[A shorter version of this article was originally published – without illustrations – on the Anti-Phishing Working Group’s eCrime blog.]
Phishing attacks targeting academia aren’t the most high-profile of attacks, though they’re more common than you might think. Student populations in themselves constitute a sizeable pool of potential victims for money mule recruitment and other job scams, in fact anything that promises an easy supplemental income, unfeasibly cheap or free trendy gadgetry, and so on. But I’m talking about attacks against the institutions, rather than their ‘customers’: for example, targeted social engineering attacks as a means of accessing intellectual property. Some academic research has appreciable monetary value in its own right, and much of it is developed in partnership with and funded by businesses with a direct interest in monetizing it: that makes it of interest to people with an interest in getting in first.
What I’m describing here isn’t exactly phishing though, and in fact it’s not (always) unequivocal fraud: rather, it’s somewhere on the border between fraud and legitimate publishing.
While I’m often accused of an academic authorial style, and trail a couple of quasi-academic honorifics in my signature – I’m a Senior Research Fellow at ESET and a Fellow of what used to be called the British Computing Society (I hope you’re impressed!) – I’m not a regular denizen of the ivory halls of academia, but even I’ve become aware of a journal paper submission scam for which even a quasi-academic is apparently a suitable target. At any rate, I recently received a minor blizzard of emails offering me the opportunity to submit a paper to one of over 50 open access, peer-reviewed online journals, and to join them as an editorial board member or reviewer, all of them signed by ‘Will Smith’. I hadn’t realized how versatile that man really is: actor, rapper, academic publisher…
As it happens, people do ask me to write, edit or review for them from time to time, but they’re usually rather more precise about which site or publication they want me to contribute to, rather than letting me choose from a variety of publications in disciplines of which I have no experience whatever. They’re also usually aware of the areas where I can claim to have some experience and expertise. So, for instance, any mail that arrives addressed to Dr. Harley is either archived straightaway in /dev/null or retained somewhere in case I want to entertain my readers at some point with some suitably caustic commentary.
And many of them don’t expect to pay me for my efforts. Which, as it happens, is often fine: people who write blogs and papers that are published by a security company often also write on behalf of the same company for reputable third parties like the Anti-Phishing Working Group and (ISC)2, local press, specialist security magazines such as Infosecurity Magazine, and so on. It can work well for everyone: the third party gets a wider spread of expertise than if it only used in-house staff, especially if the writer is already established. And the security company and the author get a wider audience and are seen as a force in the knowledge-sharing research community, not just a marketing operation with an undistinguished product. And if the author isn’t being paid by the site or periodical – though sometimes he is, of course – that’s OK, because the company he works for considers the coverage it gets justifies its paying for his time.
However, it didn’t take much time and research to realize that in this case it was my money that was (primarily) wanted, rather than my unpaid time, let alone my expertise or my reputation, such as they are. After all, Mr. Smith doesn’t seem to know what my field of expertise actually is. And it turns out that if you want to be an editor or reviewer, you first have to submit a paper. And to have that paper accepted incurs a processing charge. The cost of processing (copyedit, proofreading, and publication on acceptance) is up to $500. (But with a very substantial discount if I submit before an arbitrary deadline – a little research shows that the deadline is constantly moved, like those furniture stores that always have a sale on, so you never have to pay the full prices they quote.) It turns out that some similar organizations charge 3-4 times that much, though again they often offer impressive discounts.
Welcome to the seamier side of Open Access. Not that OA is in itself fraudulent. In principle, it provides unrestricted access to scholarly, peer-reviewed journal articles. Instead of the reader paying for access (for example, by paying a yearly subscription fee or for individual articles), the business model is largely reliant on the cost of publishing being borne by the author (or the institution he or she works for).
OA is actually quite a complex and varied model, but for many academics, publications constitute an essential performance metric, a numbers game that boosts their claim to tenure and gives them an advantage in the job market. For academic departments, publications are often an argument for increasing their budget. Research information is both a core product and a marketing asset, so it can work very well, though the experience of some academic institutions suggests that it can be a very expensive way of publishing, over time. On the other hand, while there are certainly big name publishers that pay nothing for articles that subsequently appear in high-priced scientific periodicals or as single for-fee articles on a web site (to be fair, periodicals that have a limited audience may well have to be pretty expensive in order to recoup the production costs), the kudos may justify the cost of generating the article. In some cases, the publisher may allow a free (pre-proofing/formatting) version of the article to be made available. In one OA model, on the other hand, the generation of a professionally proofed and formatted article for your institutional repository is pretty much what you’re paying for.
Hertford Bridge (Bridge of Sighs), New College Lane, Oxford
So far so good. There’s nothing intrinsically dishonest about OA. But there are journals whose review process is less rigorous than you’d expect – and I won’t even mention the security publisher whose editorial staff have stopped spamming me with requests for articles since it published a nonsensical article (not mine!) apparently intended to reveal how lax its reviewing is. What may be more surprising is how many journals flying the Open Access banner have little or no content, or cheerfully include articles from disciplines different to the one indicated by the journal title, or include names on editorial and review boards of people who have never agreed to participate, or whose credentials are seriously misrepresented. Clearly some of that behaviour is in some degree fraudulent or at least dishonest. (And this isn’t a criticism of OA, as such – the history of publishing in general is littered with fakes and publishing scams, but that doesn’t invalidate the whole publishing industry.)
That said, I guess it’s not a scam if you get what you want out of it: if the vanity-press-like model of buying your bibliography by the yard the way some people buy books for their study attracts you as a way of padding your résumé, you may consider it worth the money. But if you obtain and maintain your position or your budget by buying credibility at the expense of those who earn theirs, isn’t an academic employer being cheated, and the academic community as a whole being short-changed? Personally, I don’t see this as much different to buying an academic or vocational qualification over the Internet rather than going through the educational process that we expect the holder of such a qualification to have undergone.
David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow
Photographs courtesy of Small Blue-Green World.
Author David Harley, ESET