Costa Book Awards and RSL targeted by cyber criminals as publishers up security

The Costa Book Awards, the Commonwealth Foundation and The Royal Society of Literature have all been targeted by cyber criminals, it has been revealed, as publishers around the world step up their internet security.

In April, The Bookseller revealed the Rathbones Folio Prize had mistakenly transferred the £30,000 prize money through PayPal to a fraudster posing as the winning author Valeria Luiselli. Various other prizes were also targets of foiled cyber fraud including the Forward Prizes, the Baillie Gifford and the Society of Authors’ Translation Prizes.

Several other prizes have now confirmed they have also been targeted, though have not fallen victim to the scams. One of the industry’s biggest, the Costa Book Awards, which has prize money of up to £30,000, was emailed by scammers several times. “The Costa Book Awards have received phishing emails connected to prize winnings in the past. However, these were quickly identified as hoax emails and deflected,” a spokesperson said.

Cyber hoaxers also hit the Commonwealth Short Story Prize, worth £5,000. “We were targeted in the same way as some others - the winning author was impersonated by scammers on email to request payment of the prize money via PayPal.” Emma D'Costa, senior programme officer at the Commonwealth Foundation told The Bookseller.

The Royal Society of Literature (RSL), which manages the £10,000 Encore Award confirmed an email “which sounds similar in nature to those sent to other literary prize bodies” had also been received by them. Communications manager Annette Brooke said: “We have processes in place to mitigate against phishing scams and it was clear that the email wasn't from our winner.” The RSL informed the winner Patrick McGuinness and no further attempts were made after May last year.

It is understood the increased awareness of scams over the last month has prompted extra vigilance from the Goldsmiths Prize among others.

Publishers are also stepping up their protection to prevent scammers accessing authors’ manuscripts, as happened at the Frankfurt Book Fair in 2018 and intensified in the weeks afterwards with Margaret Atwood's The Testaments (Chatto) targeted in 2019. Penguin Random House UK revealed last month it was recruiting a new permanent role for security awareness and Deborah Haworth, the publisher's director of information security, has now confirmed that a candidate will be appointed by the end of May.

The Bookseller also understands that Penguin Random House US has also seen the frequency and complexity of cyber-attacks increase during the Covid-19 pandemic and plans further expansion in security training and technology. It has invested in several different levels of proactive threat intelligence monitoring to protect its authors and to advise on ongoing scams, providing rapid action where necessary.

Many agencies and publishers are understood to be increasingly relying on password protection when sending manuscripts, among other measures although scammers have attempted to gain passwords through impersonation as recently as in the last few months. Manuscripts by extremely high-profile authors as well as lesser-known literary writers are among those targeted by fraudsters posing as literary agents, scouts and editors with some manuscripts unwittingly submitted.

The increased attempts over the pandemic fits with the broader picture across the UK. The National Cyber Security Centre (NCSC) took down more online scams last year than in the previous three years combined with a 15-fold increase in the number of scams removed from the internet, as hackers reportedly tried to take advantage of the pandemic.

Computer security expert Professor Alan Woodward, of the University of Surrey, said this type of specialised cyber crime is an example of "spear phishing" and likens it to when criminals see a property is for sale, intercept the negotiations and pose as the solicitor in emails to access bank details. “I can imagine the case [in the literary community] is a direct analogue of this scam,” he told The Bookseller. “It all relies on social engineering and particularly when we already trust someone, such as solicitors and the email is close enough to the trusted parties’ normal emails to pass a quick check."

This method echoes many of the attacks made on agents and scouts whose identities have been impersonated. An anonymous literary agent said: “Our email addresses were cloned and used to contact scouts and international publishers requesting new and confidential manuscripts from UK and foreign language writers.”

There is mystery over the missing manuscripts, however, because it is unclear how the phishers benefit as it is not believed the books have been leaked online. Woodward believes it may instead be related to the general threat of extortion. “Intellectual property in general that is stolen in ransomware attacks tends not to be sold off but pushed into the public domain for free access. In the case of manuscripts that would effectively render it valueless. It’s just part of the extortion threat.”

Another literary agent told The Bookseller they believe the scammers may be obtaining unpublished work early for a high bidder who wants early access. There have also been suggestions the scammers could be connected with the film and TV industry or are owners of pirate PDF sites. A literary scout said: “I think it's someone with detailed knowledge about the foreign rights part of publishing—on a pretty experienced scout or co-agent level. They also seem to be part of official email chains, as they tend to copy email signatures, fonts, and all kinds of details that you can only know about if you've seen the person's emails yourself.”

Another agent said: “People find it so frustrating that they can't work this out. It is someone with a great deal of knowledge of how the industry works — knowing about literary scouts, translators, and how something very specific like a rights department operates. Initially when it was confidential commercial manuscripts being targeted, people thought it was film scouts or insiders trying to get manuscripts for their clients. But that doesn't really add up.”

Woodward added: “If I thought it would help I’d also tell people to stop sharing information online that can be used by scammers but so many people are not criminally minded and don’t see the harm. Sadly the criminals are ever vigilant, endlessly inventive and horribly convincing.”

An NCSC spokesperson said that anybody who thinks they have received a scam email should forward this to report@phishing.gov.uk for investigation. Suspicious text messages should be forwarded to 7726. For more information, visit the NCSC's guidance on phishing.