Phishing on a Digital Binary Warning Abstract

Sophisticated phishing scheme spent years robbing authors of their unpublished work

Three years ago on Quora, someone asked what writers do to keep their manuscripts from being stolen. One of the top answers reads as follows:

You’re joking, right? It’s hard enough to get people to read your novel once it’s out on Amazon, much less reading it before it’s finished…unless you’re George RR Martin, nobody is trying to get your unpublished, unedited manuscript.

That optimistic piece of advice doesn’t really hold true anymore, if it ever did. In a scheme reminiscent of some sort of comic book supervillain, Filippo Bernadini was arrested at JKF International Airport on Wednesday. The reason? He stands accused of allegedly impersonating publishing professionals to obtain unpublished manuscripts. Charges include “wire fraud and aggravated identity theft”. The wire fraud aspect alone carries a potential maximum sentence of 20 years.

Throwing the book at crime

From the FBI indictment:

…an indictment charging FILIPPO BERNARDINI with wire fraud and aggravated identity theft, in connection with a multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.

This particular scheme had been rumbling along since “at least” 2016, and the accused individual worked in the publishing industry.

According to the FBI, multiple fake email accounts were created, impersonating real people in the publishing space. Not only that, but also publishing houses and talent agencies. Alongside this were “more than 160 internet domains”. The domains copied real entities, with deliberate use of slight typos in email addresses to further replicate the genuine article. These are common phishing tactics used by regular phishers, but here we can see it being deployed in a more targeted fashion.

Nice award. Can I have your next book, please?

There’s at least one example given of a Pulitzer prize-winning author tricked into sending a forthcoming manuscript to an imitation of a real well-known editor and publisher.

“Hundreds” of distinct people were impersonated in order to obtain manuscripts the phisher had no business accessing.

There’s also mention of gaining access to a New York literary scouting company, via bogus mails to employees and a fake domain for them to log into. Once they logged in, credentials were forwarded on to add another string in the “massive scam” bow.

This was all happening up until or around July 2021. It remains to be seen how the case will pan out for the accused, but it doesn’t sound great for him so far. It seems likely that this in-depth account of authors being contacted by fictitious publishers from August of last year is related to the above. If it isn’t, well, I guess we have two separate fake literary agent saboteurs to contend with.

What can writers do to keep their work safe?

A lot of the security issues in this story boil down to phishing, and phishing countermeasures. Most of the tips for authors for keeping their manuscripts safe tend to focus on backing up files. While some do mention security compromise, a few of the tips make me a little nervous. With that in mind:

  • The Nathan Bransford article I’ve linked to above invites that the “technically disinclined” to email themselves a copy of their manuscript, but I’d be wary of emailing documents to myself or others in plain text. I also appreciate that there are some situations where you may be left with “email or nothing”. In those situations, you should make use of a tool which can encrypt your files before you attach them, such as WinZip. Be aware though that some forms of encryption are more secure than others.
  • It also suggests placing documents in cloud storage. This puts a copy of your work in a different geograhpy than you laptop, which is good if there’s a fire, or you’re hit with ransomware, but it also means there’s another place your work can be stolen from. If someone manages to guess your cloud login, and you don’t have 2FA enabled, they have your documents. To prevent this, I suggest you enable two-factor authentication on your cloud accounts, and consider encrypting your files before uploading them.
  • If you really don’t like the idea of leaving documents on your desktop, store them on an external drive. The usual caveats apply: Encrypt, encrypt, encrypt. On the very remote chance someone breaks in and steals it, or more likely, you lose it somewhere, it’ll help keep the files safe from prying eyes.

Again, these tips are really for everyone and all kinds of files. They’re not specific to budding or even professional writers. However, they can still make full use of them. And you don’t even have to be George R.R. Martin to do it.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.