Fraudsters posed as art dealer, bilked museum for millions
2020-02-03 11:26

"We got scammed!" said a London art dealer after business email compromise scammers inserted themselves into a months-long conversation about the sale of a £2.4 million John Constable painting, spoofing their emails to make it look like the messages came from Simon C. Dickinson Ltd. "No, we got scammed," said the Dutch museum Rijksmuseum Twenthe, which now has the work by the 19th-century English landscape painter and whose money got whisked away by fraudsters who transferred the funds to a Hong Kong account.

According to Claims Journal, lawyers for the two organizations have pointed fingers at each other's clients, telling a London High Court that it was the other guy's duty to maintain email security or to independently confirm that the bank details it received were legitimate.

Rijksmuseum Twenthe, a museum based in Enschede, Netherlands, tried to file eight claims over the heist of its payment for the landscape painting, including that Dickinson owed it "a duty of care" to maintain reasonable email cybersecurity.

Oh, puh-leeez, said Dickinson's lawyer, Bobby Friedman, who told the court that the museum should have taken the basic step of independently confirming that the bank details received in an email were genuine.

As Naked Security's Paul Ducklin noted in the comments section of that article, grammatical perfection on its own isn't enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.


News URL

https://nakedsecurity.sophos.com/2020/02/03/fraudsters-posed-as-art-dealer-bilked-museum-for-millions/