Art Market

Steps Galleries Can Take to Sell Art Safely Online

Justin Kamp
Aug 28, 2020 3:25PM
Kristin Headlam
Milena at computer, 2017
Charles Nodrum Gallery

The vast majority of art world transactions have shifted online due to the COVID-19 outbreak, making the frequently time-consuming process of purchasing art potentially both much smoother and much riskier. The transition of face-to-face business online has greatly increased the possibility of cyberattacks, which can cost all parties involved not just money but also peace of mind. And while collectors can take precautions to ensure their security, galleries are often the primary targets of these attacks—and the ones with the most to lose.

According to Kenneth Mullen, an art law group member at Withers and a partner in the law firm’s intellectual property and technology division, most large galleries are regularly subject to automated phishing or malware attacks designed to gain access to confidential financial information. While these sorts of attacks are easily recognized and averted by security software and firewalls, targeted hacking is becoming ever more prevalent, and is usually more successful than the copied-and-pasted phishing attempts.

As the name implies, a targeted hack involves a concerted effort focused on exploiting weak spots in an organization or on manipulating specific parties in a business transaction. When these sorts of exploits are successful, hackers can “gain access to sensitive information about clients or transactions, which can then be used to facilitate fraud,” according to Mullen. “Some of these attacks may go undetected and hackers may be monitoring accounts for weeks to assess movements of the gallery staff or the transaction before striking.”

With this newfound stockpile of confidential information, hackers can then initiate a number of exploits. According to Mullen, the most common of these include the “man in the middle” attack—where the hacker overtakes a conversation by impersonating either buyer or seller in order to redirect purchase proceeds into their own bank account—and a related exploit in which the fraudster poses as a senior employee of the gallery and bombards a low-level employee with urgent emails and invoices, stressing that funds be transferred immediately.

Attacks of these sorts can end up costing dealers thousands—if not millions—of dollars. When dealer Simon C. Dickinson sold a John Constable painting to the Rijksmuseum Twenthe for £2.4 million ($3.1 million) in 2018, he never received payment—hackers had hijacked Dickinson’s correspondence with the museum and swapped his bank details with theirs. The two parties are still embroiled in a legal battle, with each side blaming the other for the slip in security.

According to Mullen, the probability of holding the hackers accountable for losses is extremely low. “Pursuing the actual perpetrators is extremely difficult, assuming you even know who they are—they will usually be part of a complex network which has covered its tracks across multiple jurisdictions,” he said. “Even if you are able to trace the criminals, our experience is that perpetrators are often based in jurisdictions that are effectively beyond the reach of most conventional legal enforcement mechanisms.”

Daniel Schnapp and Jason Gonzalez, partners at the law firm Nixon Peabody LLP, recommended that all art institutions and galleries prepare an incident response plan, which will guide an organization experiencing a cybersecurity breach through initial triage assessments, contacting an outside data security counsel, and insurance claims, as well as through reparative next steps such as identifying what aspect of security was breached and what data was accessed, and implementing changes to prevent such breaches in the future. Even with a plan like this in place, however, Schnapp and Gonzalez said financial recuperation is most likely only possible through insurance. The safest bet is implementing strategies to prevent breaches in the first place.

(Artsy’s gallery network has been the target of such attacks. In order to combat targeted hacks, Artsy has invested in its security procedures to protect partners, created a team dedicated to trust and safety, built best-practice resources, and communicated directly with both its users and employees so they have the tools to transact more securely online.)

Schnapp and Gonzalez recommend keeping meticulous inventory of data, only hanging onto data that is absolutely necessary, and encrypting sensitive email communications. Perhaps most important, though, is training employees to have good cybersecurity habits, including “not opening suspicious emails, not clicking on attachments, using and changing strong passwords, keeping anti-virus software updated, and not sharing their computing devices,” they said.

Mullen echoed this point, stressing that most fraud involves some element of human manipulation, and that gallery employees becoming more literate in the language of email hackers is essential to preventing breaches.

“Galleries should communicate confidential commercial information only by trusted methods,” Mullen said. “Staff should be educated to be wary of unsolicited emails asking to click on links or provide commercially sensitive information. Are you sure about the sender’s identity? Look closely at an email or web address—is it genuine or slightly out of sync with what you’d expect—e.g., an inserted hyphen or ‘.net’ instead of ‘.com’? The changes can be subtle. If a URL or web address for a transaction or payment portal is provided, is it secure? Note that ‘https’ on a website indicates the link to it is secure while ‘http’ does not. Sending transaction emails over public Wi-Fi is also not recommended.”

Ultimately, though, the most effective way to ensure secure transactions is often to hop on the phone to confirm any financial request with the other participant. As Schnapp and Gonzalez added: “Even making one phone call can have the effect of creating a deterrent.”

For additional information regarding secure online transactions, consult Artsy’s dedicated resource page.

Justin Kamp

Correction: An earlier version of this article misattributed a comment made by Daniel Schnapp and Jason Gonzalez.