Van Gogh Museum targeted by cyber attack that replicated official website and stole credit card details

Fake site was rapidly taken down and no more than 50-plus people apparently fell victim to the scam

The director of the Van Gogh Museum, Emilie Gordenker, removing a reproduction of the painting Self-Portrait with Grey Felt Hat by Vincent Van Gogh at the museum in Amsterdam. Photograph: Valeria Mongelli/AFP
The director of the Van Gogh Museum, Emilie Gordenker, removing a reproduction of the painting Self-Portrait with Grey Felt Hat by Vincent Van Gogh at the museum in Amsterdam. Photograph: Valeria Mongelli/AFP

One of Europe’s most popular art galleries, the Van Gogh Museum in Amsterdam, has been targeted by a cyber attack that replicated the official website and stole the credit card details of dozens of customers who purchased online tickets.

The attack, known as “malvertising”, is the first of its kind against the art market in the Netherlands, according to the Dutch Museums’ Association, which confirmed that the Van Gogh museum was the first to have its website “cloned”.

It could have been much worse. The fake site was rapidly taken down and the fact that no more than 50-plus people apparently fell victim to the scam was testimony, said experts, to the fact that institutions were constantly vigilant, improving their protection and prevention systems.

“We passed on every report to the police and to Google both from customers who handed over their credit card details and those who were merely suspicious and decided to warn us,” said a museum spokesperson.

READ SOME MORE

The Van Gogh Museum, which has the largest collection of Vincent van Gogh’s paintings and drawings in the world, attracts about two million visitors a year – an ever-increasing proportion of whom book their tickets online. The museum is now urging those interested in paying a visit only to book their slots on the official website, vangoghmuseum.nl.

The success of malvertising of this kind depends on making the fake website look as similar to the real one as possible so that customers don’t give it a second glance. In this case the site did not ask for cash transfers to pay for tickets but first confirmed the availability of a selection of time slots and then asked for credit card details to reserve those slots.

“I heard that a particular exhibition at the museum was sold out but then [I] read in English – on what turned out to be the fake site – that there were some tickets available,” said one purchaser. “I figured maybe they’d kept some back for tourists.”

No such luck. Some purchasers realised they had been had when they saw the tickets they received on their phones were dated 2017. Others were contacted by their credit card companies to say their cards had been blocked because they were the victims of a scam.

The real Van Gogh Museum website does not ask purchasers to enter credit card details. Some customers even had an inkling of this: “I wanted to go to the exhibition so much that I just thought: I’ll go ahead,” said one.

Sign up for push alerts and have the best news, analysis and comment delivered directly to your phone

Peter Cluskey

Peter Cluskey

Peter Cluskey is a journalist and broadcaster based in The Hague, where he covers Dutch news and politics plus the work of organisations such as the International Criminal Court