The New York Times has published the story of a strange international phishing scam: unknown actors targeting traditionally-published writers, posing as their agents or editors to obtain copies of their unpublished manuscripts.
Earlier this month, the book industry website Publishers Marketplace announced that Little, Brown would be publishing “Re-Entry,” a novel by James Hannaham about a transgender woman paroled from a men’s prison. The book would be edited by Ben George.
Two days later, Mr. Hannaham got an email from Mr. George, asking him to send the latest draft of his manuscript. The email came to an address on Mr. Hannaham’s website that he rarely uses, so he opened up his usual account, attached the document, typed in Mr. George’s email address and a little note, and hit send.
“Then Ben called me,” Mr. Hannaham said, “to say, ‘That wasn’t me.’”
Mr. Hannaham was just one of countless targets in a mysterious international phishing scam that has been tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts. It isn’t clear who the thief or thieves are, or even how they might profit from the scheme. High-profile authors like Margaret Atwood and Ian McEwan have been targeted, along with celebrities like Ethan Hawke. But short story collections and works by little-known debut writers have been attacked as well, even though they would have no obvious value on the black market.
The phisher, or phishers, employ clever tactics like inserting or transposing letters in official-looking email addresses (like “penguinrandornhouse.com” instead of “penguinrandomhouse.com”) and masking the addresses so they only show when the recipient hits “Reply”. They know how publishing works and appear to have access to inside information, utilizing not just public sources like acquisition announcements in trade publications, but details that are harder to uncover: writers’ email addresses, their relationships with agents and editors, delivery and deadline dates, even details of the manuscripts themselves.
And they are ramping up their operations. According to the Times, the scam began appearing “at least” three years ago, but in the past year “the volume of these emails has exploded in the United States.”
So what’s the endgame? Publishing people are stumped. Manuscripts by high-profile authors have been targeted, but also less obviously commercial works: debut novels by unknowns, short story collections, experimental fiction. The manuscripts don’t wind up on the black market, as far as anyone can tell, and don’t seem to be published online. There have been no ransom demands or other attempts at monetization.
One of the leading theories in the publishing world, which is rife with speculation over the thefts, is that they are the work of someone in the literary scouting community. Scouts arrange for the sale of book rights to international publishers as well as to film and television producers, and what their clients pay for is early access to information — so an unedited manuscript, for example, would have value to them.
I heard about the scam a couple of months ago, from an author who was targeted after their forthcoming book was announced on Publishers Marketplace. What they reported to me tracks with the information above, including the credible approach by what appeared to be the writer’s own editor or agent (complete with authentic-looking email signature), a credible excuse for why they wanted the writer to send the manuscript again, and the altered sending address. The writer did send the ms., and didn’t discover until they talked to their agent that they’d been tricked.
Penguin Random House and Simon & Schuster have sent out warnings, as have agents, one of whom offers this helpful advice:
If you receive an email requesting sensitive information or items (manuscripts, contracts, etc.) to be sent via email, or to follow a link to sign a document, please consider the following steps:
1. Carefully inspect the sender’s email address. Ensure the person’s name is spelled correctly and, most importantly, that the company’s domain name (which is located after the @ symbol in an email address) is spelled correctly.
2. Call the supposed sender to verify that the items/information requested in the email are legitimate.
3. Do not reply to the email. Message headers can look real but have hidden text triggered when “reply” is hit. Instead, start a separate email chain with the sender asking if they did, in fact, request that item/information from you.
4. Carefully look at the email header, which contains detailed information about the email – where it came from, who it was sent to, date, time, subject, etc.
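The checks in steps 1, 3 and 4 can be automated. The following is an added example, not part of the original post or the agent's advice: it parses a raw message, flags From or Reply-To domains that imitate a trusted one (inserted, transposed or look-alike letters), and flags a Reply-To that differs from From. The trusted list, the confusable-letter table and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the recipient really deals with (both appear on this page).
TRUSTED = ("penguinrandomhouse.com", "simonandschuster.com")
# Letter pairs that read as one letter at a glance, e.g. the page's "rn" for "m".
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def skeleton(domain):
    """Collapse confusable sequences so visual lookalikes compare equal."""
    for seq, single in CONFUSABLE:
        domain = domain.replace(seq, single)
    return domain

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent transposition) turning a into b."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None."""
    for good in TRUSTED:
        if domain != good and (skeleton(domain) == skeleton(good)
                               or edit_distance(domain, good) <= 2):
            return good
    return None

def inspect(raw_message):
    """List findings for the From and Reply-To headers of a raw message."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    for name, dom in (("From", sender), ("Reply-To", reply)):
        if dom and lookalike_of(dom):
            findings.append(f"{name} domain {dom} imitates {lookalike_of(dom)}")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings

# Constructed sample: trusted-looking From, lookalike address hidden in Reply-To.
SAMPLE = ("From: Example Editor <editor@penguinrandomhouse.com>\n"
          "Reply-To: editor@penguinrandornhouse.com\n"
          "Subject: Latest draft\n\nPlease send the manuscript again.\n")
```

Calling `inspect(SAMPLE)` returns two findings, both about the Reply-To header. A clean result does not prove the From address is genuine, which is why the advice above still includes calling the supposed sender.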
To be clear, there’s no connection here with the crude agent and publisher impersonation scams I’ve been writing about for the last year or so. This is a sophisticated scheme by a person or persons familiar with the publishing industry (including its lingo) who understands the ins and outs of acquisition and production and has access to inside information. There’s also no obvious monetary angle–unlike the impersonation scams I’ve previously reported, where the whole point is to screw as many thousands of dollars out of unsuspecting writers as possible.
More reporting at Jezebel.
UPDATE 1/6/22: The book thief (dubbed The Spine Collector) may have been caught. The New York Times reports that the FBI has arrested Italian national Filippo Bernardini, charging him with wire fraud and aggravated identity theft. He was indeed a publishing industry insider: a rights coordinator for Simon & Schuster.
According to the Times, he not only scammed writers and editors, but also a scouting agency, using “impostor login pages that prompted his victims to enter their usernames and passwords, which gave him broad access to the scouting company’s database”.
Mr. Bernardini left few digital crumbs online, omitting his last name on his social media accounts, like Twitter and LinkedIn, where he described an “obsession for the written word and languages.” According to his LinkedIn profile, he obtained his bachelor’s in Chinese language from Università Cattolica in Milan, and later served as the Italian translator for the Chinese comic book author Rao Pingru’s memoir, “Our Story.” He also obtained a master’s degree in publishing from University College London and described his passion as ensuring “books can be read and enjoyed all over the world and in multiple languages.”
The question remains: why? None of the manuscripts Bernardini allegedly stole ended up on the black market, or illicitly appeared in print.
The DOJ’s announcement of the arrest is here. The indictment is here.
UPDATE 1/6/23: Filippo Bernardini aka The Spine Collector has pleaded guilty to one count of wire fraud (which carries a prison sentence of up to 20 years) and agreed to pay $88,000 in restitution. The Department of Justice’s press release is here.
The release includes interesting details: Bernardini impersonated “hundreds” of editors, agents, scouts, and others; acquired “over 1,000” manuscripts; and to further his scheme, registered “more than 160 internet domains that were crafted to be confusingly similar to the real entities that they were impersonating, including only minor typographical errors that would be difficult for the average recipient to identify during a cursory review.” He also created a webpage impersonating a well-known scouting agency in order to gain access to the agency’s database.
Some courtroom details, plus reactions from victims, here.
As noted in the update above, the question of “why” remains unanswered. We’ll have to wait for the Netflix biopic.
You might want to check https://inspiriumconsultancy.com/
The company is owned by a certain Mike Ramsey AKA Mike Gornz from the Phils. In Asia, we got scammed and were told that John Sacchi is interested in our book and he is an executive in Lions Gate. He made a Skype call through us pretending to be John Sacchi. We paid $12,000.
Part of being an author is paranoia. Your imagination works and so, tells you all that's possible and therefore, you take measures to prevent it. Authors should, when possible, own their own domain. Further, keep rigorous records regarding origination/content of your works, should there be a dispute.
Lastly, when looking for an agent, look up their record/email address/contact info online and double-check it before initiating contact. It's a simple thing to call a publishing house and simply ask if a particular agent still works for them, then verify the email addy. Use a public email to contact agents, BUT, give them a private email to reply to you. Always communicate with them from that private email once a dialogue is established.
Your email to the public (your fans, critics, and on your blog, social media) should be different from the email used for your agent and that too, should be different from the email used for banking, etc.
This will alert you — and them — should an impersonator attempt fraud using your identity. Prevention is always easier and better, than cure.
Timely reminder – thanks. I had sent a few emails to various publishers who have responded using the title, however a few days ago I received an email and checked the e-address which seemed legit, but something was still niggling. In a generic worded email it just referred to 'your book' instead of its title.
In the past I have googled for the sender's website and if it is a genuine site I have sent a message via the Contact page – sometimes the return email to the Contact message I have received is genuine so I reply as normal; but there have been occasions when I have got a "not us" response so I block as spam the sender of the original email.
Received an email similar to this a few months ago, regarding a graphic novel of mine published a short time before by UK publisher. Because the sender's address was misspelled, it came into my spam folder and I didn't see it for a while. I quickly deleted it and blocked the sender. I didn't realize it was a "thing".
How deep is this "Swamp" in the publishing world with these "Things" that creep and crawl in and out of this polluted "Swamp"? What a corrupt world we live in. I find it hard to trust, that is why I have not published other books I had finished several years ago. I have written to people in high places about these professional Swampy Crooks, only to receive deafening silence about injustices in our publishing world. Who do you turn to in this uncaring world about these Swamp sharks? Thank God for People Victoria of Writer Beware.
Thank you for this informative article! It is a mystery, but I had one of my unfinished fanfics stolen in its entirety and reposted, with the thief even putting a "copyright" on it (dated years after I'd first posted it on ff.net) so I guess I shouldn't be surprised by anything anymore.
I just heard about this yesterday. It's a great mystery and I want to know how it turns out. But I feel for those writers. That's an awful kind of theft.
I remember hearing about "books" that seemed to be generated by bots and taking whole sections of separate novels and pieces of fiction, and smashing them together.
Perhaps they're trying to refine these 'bots'?