moment to strike, usually when money is to be paid. Complacency now may well lead to issues later on.

As well as ensuring that robust cybersecurity measures are implemented and maintained, being aware of potential 'red flags' may also save you from making a costly mistake. For example, having identified the basic details of a sale, fraudsters may set up a near-on identical email address and open a line of communication, in an attempt to make the purchaser divert the purchase price to an alternative bank account. In the world of overflowing inboxes, minor changes to an email address may be overlooked, but a simple call to the purchaser to confirm bank details (using contact details previously obtained) can put your mind at ease. Similarly, receiving updated or amended invoice details midway through a transaction may well be legitimate but can often be a sign that something is amiss and that further confirmation is required. Staff training and regular reminders to be alert to the possibility of cybercrime may mean that they are more likely to be alert to situations where something 'isn't quite right'. The time spent making a telephone call to double check details with a third party may save you from making a costly mistake.

Acting fast to maximise recovery

If you believe that you have been the victim of cybercrime and transferred sums to a fraudster, you must act quickly if you are to attempt to recover some or all of the sums that have been lost. As well as notifying the police, legal advice should be urgently obtained as to whether it is possible to freeze the recipient bank account and recover the transferred sums. Whilst fraudsters may immediately empty bank accounts once sums have been obtained, slow bank transactions and clearing processes may provide you with a very short window in which to freeze the transferred sums. You may also wish to consider invoking a temporary moratorium on paying all pending invoices whilst those invoice details are double checked, to ensure that further transactions have not been compromised.

As well as taking steps to recover the transferred sums, it is vital to establish how the fraudster was able to bypass cyber security systems or was otherwise able to redirect payment. You will also need to check whether any other transactions have been compromised. This information will be crucial in formulating a strategy going forward, from managing the PR of a potential data breach to complying with the reporting requirements under data protection legislation.

Preparation, preparation, preparation

As with other potential threats, preparation is key. Careful consideration as to how a potential cybercrime event would be dealt with and establishing a process to be followed is likely to save precious time if the situation ever arose, and may well increase your chances of recovering any lost sums.



Roland Foord

Roland Foord

T:  +44 20 7809 2315 M:  Email Roland | Vcard Office:  London