February 20, 2020

Confrontation Based On Deception: $3.1 Million Swindled During Negotiations Over John Constable Painting

Business email compromise 2020 example

Art theft has been around for centuries.

The first documented art theft happened in the 15th century. In 1473, Hans Memling was robbed by Polish pirates of his altarpiece triptych called “The Last Judgment”, while traveling to Florence by ship. That work of art now belongs to the National Museum in Gdańsk.

While that seems harsh, one fairly recent case will give it a run for its money. 

Criminals recently duped Rijksmuseum Twenthe, a museum based in the Netherlands, into transferring them £2.4 million ($3.1 million) for an iconic work by John Constable that was in the possession of Simon C. Dickinson Limited, an art dealer in London.

Interestingly, the artwork itself was not stolen. The Rijksmuseum is holding on to it, refusing to return it to the dealer, who didn’t get any money. Both sides are fighting in court now, claiming they have been scammed.

A View Of Hampstead Heath: Child’s Hill, Hackers In The Distance 

So how could this happen?

The Twenthe museum and a London art dealer handled their negotiations via email, trading messages back and forth for months. 

During the negotiation process, cybercriminals gained access to one of the parties’ systems and read through the messages to find a suitable moment to make their move. More specifically, they sent spoofed emails that looked like they came from Simon C. Dickinson Limited but carried their own Hong Kong bank account details.

This is not a new move by any means, but a variation of a widespread fraud.

You can read about it in more detail in the article “The Annual PSA From The FBI: Three More Letters That Stand Behind A $26 Billion Scam”. The Business Email Compromise scam, described in that article, was reported in 177 countries, with banks in China and Hong Kong being the most popular destinations for fraudulent transfers.

The aftermath of this particular case is fascinating - the museum sued Dickinson, stating that the dealer should have known about the fraud, and making a point that “by saying nothing, they said everything”. 

The museum’s lawyer Gideon Shirazi made a point that Dickinson had to maintain reasonable email cybersecurity. To parry this, Dickinson’s lawyer told the court that the museum had to confirm that the bank details mentioned in the email were genuine. 

At the end of the day, the art dealer can’t sell the piece elsewhere, as the museum intends to keep it, and the undisclosed owner cannot be paid.

Who’s Right? Who’s Wrong?

“This unfortunate event highlights the dangers of cybercrime in the art world, which is regrettable for both the museum and Dickinson, especially when both are victims in this instance,” shared Emma Ward, Dickinson’s managing director.

Did the museum have to confirm the bank details? Sure. 

Should Dickinson have maintained email security? Absolutely.

If we are allowed to put on the lawyer’s wig, we can state that both sides have a point, but both should also maintain email security, and both need to verify the bank details when transferring such sums. The easiest way to thwart this scam is to avoid relying on email alone and to confirm the information through an independent communication channel.

If you want to double down on your BEC-preventing efforts, do the following:

  • Monitor financial accounts regularly.
  • Always check email addresses - they can give away a spoofer. 
  • Do not disclose login credentials or personal data in emails or on websites you are redirected to from email URLs.
  • Enable two-factor authentication on all your accounts, ensure that your passwords are strong, and don’t use the same passwords across multiple services.
  • Keep yourself informed about the latest email threats waiting for you in the inbox.
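
The address check and the bank-detail verification described above can be partly automated before a payment is released. The following is an added example, not code from the original article; the vendor record, domain names, account strings and function names are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed vendor record, confirmed by phone and kept outside email (constructed values).
VENDOR = {"domain": "dealer.example", "iban": "GB00EXAM00000000000001"}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # IBAN-shaped strings

def domain_of(header):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_email(raw, vendor=VENDOR):
    """Return reasons to hold a payment until verified by phone."""
    msg = message_from_string(raw)
    flags = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if sender != vendor["domain"]:
        near = edit_distance(sender, vendor["domain"]) <= 2
        flags.append("lookalike sender domain" if near else "unknown sender domain")
    if reply and reply != sender:
        flags.append("reply-to differs from sender")
    # Decisive check: a message sent from a compromised genuine mailbox passes
    # both header checks, so compare bank details with the record on file.
    if set(IBAN_RE.findall(msg.get_payload())) - {vendor["iban"]}:
        flags.append("bank details differ from vendor record")
    return flags

# Constructed sample messages; the account strings are not real IBANs.
SPOOFED = ("From: Sales <sales@dea1er.example>\n"
           "Subject: Updated payment instructions\n\n"
           "Please remit to IBAN XX00EXAM00000000000099.\n")
COMPROMISED = SPOOFED.replace("dea1er", "dealer")  # sent from the real mailbox
GENUINE = COMPROMISED.replace("XX00EXAM00000000000099", VENDOR["iban"])

if __name__ == "__main__":
    for raw in (SPOOFED, COMPROMISED, GENUINE):
        print(review_payment_email(raw))
```

An empty result only means none of these three checks fired; it does not replace confirming new or changed bank details through an independent channel.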

“The Art of War” has a tremendous piece that applies perfectly to cybercrimes and people subjected to them:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.

If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.

If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu. 

While these words and five aforementioned pointers will make you less vulnerable to BEC/EAC, more education is necessary to help you stay unharmed online.

As this article is partially related to art, it only feels right to tell you about “The Art of Email Security”, a book that allows privacy-oriented users of different Internet proficiency to get familiar with the best practices of email security. 

Written in a friendly manner that is free of fear, uncertainty, and doubt (used so prevalently in cybersecurity), this material could help people make the right call when dealing with a slippery email slope, full of phishing hooks and cyber crooks. 

As Stephen Sondheim once said, art, in itself, is an attempt to bring order out of chaos.
