In June of 2016, Small Business Trends reported a rapid rise in the number of small businesses being targeted by cyber criminals. Today cyber criminals appear to be choosing their targets more carefully and setting their sights on larger prey, focusing on businesses where the average transaction amount is in the thousands, sometimes millions, of dollars.
As originally reported in October by The Art Newspaper, art galleries in the U.K. and the U.S. are the latest business segment to fall victim to cyber criminals employing the Business Email Compromise (BEC) scam, also referred to as “man-in-the-middle.”
How the man-in-the-middle scam works
Cyber criminals hack into a business’s email account and monitor it for messages containing a PDF, usually an invoice being sent to a customer following a sale. The scammer then makes up a fake invoice with different bank details and sends the customer an additional message telling them to ignore the previous invoice and pay against the revised one. The funds are then diverted to the scammer’s account instead of the gallery’s. The scammer withdraws the funds and quickly disappears.
The technique is also used to intercept payments made by the gallery to the artists who supply their work. The scam is easy to fall victim to because the emails appear to come from a known source. Galleries are an ideal target due to the high ticket price on many of the products they sell. The scam has so far netted millions of dollars.
“We know a number of galleries that have been affected,” said Adam Prideaux, Hallett Independent art insurance broker, in an interview with the publication. “The sums lost by them or their clients range from £10,000 [$13,000] to £1 million [$1.3 million]. I suspect the problem is a lot worse than we imagine.”
One London-based art dealer, Laura Bartlett, told reporters she was hit by the scheme earlier this year after making “quite a high-value sale” to a U.S.-based art collector.
“Somebody sent out another email saying, ‘Ignore my previous invoice. I sent you old bank details; please use this invoice instead,’” Bartlett recalled. “I kept checking my account to see if the money had arrived and sending more and more emails to my client to ask where the funds were.”
The Art Dealers Association of America issued a warning on cyber risks in February of this year, outlining different kinds of online fraud schemes, including man-in-the-middle attacks. It advised galleries and art dealers to take precautions such as encrypting invoices and confirming bank details by phone with clients, artists and service providers before money is transferred.
1 – Regularly change all passwords for email, software and Wi-Fi
2 – Ensure all anti-virus software is up to date
3 – Only send invoices by email if they have been encrypted (password-protected)
4 – After sending or receiving an invoice by email, call and/or send a text message to the recipient to double-check the sort code and account number
5 – Urge all staff to be extremely vigilant when opening emails and do not download any attachments or click on web links from an untrusted source. Always confirm legitimacy over the telephone with the sender if in doubt
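The double-check in item 4 can be backed by an automated first pass. The following is an added example, not part of the original article: it compares the sort code and account number quoted in a message against details already confirmed by phone, and flags the "ignore my previous invoice" wording described above. The payee name, account numbers, message bodies and function names are all constructed for illustration.

```python
import re

# Labelled UK bank fields: the sort code and account number the checklist says to double-check.
SORT_RE = re.compile(r"sort\s*code\D{0,5}(\d{2})[-\s]?(\d{2})[-\s]?(\d{2})\b", re.I)
ACCT_RE = re.compile(r"account\s*(?:number|no\.?)\D{0,5}(\d{8})\b", re.I)
# Wording typical of the "revised invoice" follow-up described in the article.
REPLACE_RE = re.compile(
    r"ignore (?:my|the|our) (?:previous|earlier|last) invoice"
    r"|(?:old|new|updated|revised) bank details"
    r"|use this invoice instead", re.I)

def extract_bank_details(text):
    """Return (sort_code, account_number) as digit strings, or None if either is missing."""
    sort, acct = SORT_RE.search(text), ACCT_RE.search(text)
    if not (sort and acct):
        return None
    return "".join(sort.groups()), acct.group(1)

def reasons_to_hold(payee, text, verified):
    """List reasons to pause payment until the payee confirms details by phone."""
    reasons = []
    details = extract_bank_details(text)
    if REPLACE_RE.search(text):
        reasons.append("asks to disregard an earlier invoice or bank details")
    if details is not None:
        if payee not in verified:
            reasons.append("no phone-verified bank details on file for payee")
        elif details != verified[payee]:
            reasons.append("bank details differ from phone-verified record")
    return reasons

# Constructed sample data: payee name, account numbers and message bodies are invented.
VERIFIED = {"Example Gallery Ltd": ("123456", "12345678")}
ORIGINAL = "Invoice 001 attached.\nSort code: 12-34-56\nAccount number: 12345678"
FOLLOW_UP = ("Ignore my previous invoice. I sent you old bank details; please use "
             "this invoice instead.\nSort code: 65-43-21\nAccount no: 87654321")

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("follow-up", FOLLOW_UP)):
        print(label, reasons_to_hold("Example Gallery Ltd", body, VERIFIED))
```

An empty list only means the quoted details match the verified record; bank details carried inside a PDF attachment are not read by this check, so the phone call in item 4 still applies.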
Cyber insurance is catching on but may not cover high losses
With a rapid increase in small business cyber crime, many small and medium-sized businesses are taking out cyber insurance policies. This kind of insurance offers some protections, but it’s not a catch-all. Cyber policies will only protect the policy holder, so if the victim is a gallery customer, they are likely to have no way to get reimbursed.
Small businesses, particularly those in the art world, should be vigilant and take extra precautions in guarding access to their business email accounts. Also, stay informed by familiarizing yourself with the techniques scammers are employing. The Symantec Internet Security Threat Report is an excellent resource, as well as the following articles from Experian: