Three years ago on Quora, someone asked what writers do to keep their manuscripts from being stolen. One of the top answers reads as follows:
> You’re joking, right? It’s hard enough to get people to read your novel once it’s out on Amazon, much less reading it before it’s finished…unless you’re George RR Martin, nobody is trying to get your unpublished, unedited manuscript.
That optimistic piece of advice doesn’t really hold true anymore, if it ever did. In a scheme reminiscent of some sort of comic book supervillain, Filippo Bernadini was arrested at JKF International Airport on Wednesday. The reason? He stands accused of allegedly impersonating publishing professionals to obtain unpublished manuscripts. Charges include “wire fraud and aggravated identity theft”. The wire fraud aspect alone carries a potential maximum sentence of 20 years.
From the FBI indictment:
> …an indictment charging FILIPPO BERNARDINI with wire fraud and aggravated identity theft, in connection with a multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.
This particular scheme had been rumbling along since “at least” 2016, and the accused individual worked in the publishing industry.
According to the FBI, multiple fake email accounts were created, impersonating real people in the publishing space. Not only that, but also publishing houses and talent agencies. Alongside this were “more than 160 internet domains”. The domains copied real entities, with deliberate use of slight typos in email addresses to further replicate the genuine article. These are common phishing tactics used by regular phishers, but here we can see it being deployed in a more targeted fashion.
There’s at least one example given of a Pulitzer prize-winning author tricked into sending a forthcoming manuscript to an imitation of a real well-known editor and publisher.
“Hundreds” of distinct people were impersonated in order to obtain manuscripts the phisher had no business accessing.
There’s also mention of gaining access to a New York literary scouting company, via bogus mails to employees and a fake domain for them to log into. Once they logged in, credentials were forwarded on to add another string in the “massive scam” bow.
This was all happening up until or around July 2021. It remains to be seen how the case will pan out for the accused, but it doesn’t sound great for him so far. It seems likely that this in-depth account of authors being contacted by fictitious publishers from August of last year is related to the above. If it isn’t, well, I guess we have two separate fake literary agent saboteurs to contend with.
A lot of the security issues in this story boil down to phishing, and phishing countermeasures. Most of the tips for authors for keeping their manuscripts safe tend to focus on backing up files. While some do mention security compromise, a few of the tips make me a little nervous. With that in mind:
Again, these tips are really for everyone and all kinds of files. They're not specific to budding or even professional writers. However, they can still make full use of them. And you don’t even have to be George R.R. Martin to do it.
The post Sophisticated phishing scheme spent years robbing authors of their unpublished work appeared first on Malwarebytes Labs.