IT West Ltd

From the blog

News from IT West

Art Galleries And Dealers Defrauded Through Email Hack

Art galleries and dealers in the UK have lost hundreds of thousands of pounds after being targeted by email hackers.

Monitor, Intercept and Replace

The social engineering scam, known as a ‘man-in-the-email’ (man in the middle / MITM) attack, which has also worked on US art dealers, involves hacking into the email account of targets – in this case, London art dealers. The hackers have then monitored the email correspondence with the gallery’s clients, and intercepted and diverted payments from clients. This involved intercepting real PDF invoices sent to customers, and swapping them with fraudulent invoices with instructions to send payments to a different account.

It has also been reported that the hack has been used to steal payments made by galleries to their artists. After the money was received by the hackers, it is believed that that it was moved to untraceable locations.

At Least Nine Victims

Reports indicate that at least art galleries and art dealers in the US and now in London have fallen victim to the hackers, and although no exact figure has been put on the losses, the nature of the products that the victims deal in indicates that they could run from tens of thousands to millions of pounds to date.


The Society of London Art Dealers is reported to have previously warned its members about email fraud, and has released further cyber-security materials following this latest scam.

Initial Steps To Prevent More Fraud

The London Evening Standard reported that one way that the Mayfair gallery (Simon Lee), and Thomas Dane Gallery in St James’s have responded to this latest attack is by overhauling their invoicing procedures e.g. Simon Lee’s gallery now issues a standard warning about cyber fraud with every invoice, and the dealer’s accountant confirms banking details with clients over the phone.

What Does This Mean For Your Business?

Online fraud has been on the increase for some time now. Netcraft figures (2016) show that 95% of servers are lacking HSTS security features and are prone to MITM attacks. MITM is also spreading from desktop connections to mobiles, and even to IOT space.

Spyware and malware programs (often arriving by email) are two of the prime causes of MITM attacks and companies can, therefore, seek to insulate themselves against these types of attacks with initial measures such as being proactive in renewing antivirus programs and patches, and conducting regular scans for malware. It is also important to raise awareness among staff and to educate them about the dangers of opening unknown emails. Other measures that companies can take to help themselves include:

  • Introduce multi-stage authentication processes.
  • Have a (verification / authentication / authority) procedure in place for any requests for bank details, payments, money transfers etc.
  • Empower and encourage staff to ask questions and conduct checks wherever suspicions are aroused.
  • Avoid visiting or exchanging information across any websites that do not have the security of HTTPS.
  • Make sure you have the latest version of your server and disable old security protocols versions.
  • Avoid using Free Public Hotspots, and if there is no option but to use them, use a Virtual Private Network or a SSL plugin.
  • Implement Certificate-Based Authentication for all employee machines and devices.