Fraudsters posed as art dealer, bilked museum for millions

“We got scammed!” said a London art dealer after business email compromise (BEC) scammers inserted themselves into a months-long conversation about the sale of a £2.4 million (USD $3.1 million) John Constable painting, spoofing their emails to make it look like the messages came from Simon C. Dickinson Ltd.

“No, we got scammed,” said the Dutch museum Rijksmuseum Twenthe, which now has the work by the 19th century English landscape painter and whose money got whisked away by fraudsters who transferred the funds to a Hong Kong account.

According to Claims Journal, lawyers for the two organizations have pointed fingers at each other’s clients, telling a London High Court that it was the other guy’s duty to maintain email security or to independently confirm that the bank details it received were legitimate.

That’s what BEC scammers do: they spoof emails to convince a target that they’re supplying product X in order to receive payment Y, so please make sure to send payment to bank account blah-blah-blah.

Rijksmuseum Twenthe, a museum based in Enschede, Netherlands, tried to file eight claims over the heist of its payment for the landscape painting, including that Dickinson owed it “a duty of care” to maintain reasonable email cybersecurity. Judge Mark Pelling dismissed the museum’s application but said it could seek an alternative way to claim for damages and try again to amend its claims against Dickinson.

Oh, puh-leeez, said Dickinson’s lawyer, Bobby Friedman, who told the court that the museum should have taken the basic step of independently confirming that the bank details received in an email were genuine.

How could the art dealer have known there was fraud afoot? It would have been horrified it if had known, he said. Claims Journal quoted Friedman’s written submissions:

Instead of accepting the reality of the situation, the museum has reacted by pursuing a series of hopeless claims against SCD, in the hope of pinning the blame for the museum’s mistake on SCD.

But Dickinson did know, according to the museum’s lawyer, Gideon Shirazi. Its negotiators were in on the email conversations but did nothing to point out that the emails were spoofed to look like they came from Dickinson, he told the court:

Silence would give rise to an implied representation. By saying nothing, they said everything.

Dickinson still hasn’t been paid. The museum still has the painting and won’t give it up, Friedman told the court. Thus, the dealer can’t sell the piece elsewhere, and it can’t pay the (undisclosed) owner, he said.

According to NL Times, the painting in question is A View of Hampstead Heath: Child’s Hill, Harrow in the Distance, a masterpiece of rolling hills and fleecy clouds that are as easy to put handcuffs onto as the hackers who got away with all that money.

Speaking of fleece …

How to keep from being fleeced

There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.

As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.

Cabarrus County, which fell for a BEC scam to the tune of $1,728,083, which it paid to a scammer posing as a building contractor says it’s doing just that: it’s hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes, and it says that it’s held training for staff and also implemented external checks to validate data received by the county.

Don’t rely on email alone

As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.

FBI Special Agent Martin Licciardo:

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.

Also, here are more tips, for both individuals and businesses:

Watch out for typos
As we saw in the case of crooks who nabbed the proceeds from that $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.

As Naked Security’s Paul Ducklin noted in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.

Watch out for weird requests.
In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed as opposed to being sent via snail-mail. As Paul noted, that makes sense… for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.

Report it.
Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast.