Hackers stole $4.7 million from a Dutch art museum in a business email compromise scheme.
The unknown cyber criminals had been sniffing emails between the Rijksmuseum Twenthe art museum and art dealer Simon Dickinson as the two parties worked out the sale of a painting by 19th-century landscape artist John Constable.
After tracking months of negotiations, the hackers impersonated Dickinson through spoofed emails and convinced the museum to send £2.4 million ($4.7 million) to a Hong Kong bank account in exchange for the painting 'A View of Hampstead Heath: Child’s Hill, Harrow in the Distance'.
By the time the fraud was detected, Constable’s landscape had already arrived at the Dutch museum.
Although it was not determined which party had their email systems compromised, the museum tried unsuccessfully to sue Dickinson for damages over the incident earlier this year.
The art dealer’s lawyer argued that the museum should have taken reasonable steps to ensure that the emails pertaining to the large transaction were legitimate, Bloomberg reported.
Know your seller
Developer of an upcoming anti-money laundering app for the art world, Susan Mumford, said the bank account to which the Dutch museum was sending money should have triggered alarms.
“To send £2.4 million to Hong Kong when the dealer is based in London brings up an immediate question and anyone sending a sizeable fund these days should be double checking,” Mumford told the Telegraph.
“This kind of fraud is becoming really common and is one of the biggest risks to art dealers today, but I haven't come across a case where such a large sum has been transferred to the wrong account.”
Mumford’s suggestion was that organisations shouldn’t be wholly reliant on digital communications when moving large sums of money.
“Putting measures in place is essential. You need to verbally confirm with a dealer whether the bank details are correct,” she said.
“You need to make sure it's two individuals who know each other's voices. If you do that and also have cyber insurance, you've taken really good measures. If you do neither then you don't have a leg to stand on.”
The dispute over the painting is ongoing, with the Dutch museum still holding onto it and the dealer never having received the money.
Business email compromise (BEC) scams are increasingly common as people get more used to spending money online.
In 2018 alone, it was estimated that Australian businesses lost more than $60 million from this type of scam.
NSW Police recently charged two men over their alleged involvement in an email scam syndicate that has stolen millions from unsuspecting businesses.
Earlier this year, an ice rink in Sydney’s South West fell victim to a BEC scam after receiving changed payment details for a new ice resurfacer it was purchasing.
As with the Dutch museum, a director from the Canterbury Olympic Ice Rink apparently did not question the fact that its UK-based supplier, Marshall’s International, was suddenly requesting payment into a Hungarian bank account.
The co-op ice rink realised its loss of $77,000 months later when the supplier followed up about the missing payment. It has claimed that the supplier is responsible for damages, saying the incident came from Marshall’s compromised email system.