The COVID-19 crisis has led to a rise in phishing and other email scams. These scams exploit the increase in remote work and concerns about COVID-19 to target victims. Common tactics include:
- Emails to businesses with malicious attachments claiming to be health tips or information about COVID-19 cases in your area.
- Emails to employees appearing to be from human resources or management containing malicious links, requesting sensitive information, or providing payment details belonging to the scammers instead of the business or its clients.
The tips in this article will help you deal with COVID-19 related email scams as well as regular phishing scams.
Stay ahead of the curve when it comes to cybersecurity. Learn how phishing works, how to spot an attack, and how to stay safe.
This is the first article in a series about common security threats that our gallery, fair, and auction partners face online. These articles will help you stay ahead of the curve when it comes to cybersecurity, giving you resources to protect yourself, your clients, and your business, and transact online with confidence.
What is phishing?
Phishing scams are recognized by the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) as one of the most common tactics used by cybercriminals to obtain log-in credentials to online accounts, including your email account, bank account, or Artsy account. The term “phishing” itself refers to the manner of the tactic: A cybercriminal will essentially fish for log-in credentials using fake emails or direct messages linking to web pages purporting to be a service you use, like your email provider, or even Artsy.
Here’s an example of an attempted phishing scam targeting an Artsy partner and their Artsy log-in credentials:
- The phishing scam begins with an email. An employee at one of our partners receives an email (appearing to come from a collector) about an artwork they are interested in. The collector could be unknown to the employee, or they could appear to be a familiar patron. This email may be modified to appear to come via Artsy. The email lacks details about the specific work the supposed collector is interested in.
- The employee responds. The employee replies to the email asking which work the collector is interested in. At this point, the cybercriminal (posing as a collector) responds with a link to the work. This link is made to look like an Artsy link. (Cybercriminals could also send this link in their first email to the gallery.)
- The employee clicks on the link. This link takes the gallery’s employee to a fake Artsy log-in page, and the employee attempts to log in. The fake log-in page can be quite convincing, but it is controlled by the cybercriminal. Now the cybercriminal has the gallery employee’s Artsy log-in.
Example phishing email.
While this tactic could involve using fake Artsy links and web pages, the scam itself takes place via email and does not involve any Artsy systems. A phishing scam could even come through other services you might be familiar with, often related to your email. Famously, the Democratic National Committee (DNC) email servers were hacked after a DNC employee was phished using a fake Google log-in page.
If a cybercriminal were to gain access to your log-in credentials, they have further avenues for fraud. They may also try your password on other sites you use (like your email account) in the hope that you use the same password across different services. They may review your communications with collectors and target them next.
These types of scams affect every business that is active online. For some time, it seems that the art world has received less attention from cybercriminals—but now, with a thriving online art marketplace and thousands of galleries doing business through digital platforms like Artsy, by email, and by phone, cybercriminals have realized that there are opportunities. Fortunately, there are tried-and-true ways of reducing the risk to online accounts, including your Artsy presence.
How to spot phishing scam attempts
Thankfully, phishing scam attempts are fairly easy to spot and avoid. Here are some things to look out for:
- Check the sender’s email address. Often, a cybercriminal will create an email address that looks similar to a legitimate email address by using spelling variations or different domain names to a real or familiar email address. Pay attention to the “from” email and look for typos, misspellings, and unusual domain names.
- Check the links in the email. Phishing scams depend on you clicking links blindly in emails without checking where they really lead. Check the links in the email by hovering your mouse over a link. You’ll see the web address that it truly leads to appear in the bottom corner of your browser.
- Check the URL on the log-in page. Once you are on a log-in page, pay attention to the URL. Often, it will be unusual, incorrect, or a variation of a URL you’re familiar with. All Artsy CMS pages contain “artsy.net” near the beginning of the URL.
Screenshot of the Artsy CMS log-in page with a URL containing "artsy.net"
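As an added example (not code from the original article or from Artsy), the following Python snippet applies the sender-address and URL checks described above programmatically. It assumes `artsy.net` as the trusted domain, and all sample addresses and URLs are constructed for illustration; it also shows why "artsy.net" merely appearing somewhere in a URL is not enough: the host itself must be artsy.net or one of its subdomains.

```python
from urllib.parse import urlparse

# Assumption for this example: the only legitimate domain for the log-in page.
TRUSTED_DOMAIN = "artsy.net"


def host_is_trusted(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """True only if the URL's host is the trusted domain or a subdomain of it.

    Uses the parsed hostname, so tricks such as 'artsy.net' in the path,
    in a longer host ('artsy.net.example.com') or in the user-info part
    ('https://artsy.net@example.com/') are all rejected.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_verdict(address: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Classify the domain of a 'From' address as trusted, lookalike or unrelated."""
    domain = address.rsplit("@", 1)[-1].strip(" >").lower()
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return "trusted"
    # Lookalike: embeds the real domain, or is a short edit away from it.
    if trusted_domain in domain or edit_distance(domain, trusted_domain) <= 2:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples, not real messages.
    for url in ("https://www.artsy.net/login", "https://artsy.net.example.com/login",
                "https://example.com/artsy.net/login", "https://artsy.net@example.com/"):
        print(url, "->", "trusted host" if host_is_trusted(url) else "NOT trusted")
    for addr in ("Collector <collector@artsy.net>", "inquiries@artsv.net", "a@gmail.com"):
        print(addr, "->", sender_domain_verdict(addr))
```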
If you receive an email from a service you use and you feel it could be a phishing attempt, it’s best to forward that email directly to the provider that it is impersonating. Any suspicious emails purporting to be from Artsy should be forwarded to firstname.lastname@example.org. We’ll let you know if it is legitimate.
How to protect yourself
- Use strong, unique passwords. Use long passwords with upper- and lowercase letters, numbers, and special characters. Use a different password for each log-in. We recommend that you use a password manager like 1Password or LastPass to make it easy to use strong, unique passwords across all your accounts.
- Enable Two-Factor Authentication for log-ins. Two-factor authentication is an important security feature that can protect your log-ins, especially for systems like Artsy CMS. When you enable it, you add an extra layer of security to your account by requiring a one-time security code generated by an app or sent to you via SMS to be submitted each time you log in. Review How to Enable Two-Factor Authentication.
- Log in using trusted information when you’re unsure. If you have any suspicions about an email, log in to the service using another URL or link you’ve used in the past. Or, you can contact the person or service provider directly through a web address, email, or phone number that you know is correct. For instance, if you received a suspicious email from Google, log in to your account through your normal log-in page rather than the one linked to in the email. If you receive an email about an Artsy inquiry, log in to your Artsy CMS through your usual URL and check the inquiry from there.
- Don’t log in to a service that you haven’t used before. It goes without saying, but if you do not have an account with the service in question, do not attempt to log in or respond to a suspicious email from that service provider.
- If you suspect you may have given away your password, change all your passwords immediately. If you suspect that any of your accounts have been compromised, change that account’s password immediately and then contact the service provider. If your email account has been compromised, you’ll need to change all passwords for all of your online accounts. If you ever suspect your Artsy account has been compromised, email us immediately at email@example.com.
How Artsy is countering these threats
Ultimately, phishing attempts rely on tricking the user into giving away information, rather than any actual “hacking” in the conventional sense. This means that the best defense against phishing is a cautious, aware, and educated user. However, there are changes that Artsy is making to our platform to make it harder for anyone to steal your Artsy log-in credentials.
- Rapidly investigating any threats to partners. Our dedicated Trust and Safety team investigates threats as soon as they arise, taking steps to protect our partners. Report any suspicious communications to firstname.lastname@example.org.
- Revealing URLs. Whenever someone sends a URL in Artsy Conversations, we reveal the full URL and do not allow it to be hidden in any way. Please be sure to scrutinize any links in direct messages and exercise caution.
- Strengthening passwords. We are strengthening password requirements for our partners to protect their CMS accounts.
- Removing limits on user log-ins. To prevent passwords from being shared, we are allowing all partners to have unlimited user log-ins.
- Making further improvements. We are also working on further technical improvements to protect you, your account, and the collectors with whom you transact on Artsy. We’ll share more information about these in coming weeks.
If you have any questions about the topics discussed here or about any communications you receive, please reach out to our Trust and Safety team at email@example.com. We’re dedicated to helping you stay secure online and transact through Artsy with confidence.