BEC scammers are targeting art galleries, collectors and artists, swindling them out of money and, on occasion, ruining their businesses.
According to The Art Newspaper, nine art galleries in the UK and the US have been hit, some of them successfully. Insurance broker Adam Prideaux told the publication that the actual number of targets is likely considerably higher.
The scammers’ MO
The scammers start by finding a way to compromise an art dealer’s email account, and by monitoring incoming and outgoing emails. As a deal is struck between the gallery and a client, and the gallery sends an invoice to finalize the sale, the scammers spring into action.
They copy the invoice, change the bank account information in it and send it to the client, along with an email explaining that the previously sent invoice has the wrong account number. The email is sent from the compromised email account, making the communication seem legitimate.
Once the client transfers the money to the scammers’ account, the scammers move it to another one and ultimately withdraw the funds. Until that step is finalized, they keep up the charade:
- Art dealers’ emails to the clients, asking why the payment has not been effected, are intercepted, and fake responses are delivered to them, reassuring them that there has been a slight delay, but that everything will be solved in a few days.
- The clients, on the other hand, might be reassured with fake emails that the deal has gone through, and that delivery of the artwork will soon be effected.
A similar scheme is used to intercept galleries’ payments to artists whose artwork they sold. And sometimes the scammers simply hijack the account of a higher-up in the company, send an invoice to the in-house accountant and demand that it be paid immediately.
In short, these art galleries are targeted in exactly the same way that many other types of businesses are. The criminals don’t care which industry these businesses are in; they just care about the fact that large sums of money are often exchanged for goods or services.
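The invoice swap described above can be caught on the paying side by comparing the bank details in each payment email with those already seen from the same sender. The following is an added example, not part of the original article; the messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# IBAN-shaped token: country code, 2 check digits, 11-30 more characters,
# optionally printed in space-separated groups.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")

def iban_is_valid(iban):
    """ISO 13616 mod-97 check; filters out tokens that only look like IBANs."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def extract_ibans(text):
    found = {re.sub(r"\s", "", m) for m in IBAN_RE.findall(text)}
    return {i for i in found if iban_is_valid(i)}

def review_payment_emails(raw_messages):
    """Flag mail whose bank details differ from those first seen for the sender.

    The sender address is no defence here: the fraudulent invoice comes from
    the dealer's real, compromised mailbox, so only the content gives it away.
    """
    known = {}    # sender address -> IBANs accepted so far
    alerts = []   # (sender, subject, new IBANs) needing out-of-band checks
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1].lower()
        ibans = extract_ibans(msg.get_payload())  # assumes a plain-text body
        if not ibans:
            continue
        if sender not in known:
            known[sender] = ibans
        elif ibans - known[sender]:
            # Unverified details are reported, never added to the known set.
            alerts.append((sender, msg["Subject"], sorted(ibans - known[sender])))
    return alerts

# Constructed sample mail; the IBANs are standard documentation examples.
SAMPLES = [
    "From: Gallery <sales@gallery.example>\nSubject: Invoice 114\n\n"
    "Please pay to IBAN: GB29 NWBK 6016 1331 9268 19\n",
    "From: Gallery <sales@gallery.example>\nSubject: Invoice 114 corrected\n\n"
    "The previous invoice had the wrong account number.\n"
    "Please use IBAN: DE89 3704 0044 0532 0130 00\n",
]

if __name__ == "__main__":
    for alert in review_payment_emails(SAMPLES):
        print("verify by phone before paying:", alert)
```

The first IBAN seen for a sender is trusted here, so in practice the known set should be seeded from payee details confirmed by phone or in person.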
Protection is easy and cheap
According to Prideaux, the victims he knows about lost from £10,000 to £1 million to scammers.
London-based dealer Laura Bartlett lost a major sale that way and, ultimately, had to close her gallery.
Some of the victims were lucky: the transactions were flagged by the bank as suspicious, and never completed. Others lost money and are still battling the bank, claiming that it should have spotted the unusual transactions and raised an alert.
The Society of London Art Dealers has been warning its members about the dangers of email fraud for a while now, and so has the Art Dealers Association of America.
“These attacks, known as ‘man-in-the-email’, show us just how successful social engineering tactics can be at extorting money from victims,” says Thomas Fischer, Global Security Advocate at Digital Guardian.
He advises businesses to implement multi-factor authentication wherever it is available, as it will help prevent unauthorised access to e-mails, especially if an attacker attempts to log in from a new location.
“They should also look to add a digital signature solution to emails and assess whether certain documents, such as invoices, should only be sent using a secure file exchange solution. These are small, relatively inexpensive measures, but together, they can significantly improve defences against social engineering,” he notes.
“In addition to stronger security protocols, raising user awareness is an effective way to lower the risk of man-in-the-email attacks, and it’s not just up to the IT department. It is the responsibility of every business leader to ensure that employees receive training on identifying fraudulent e-mails. They should be taught to be skeptical of urgent money transfer requests, especially from C-level executives, and verify those requests, either by phone or in person.”