
The Forger's Blueprint, Redrawn for the Digital Age
A recent piece from The Hacker News draws a striking parallel between the world of fine art forgery and modern cyberattacks, using the legendary impostor Elmyr de Hory as a lens. De Hory spent decades producing convincing fakes of Picasso, Matisse, and Modigliani — not by copying individual works, but by internalizing the style, the technique, and the contextual cues that made those artists recognizable. Experts, dealers, and museum curators were fooled repeatedly, not because they were careless, but because de Hory understood how trust is constructed and exploited it with surgical precision.
The analogy to today's threat landscape is not merely poetic — it is operationally instructive. The most dangerous adversaries facing businesses in 2026 are not brute-force attackers battering down firewalls. They are patient, methodical imitators who study their targets, replicate trusted identities, and exploit the very mechanisms organizations rely on to feel secure.
How Modern Threat Actors Forge Trust
De Hory's genius was understanding that forgery is fundamentally a confidence game — the forger doesn't need to be perfect, they just need to be convincing enough to bypass the skepticism of whoever is evaluating the work. Today's attackers operate on exactly this principle across several well-documented attack vectors:
- Business Email Compromise (BEC): Threat actors don't just spoof a CEO's email address — they study communication patterns, tone, vocabulary, and even the timing of messages. A well-crafted BEC attempt mirrors the authentic sender so closely that recipients override their own instincts. FBI data consistently shows BEC as one of the costliest cybercrime categories, with billions lost annually.
- Brand Impersonation: Phishing campaigns in 2026 frequently replicate the visual design, domain structure, and even SSL certificates of legitimate vendors. A fake DocuSign or Microsoft 365 login page is the digital equivalent of a forged Matisse — close enough to pass a casual inspection.
- Trusted Tool Abuse (Living off the Land): Advanced persistent threat (APT) groups increasingly operate using legitimate system tools — PowerShell, WMI, remote management software — so their activity is indistinguishable from normal administrative behavior. This is imitation at the infrastructure level: blending into the environment rather than announcing an intrusion.
- Deepfake and AI-Assisted Social Engineering: Synthetic voice and video technology now allows attackers to impersonate executives in real time. In 2025 and into 2026, multiple organizations reported fraudulent wire transfers authorized after employees received what appeared to be video calls from their own leadership.
In each case, the attack succeeds not because of a technical vulnerability, but because the imitation was good enough to satisfy a human — or automated — trust evaluation.
Key Takeaway
The most effective cyberattacks in 2026 are identity attacks. Perimeter defenses and signature-based detection are ill-equipped to stop a threat actor who looks, sounds, and behaves like a trusted insider or vendor. Your security posture must account for the reality that trust itself is an attack surface.
What the Art World Learned — And What Security Teams Should Apply
The art authentication community eventually developed robust countermeasures against forgers like de Hory — not by relying solely on expert judgment, but by introducing independent, technical verification. Infrared reflectography, provenance chain analysis, pigment dating, and multi-expert peer review all became standard. The lesson: when the forgery is too good to detect by eye, you need instruments that operate on a different layer of reality.
Security teams can draw direct operational guidance from this evolution:
- Implement multi-factor and phishing-resistant authentication everywhere. Passwords and even traditional MFA are forgeable. Hardware security keys (FIDO2/passkeys) provide a cryptographic anchor that cannot be replicated by social engineering alone. Prioritize their deployment for privileged accounts and financial approval workflows first.
- Treat out-of-band verification as a procedural requirement, not a suggestion. Any request involving wire transfers, credential resets, or access escalation should require a separate, pre-established verification channel. A phone call to a known number. A Slack message to a verified account. Assume the primary channel may be compromised.
- Deploy behavioral analytics alongside signature-based detection. Deviations in login times, unusual data access patterns, and anomalous lateral movement are the forensic equivalents of anachronistic pigments on a supposed old master painting. UEBA (User and Entity Behavior Analytics) tools are purpose-built to surface these inconsistencies.
- Run regular social engineering simulations that include impersonation scenarios. Standard phishing simulations test link-clicking behavior. Escalate your program to include vishing (voice phishing), simulated executive impersonation, and deepfake awareness exercises. Employees cannot recognize an attack vector they have never encountered in a safe environment.
- Establish vendor and third-party identity verification workflows. Many supply chain compromises begin with impersonation of a trusted vendor. Formalize the process for confirming identity when onboarding new vendor contacts or responding to unexpected requests from existing ones.
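The behavioral-analytics item above names deviations in login times and unusual access as the signals to surface. The following is an added example, not from the original article and not any UEBA product's logic: a minimal per-user baseline that flags a login far from the user's usual hours or to a host the user has never accessed. The event format, host names, and two-hour tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (ISO timestamp, user, destination host).
BASELINE = [
    ("2026-01-05T08:55:00", "alice", "fin-app01"),
    ("2026-01-06T09:10:00", "alice", "fin-app01"),
    ("2026-01-07T09:02:00", "alice", "mail01"),
    ("2026-01-08T17:40:00", "alice", "fin-app01"),
    ("2026-01-05T22:15:00", "bob", "backup01"),
    ("2026-01-06T23:05:00", "bob", "backup01"),
    ("2026-01-07T00:20:00", "bob", "backup01"),
]

def hour_gap(a, b):
    """Distance between two hours of day on a 24-hour circle (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def build_profiles(events):
    """Per-user baseline: the set of login hours seen and the set of hosts accessed."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host in events:
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
        profiles[user]["hosts"].add(host)
    return profiles

def score_event(profiles, event, tolerance_hours=2):
    """Return the list of reasons this event deviates from the user's baseline."""
    ts, user, host = event
    if user not in profiles:
        return ["no baseline for user"]
    profile, reasons = profiles[user], []
    hour = datetime.fromisoformat(ts).hour
    if min(hour_gap(hour, h) for h in profile["hours"]) > tolerance_hours:
        reasons.append(f"login at {hour:02d}:00 is outside usual hours")
    if host not in profile["hosts"]:
        reasons.append(f"first access to {host}")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for ev in [("2026-01-09T09:20:00", "alice", "fin-app01"),
               ("2026-01-10T03:12:00", "alice", "dc01"),
               ("2026-01-09T01:30:00", "bob", "backup01")]:
        print(ev, score_event(profiles, ev) or "consistent with baseline")
```

The circular hour distance matters for accounts like the constructed "bob" whose normal activity spans midnight; a plain numeric comparison would flag a 01:00 login against a 23:00 baseline.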
The Strategic Implication: Deception Defense Is Not Optional
The art world's struggle with forgery offers one final, sobering lesson: de Hory operated successfully for decades before he was exposed, and even then, many of his works remain in circulation undetected. The implication for enterprise security is that some degree of successful imitation is inevitable — no detection system is perfect, and adversaries continuously refine their tradecraft in response to defensive improvements.
This reality argues for a defense-in-depth posture that assumes some attacks will bypass initial controls. Segmented networks limit blast radius when an impersonator gains a foothold. Incident response plans that include identity compromise scenarios ensure your team can move quickly when deception is discovered. Cyber insurance policies reviewed for social engineering and funds transfer fraud coverage provide a financial backstop when technical controls fall short.
The forger's art is patience and study. The defender's art is the same — understanding how trust is built, where it can be manufactured, and designing systems resilient enough to survive the inevitable imitation attempt.



