The New York Times has published the story of a strange international phishing scam: unknown actors targeting traditionally-published writers, posing as their agents or editors to obtain copies of their unpublished manuscripts.

Earlier this month, the book industry website Publishers Marketplace announced that Little, Brown would be publishing “Re-Entry,” a novel by James Hannaham about a transgender woman paroled from a men’s prison. The book would be edited by Ben George.

Two days later, Mr. Hannaham got an email from Mr. George, asking him to send the latest draft of his manuscript. The email came to an address on Mr. Hannaham’s website that he rarely uses, so he opened up his usual account, attached the document, typed in Mr. George’s email address and a little note, and hit send.

“Then Ben called me,” Mr. Hannaham said, “to say, ‘That wasn’t me.’”

Mr. Hannaham was just one of countless targets in a mysterious international phishing scam that has been tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts. It isn’t clear who the thief or thieves are, or even how they might profit from the scheme. High-profile authors like Margaret Atwood and Ian McEwan have been targeted, along with celebrities like Ethan Hawke. But short story collections and works by little-known debut writers have been attacked as well, even though they would have no obvious value on the black market.

The phisher, or phishers, employ clever tactics like inserting or transposing letters in official-looking email addresses (like "penguinrandornhouse.com" instead of "penguinrandomhouse.com") and masking the addresses so they only show when the recipient hits "Reply". They know how publishing works and appear to have access to inside information, utilizing not just public sources like acquisition announcements in trade publications, but details that are harder to uncover: writers' email addresses, their relationships with agents and editors, delivery and deadline dates, even details of the manuscripts themselves. 

And they are ramping up their operations. According to the Times, the scam began appearing "at least" three years ago, but in the past year "the volume of these emails has exploded in the United States."

So what's the endgame? Publishing people are stumped. Manuscripts by high-profile authors have been targeted, but also less obviously commercial works: debut novels by unknowns, short story collections, experimental fiction. The manuscripts don't wind up on the black market, as far as anyone can tell, and don't seem to be published online. There have been no ransom demands or other attempts at monetization. 

One of the leading theories in the publishing world, which is rife with speculation over the thefts, is that they are the work of someone in the literary scouting community. Scouts arrange for the sale of book rights to international publishers as well as to film and television producers, and what their clients pay for is early access to information — so an unedited manuscript, for example, would have value to them.

I heard about the scam a couple of months ago, from an author who was targeted after their forthcoming book was announced on Publishers Marketplace. What they reported to me tracks with the information above, including the credible approach by what appeared to be the writer's own editor or agent (complete with authentic-looking email signature), a credible excuse for why they wanted the writer to send the manuscript again, and the altered sending address. The writer did send the ms., and didn't discover until they talked to their agent that they'd been tricked.

Penguin Random House and Simon & Schuster have sent out warnings, as have agents, one of whom offers this helpful advice:

If you receive an email requesting sensitive information or items (manuscripts, contracts, etc.) to be sent via email, or to follow a link to sign a document, please consider the following steps:

1. Carefully inspect the sender’s email address. Ensure the person’s name is spelled correctly and, most importantly, that the company’s domain name (which is located after the @ symbol in an email address) is spelled correctly.

2. Call the supposed sender to verify that the items/information requested in the email are legitimate.

3. Do not reply to the email. Message headers can look real but have hidden text triggered when “reply” is hit. Instead, start a separate email chain with the sender asking if they did, in fact, request that item/information from you.

4. Carefully look at the email header, which contains detailed information about the email – where it came from, who it was sent to, date, time, subject, etc.

To be clear, there's no connection here with the crude agent and publisher impersonation scams I've been writing about for the last year or so. This is a sophisticated scheme by a person or persons familiar with the publishing industry (including its lingo) who understands the ins and outs of acquisition and production and has access to inside information. There's also no obvious monetary angle--unlike the impersonation scams I've previously reported, where the whole point is to screw as many thousands of dollars out of unsuspecting writers as possible.

More reporting at Jezebel.