How Art Galleries and Museums Can Protect Themselves Against Hackers

Last year, The Art Newspaper broke the news of a wave of cybercriminal attacks on gallerists and dealers worldwide. Hackers targeted several London gallerists including Laura Bartlett, Simon Lee, Thomas Dane, and even Hauser & Wirth, among others. US-based dealer Tony Karman was also a victim of a similar attack.

A common trend was apparent in the scheme. Hackers used what is known as a man-in-the-middle attack. The scam involved the infiltration of the art dealer’s email account. The criminals monitored ongoing correspondences and hijacked messaging whenever the gallery sent a PDF invoice to a client. Posing as the gallerists, the cybercriminals sent a duplicate invoice from the gallery’s email address and instructed the clients to disregard the first invoice. The unsuspecting buyers would then wire the money to the account listed in the fraudulent invoice.

The question now is what galleries should do to protect themselves from such scams.

Antivirus and Encryption Software

Implementing extra security measures such as anti-virus programs and encryption software is always a great protective measure.

However, galleries should opt for persistent, up-to-date, “full-spectrum” computer system vaccinations instead of free downloadable programs. The latter may not have the latest malware databases to purge their systems, and may not be eligible for periodic updates.  The former, on the other hand, may come with long-term updates of the latest security and encryption measures.

Password Protection

Hackers write programs that apply dictionaries with millions of passwords to force entry into the computer systems of individuals and organizations. So-called “brute force attacks” have a startlingly high success rate of infiltrating computers. The three biggest reasons the attacks are so fruitful is that:

  1. Individuals use simplistic passwords they can remember;
  2. Users do not change their passwords frequently enough;
  3. They use the same passwords across applications.


For greater security, galleries can set the password length to 20 characters, chosen at random. Password vault software such as Dashlane and LastPass can help users generate and maintain lengthy complex passwords.


Hackers often use a method called email spoofing. They alter parts of an email to trick users into believing it comes from a legitimate source. These scammers pose as chief executives or business owners and send forged messages to the business’s accounting manager.

This was what London-based dealer Simon Lee recently had to deal with. Their accountant received an email from someone within the company, instructing her to pay an invoice immediately.

Expo Chicago also suffered the same ordeal. Unlike the former, though, they were able to detect the bogus email. Before wiring the payment, the accountant opted to confirm the details of the invoice with the president of the company, Tony Karman.

Apart from extra security measures, an effective way to prevent cyber fraud is education. Employees can be taught how to detect these cyber-attacks. Better yet, companies should consider implementing more robust processes and procedures that involve responses to electronic requests.

Strengthening Corporate Governance

Requests for the disbursement of funds — no matter who the requestor is — should be verified in person or by phone.  This sort of “two-step” verification is a common option offered to bank customers. After a customer logs into their account online, they choose to receive a numeric code sent to their email account or to their mobile phone by SMS. They then enter the code to verify that it is indeed the owner of the account signing in.

Sometimes, though, the most effective measures against hackers do not involve the application of more hardware or even of software, but of the wetware with which are all endowed — our common sense.