The New York Times has published the story of a strange international phishing scam: unknown actors targeting traditionally published writers, posing as their agents or editors to obtain copies of their unpublished manuscripts.
Earlier this month, the book industry website Publishers Marketplace announced that Little, Brown would be publishing “Re-Entry,” a novel by James Hannaham about a transgender woman paroled from a men’s prison. The book would be edited by Ben George.
Two days later, Mr. Hannaham got an email from Mr. George, asking him to send the latest draft of his manuscript. The email came to an address on Mr. Hannaham’s website that he rarely uses, so he opened up his usual account, attached the document, typed in Mr. George’s email address and a little note, and hit send.
“Then Ben called me,” Mr. Hannaham said, “to say, ‘That wasn’t me.’”
Mr. Hannaham was just one of countless targets in a mysterious international phishing scam that has been tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts. It isn’t clear who the thief or thieves are, or even how they might profit from the scheme. High-profile authors like Margaret Atwood and Ian McEwan have been targeted, along with celebrities like Ethan Hawke. But short story collections and works by little-known debut writers have been attacked as well, even though they would have no obvious value on the black market.
The phisher, or phishers, employ clever tactics like inserting or transposing letters in official-looking email addresses (like “penguinrandornhouse.com” instead of “penguinrandomhouse.com”) and masking the addresses so they only show when the recipient hits “Reply”. They know how publishing works and appear to have access to inside information, utilizing not just public sources like acquisition announcements in trade publications, but details that are harder to uncover: writers’ email addresses, their relationships with agents and editors, delivery and deadline dates, even details of the manuscripts themselves.
And they are ramping up their operations. According to the Times, the scam began appearing “at least” three years ago, but in the past year “the volume of these emails has exploded in the United States.”
So what’s the endgame? Publishing people are stumped. Manuscripts by high-profile authors have been targeted, but also less obviously commercial works: debut novels by unknowns, short story collections, experimental fiction. The manuscripts don’t wind up on the black market, as far as anyone can tell, and don’t seem to be published online. There have been no ransom demands or other attempts at monetization.
One of the leading theories in the publishing world, which is rife with speculation over the thefts, is that they are the work of someone in the literary scouting community. Scouts arrange for the sale of book rights to international publishers as well as to film and television producers, and what their clients pay for is early access to information — so an unedited manuscript, for example, would have value to them.
I heard about the scam a couple of months ago, from an author who was targeted after their forthcoming book was announced on Publishers Marketplace. What they reported to me tracks with the information above, including the credible approach by what appeared to be the writer’s own editor or agent (complete with authentic-looking email signature), a credible excuse for why they wanted the writer to send the manuscript again, and the altered sending address. The writer did send the ms., and didn’t discover until they talked to their agent that they’d been tricked.
Penguin Random House and Simon & Schuster have sent out warnings, as have agents, one of whom offers this helpful advice:
If you receive an email requesting sensitive information or items (manuscripts, contracts, etc.) to be sent via email, or to follow a link to sign a document, please consider the following steps:
1. Carefully inspect the sender’s email address. Ensure the person’s name is spelled correctly and, most importantly, that the company’s domain name (which is located after the @ symbol in an email address) is spelled correctly.
2. Call the supposed sender to verify that the items/information requested in the email are legitimate.
3. Do not reply to the email. Message headers can look real but have hidden text triggered when “reply” is hit. Instead, start a separate email chain with the sender asking if they did, in fact, request that item/information from you.
4. Carefully look at the email header, which contains detailed information about the email – where it came from, who it was sent to, date, time, subject, etc.
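Steps 1, 3 and 4 can also be checked mechanically. The sketch below is an added example, not part of the agent's advice or the Times reporting: it reads a message's From and Reply-To headers, flags a domain that is a near miss of one you actually correspond with, and flags a Reply-To that points somewhere other than the visible sender. The trusted-domain list, the look-alike letter table, the distance threshold and the sample message are all assumptions made up for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains this recipient really corresponds with.
TRUSTED = {"penguinrandomhouse.com", "simonandschuster.com"}
# Constructed, non-exhaustive letter groups that read alike at a glance.
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Constructed sample: displayed From is genuine, Reply-To is the lookalike.
SAMPLE = ("From: Your Editor <editor@penguinrandomhouse.com>\n"
          "Reply-To: Your Editor <editor@penguinrandornhouse.com>\n"
          "Subject: Latest draft\n\nCould you send the manuscript again?\n")

def skeleton(domain):
    """Collapse look-alike letter groups so 'rn' and 'm' compare equal."""
    for seq, repl in CONFUSABLE:
        domain = domain.replace(seq, repl)
    return domain

def edit_distance(a, b):  # Levenshtein: an inserted letter costs 1, a swapped pair 2
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):  # domain after the @ of a From/Reply-To header, or ''
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None (distance <= 2 is an assumed threshold)."""
    if domain and domain not in TRUSTED:
        for real in sorted(TRUSTED):
            if skeleton(domain) == skeleton(real) or edit_distance(domain, real) <= 2:
                return real
    return None

def check_message(raw):
    """List the warning signs found in one raw message's headers."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if (real := lookalike_of(dom)):
            findings.append(f"{label} domain {dom} imitates {real}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings
```

Calling `check_message(SAMPLE)` returns both warnings for the constructed message. A clean result does not replace step 2: a phone call is still the only check the sender of the email cannot fake.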
To be clear, there’s no connection here with the crude agent and publisher impersonation scams I’ve been writing about for the last year or so. This is a sophisticated scheme by a person or persons familiar with the publishing industry (including its lingo) who understand the ins and outs of acquisition and production and have access to inside information. There’s also no obvious monetary angle, unlike the impersonation scams I’ve previously reported, where the whole point is to screw as many thousands of dollars out of unsuspecting writers as possible.
More reporting at Jezebel.
UPDATE 1/6/22: The book thief (dubbed The Spine Collector) may have been caught. The New York Times reports that the FBI has arrested Italian national Filippo Bernardini, charging him with wire fraud and aggravated identity theft. He was indeed a publishing industry insider: a rights coordinator for Simon & Schuster.
According to the Times, he not only scammed writers and editors, but also a scouting agency, using “impostor login pages that prompted his victims to enter their usernames and passwords, which gave him broad access to the scouting company’s database”.
Mr. Bernardini left few digital crumbs online, omitting his last name on his social media accounts, like Twitter and LinkedIn, where he described an “obsession for the written word and languages.” According to his LinkedIn profile, he obtained his bachelor’s in Chinese language from Università Cattolica in Milan, and later served as the Italian translator for the Chinese comic book author Rao Pingru’s memoir, “Our Story.” He also obtained a master’s degree in publishing from University College London and described his passion as ensuring “books can be read and enjoyed all over the world and in multiple languages.”
The question remains: why? None of the manuscripts Bernardini allegedly stole ended up on the black market, or illicitly appeared in print.
UPDATE 1/6/23: Filippo Bernardini aka The Spine Collector has pleaded guilty to one count of wire fraud (which carries a prison sentence of up to 20 years) and agreed to pay $88,000 in restitution. The Department of Justice’s press release is here.
The release includes interesting details: Bernardini impersonated “hundreds” of editors, agents, scouts, and others; acquired “over 1,000” manuscripts; and to further his scheme, registered “more than 160 internet domains that were crafted to be confusingly similar to the real entities that they were impersonating, including only minor typographical errors that would be difficult for the average recipient to identify during a cursory review.” He also created a webpage impersonating a well-known scouting agency in order to gain access to the agency’s database.
Some courtroom details, plus reactions from victims, here.
As noted in the update above, the question of “why” remains unanswered. We’ll have to wait for the Netflix biopic.