by the SFWA Safety Committee
Listen, so there’s this prince in Nigeria who really needs—
Hey, wait, where are you going???
I’m joking, of course. If there’s one scam we all know, it’s the classic Nigerian Prince swindle, a modern iteration of the even more classic Spanish Prisoner scam that dates back to the 19th century. Well, I say we all know, but as recently as 2019, the scam was still raking in over $700,000 a year. And according to a number of information security companies, the flexibility of this particular gambit has helped it thrive within the growing use of “generative AI” software such as ChatGPT.
But the Nigerian Prince is one of countless scams. Many InfoSec companies report that hoax or “phishing” scams are the most common type of cyber crime, taking many forms—including that of book publishers, agents, and publicists. Writer Beware is an incredible resource for learning some of the latest scams targeting writers (particularly predatory agencies and publishers), but we must also equip ourselves with some basic knowledge. Forbes reports that “…in 2022, there were 300,497 phishing victims with a total loss of $52,089,159 in the U.S. alone.” That is a 61% increase from the previous year. And those are only the reported incidents. One pernicious aspect of scams is that some victims are so ashamed of being fooled, they choose not to report.
How do phishing scams work?
A phishing scam poses as a trusted source to fool a user into handing over either sensitive information or control of their device. This could be an email that looks like it came from Amazon, a text message from a supposed delivery company, or a pop-up on a web browser urging you to download “the latest update” so you don’t get hacked (a download that actually opens a backdoor for hackers).
How can I spot a phishing scam?
These scams get more prolific and convincing all the time (thanks, AI), but there are a few things you can watch out for:
Trust nothing you didn’t ask for
Companies like Apple, Google, and Amazon are never going to email or call you out of the blue and ask for sensitive information like your credit card number, password, or social security number. If someone approaches you unprompted, it’s suspect.
Familiarity is NOT Security
Websites get hacked all the time. If you go to your favorite book blog site and something pops up claiming that your browser is out of date, don’t click on that. If you’re worried your browser is actually out of date, instead go directly to the software update center (app store, etc.) on your computer or device to check. Don’t just assume that your beloved fan site is as safe today as it seemed yesterday. This is how things like “botnets” spread from one person to the next: the hacker ends up commanding a veritable army of unwitting accomplices, then uses them to perform a Denial of Service attack, in which your computer becomes one of the bots used to take down a much bigger fish than you.
Don’t believe what you read
Here, check out this Federal Trade Commission article at ftc.gov/phishing to learn more about phishing—HA! Just kidding! If you clicked on that link, you’d actually be taken to the SFWA Safety page instead, where you’d immediately be put in danger of learning more about safety!!!
A hyperlink can be made to look like anything. If you’re on a computer, you can hover your cursor over the link without clicking on it, and most applications will show you what the link actually points to. If you’re on a touch screen like a phone, it’s best just to leave it alone, especially if you’re not certain of the source.
And that brings me to another thing you shouldn’t believe. Email addresses and phone numbers can both be spoofed. Just because an email says it comes from Amazon doesn’t mean it actually does. If something is unexpected or suspicious, some email services might flag it. Some might not. If you’re not sure, nearly all email services have a drop-down option to “show original” or “view header,” and that is where you can always see the true email address. If you see an email from “Penguin Random House,” you may look at the original/header and somewhere in the text you see something like:
The website “random-penguin.us” is not the real publisher’s address, as a quick search will tell you. Now you know for certain that, alas, an editor at PRH is not actually contacting you out of the blue, offering to pay you a million dollars for your manuscript (provided you pay a “small submission fee,” of course).
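As an added illustration of the two checks described above (hovering to see where a link really points, and opening the raw message to see the true sender address), here is a small Python script that does both automatically. It is not part of the original article and not an SFWA tool. The sample email is constructed for this example, reusing the look-alike domain “random-penguin.us” from the text; the expected publisher domain “penguinrandomhouse.com” is an assumption standing in for whatever address you have verified directly.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email).
# The "From" display name says Penguin Random House, but the actual
# address uses the look-alike domain from the article.
RAW_MESSAGE = """\
From: "Penguin Random House" <editor@random-penguin.us>
To: you@example.com
Subject: We would like to acquire your manuscript
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your details at
<a href="http://random-penguin.us/login">https://www.penguinrandomhouse.com/account</a>
and review our <a href="https://www.penguinrandomhouse.com/">official site</a>.</p>
</body></html>
"""


def host_of(url):
    """Return the lower-cased host of a URL; bare text like
    'www.example.com/path' gets a scheme added so urlparse can read it.
    A leading 'www.' is dropped so www.example.com and example.com match."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """Crude test for link text that is shown as an address (has a dot, no spaces)."""
    return "." in text and " " not in text


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, real target) for links whose displayed address
    points somewhere other than what the text claims."""
    parser = LinkCollector()
    parser.feed(html)
    return [
        (text, href)
        for href, text in parser.links
        if looks_like_url(text) and host_of(text) != host_of(href)
    ]


def inspect_message(raw, expected_domain):
    """Parse a raw message and report the true sender and any deceptive links.
    expected_domain is the domain you have verified for the sender (assumed here)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(msg["From"])
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {
        "display_name": display_name,
        "actual_address": address,
        "sender_domain_ok": domain == expected_domain
        or domain.endswith("." + expected_domain),
        "mismatched_links": mismatched_links(html),
    }


if __name__ == "__main__":
    report = inspect_message(RAW_MESSAGE, "penguinrandomhouse.com")
    print(f'Displayed as: {report["display_name"]}')
    print(f'Really from:  {report["actual_address"]}')
    print(f'Sender domain matches expected: {report["sender_domain_ok"]}')
    for shown, real in report["mismatched_links"]:
        print(f"Link shows {shown} but goes to {real}")
```

Running the script prints the display name beside the real address and flags the first link, whose text reads as the publisher’s site while its target is the look-alike domain; the second link is left alone because its text (“official site”) is not presented as an address.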
Generally speaking, if something seems too good to be true, it probably is.
Seriously, update your device
I cannot tell you how many people ignore that red number on their settings app. “Well, I don’t need all the latest features,” my beloved family members insist. Fine, but you do need the many security patches they put out whenever a new vulnerability has been discovered. Many phishing scams prey upon devices that haven’t been updated in a timely fashion.
What do I do if I’ve been hooked?
First, don’t beat yourself up! As I said before, the perpetrators get better all the time. I worked for an InfoSec company for years and, more than once, even I have nearly gotten tricked! Phishing scams use social engineering tactics to prey upon our fears and distraction.
After you’ve kindly forgiven yourself, change your passwords for everything, and monitor everything, including your credit cards. For extra peace of mind, if you can afford to, you may want to pay for a credit monitoring service for six months or so.
Lastly, consider reporting the fraud to ReportFraud.ftc.gov (that’s a real FTC link, btw). It may be embarrassing, but it may also protect others from the same fate.
The SFWA Safety Committee maintains the Safety Resources on SFWA’s website at www.sfwa.org/safety. These resources contain useful information for creators maintaining an online presence and touch on safety considerations for in-person events for both attendees and event planners. We are here to help individuals and organizations navigate the speculative fiction publication industry with increased consideration for safety.