The global rash of phishing targeted towards the publishing industry is continuing after the Frankfurt Book Fair, with at least one targeted company calling on the New York attorney general to mount an investigation, The Bookseller has learned.
Literary scouts Jane Southern and Erin Edmison revealed that they had professional contacts who had been tricked into submitting manuscripts, after receiving the scam emails, known in the cyber trade as “spear phishing”. Bonnier Rights has also issued a warning to contacts after receiving three fake emails in three weeks.
The news follows previous reports in The Bookseller during the Frankfurt Book Fair featuring instances of fraudsters targeting Penguin Random House offices in the US and UK, Pan Macmillan and other companies, and impersonating industry figures such as scout Catherine Eccles of Eccles Fisher Associates. The Bookseller understands that literary agencies in the UK have also been targeted, among them Rogers, Coleridge and White (RCW).
Southern, based in Bedford in the UK, said she had been left feeling “upset and angry” by the repeated attempts to impersonate her and access manuscripts from across the world. “Being a one-man-band, it is hard when something like this happens,” she said.
She shared the fraudulent emails with The Bookseller, which included statements such as "I heard about this title on submission in the US. Don't think I received it, as I'm a UK literary scout but I would like to see it for my clients. Can you please share the manuscript?" She tracked the domain to the US, to the internet domain registrar GoDaddy, the same company apparently used by the scammer impersonating Edmison.
Southern told The Bookseller: “The first one happened in March this year, just before the London Book Fair. There have been around 10 approaches since then, but these are only the ones which have been brought to my attention - there will have been many more."
Edmison, of Edmison/Harper Literary Scouting in the US, revealed she was recently notified of three separate frauds in her name in one day alone, in a similar situation to Southern and Eccles, which saw her email address changed by a few letters, from ‘Edmison’ to ‘Edrnison’.
"This has happened to other people in past years and I think particularly around book fairs and then seemed to go away,” Edmison told The Bookseller from her office in New York. “This September it started happening to me a lot. I thought that this would end after Frankfurt, but just today I heard from three people who had received emails from ‘me’, asking for manuscripts, and none of them were really me. When I was at FBF, I heard from a number of agents [that someone was phishing my account] and then someone said ‘I was so interested you wanted to see that manuscript I have in Farsi’… and I said, ‘That wasn’t me’.”
A rights director at a literary agency, who wishes to remain anonymous, agreed the situation had worsened. "I’ve experienced the phishing firsthand over the years, but this year was particularly intense," the agent said. "On one day I received three phishing emails requesting material for a new deal that had not yet been publicly announced. I knew enough to ask around and figure out that they were fakes. Two of the emails were from ‘scouts’, and one from a ‘publisher’. I’m sure it’s not an easy situation for anyone whose email is being used falsely."
RCW's m.d. Peter Straus told The Bookseller that the agency had been targeted by cyber criminals posing as agency employees. "This is the pattern, yes, they impersonate a member of staff’s email address to attempt to get manuscripts," he said. "We understand this is happening with others too."
Bonnier Rights’ head of agency Elisabet Brännström has also grown concerned by the rate of phishing emails she has received. “We had the phishing emails from three directions all at once in office over the course of two weeks - to me personally they came from two UK scouts but there were also emails from a US scout we believe - requesting the same manuscript each time.”
There is no evidence of who is behind the scams, with unsubstantiated speculation that it could be individuals in the world of film or TV production, or e-book piracy websites.
Edmison said: “Some people believed it’s connected with e-book piracy, this seems to make the most sense but it also seems so strange, how much money can there be in e-book piracy? Some think it is someone in the film industry… I stopped believing that when [the scammer] asked a rights director for a manuscript in Hungarian. No film person wants to read a manuscript in Hungarian...The person has asked for literary manuscripts as well as a small, US debut and YA books, pretending to be me."
Edmison is concerned at how the emails, purporting to be from her, often target the most senior people in companies. “Someone even emailed Jonathan Galassi [president and publisher of Farrar, Straus and Giroux] as me, asking for a manuscript, which was mortifying. He didn't send it.”
What is concerning many of the people involved is how the scammer/s appear to have inside knowledge of the trade, including which manuscripts are doing the rounds. “The most disturbing thing is that it is someone with knowledge of the industry," Edmison said. "They know who my contacts are. They also know things, such as how I abbreviate a name of a contact of mine to ‘MP’. They could have learned these things from hacking into my inbox but this seems unlikely; anyone with the sophistication to hack into Gmail wouldn't need to run a scam like this (plus, they'd have all the manuscripts they need from my inbox). There are some things they know that feel like either someone is feeding them information or they have somehow seen my messages.”
Similarly, Brännström believes the cyber attacks came from someone who attended FBF. “I don’t have a theory who it could be, more than that I noticed that the emails we got during the Frankfurt book fair were sent from a mobile phone (the previous ones were from a desktop as they had the correct email signatures and fonts) so I’m guessing it was someone who was at the fair," she said. "What I don’t understand is why the person didn’t feel they could just request the material through the regular channels – if they’re in the industry, I’m sure we would have been happy to share the manuscript.”
Southern said: “It seems to be someone with knowledge of the industry, but their approach is scatter-gun: for example the Monday after Frankfurt they contacted a Swedish agency four times in that one day, requesting the same title. Another scout was tricked into submitting material, thinking it was me, and only realised their mistake when we met face-to-face.”
The scammer has contacted organisations internationally pretending to be Edmison, including contacts based in Sweden, Holland, Italy and Spain as well as the UK and America.
The industry also runs the risk of high fines under new EU data rules. The unwitting disclosure of a manuscript through this scam could constitute the "unauthorised disclosure of the personal data of the author or any other person identified in the book”, which could lead to financial penalties of 20 000 000 EUR or 4% of total worldwide annual turnover under the new GDPR rules around data protection and privacy, according to law firm Harbottle & Lewis.
Organisations in the UK which suffer data breaches in this way should also report under the GDPR rules to the Information Commissioner's Office within 72 hours, the law firm said, unless the breach is unlikely to “result in a risk to the rights and freedoms of the affected individuals”. Where there is a high risk of this happening, the publisher or agency must also notify the authors themselves.
Cyber security expert Professor Alan Woodward from the University of Surrey told The Bookseller: “Phishing is still rife but much has turned to so-called spear phishing. This is where attacks are much more targeted.
“Phishing as a whole is thankfully on the wane as many of the better brands have now embraced technology that prevents their email addresses from being spoofed… However, the scammers are a crafty bunch. They often use domain names that are just ever so slightly different from the real domain names.”
He offered the following advice for companies targeted by cyber criminals: “As a sender employ anti-spoofing technology such as SPF [Sender Policy Framework] or DKIM [DomainKeys Identified Mail]. As a recipient, practice your ABC: Assume nothing, Believe nothing, Check everything. And there is a D: if in doubt Delete it. It sounds slightly paranoid but sadly email is simply not secure enough even today for you not to practice ABC.”
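A recipient-side check for the look-alike addresses described above, such as the ‘Edmison’ to ‘Edrnison’ swap, is sketched below. This is an added example, not from the article or anyone quoted in it; the contact list, the `.example` domains and the function names are constructed for illustration.

```python
# Added example: flag sender addresses that imitate a known contact.
# The addresses are constructed; only the "m" -> "rn" swap comes from the article.
KNOWN_CONTACTS = {"edmison@scouting.example", "southern@scouts.example"}

# Character sequences that read like another letter, folded to that letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(address):
    """Lower-case the address and fold look-alike sequences together."""
    s = address.strip().lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(sender, known=KNOWN_CONTACTS, max_distance=2):
    """Return (verdict, imitated_contact) for a sender address."""
    addr = sender.strip().lower()
    if addr in known:
        return ("known", addr)
    for contact in sorted(known):
        # Same skeleton but a different string: a visual imitation.
        if skeleton(addr) == skeleton(contact):
            return ("lookalike", contact)
        # One or two typos away from a real contact is also suspicious.
        if edit_distance(addr, contact) <= max_distance:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    for s in ["edrnison@scouting.example", "agent@publisher.example"]:
        print(s, classify(s))
```

A "known" verdict only means the string matches; whether the message really came from that domain still depends on the SPF and DKIM results Woodward mentions.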
The Bookseller understands that the situation in America has intensified to such an extent that at least one representative in the publishing industry, who wishes to remain anonymous, has approached the New York attorney general’s office urging an investigation.
In the UK, however, the Publishers Association and the Society of Authors said that the issue had not been raised by their members, and president of the Association of Authors' Agents Lizzie Kremer said that no one had mentioned the issue to her but that “we are all aware and being cautious”.
Following the internal staff newsletter circulated in PRH US on 11th October, the company has filters in place and its teams are regularly working to block phishing emails from the system.
The Bookseller has also contacted various publishers for comment, as well as GoDaddy and the Attorney General of New York Office.