Hijacked journals are still a threat — here’s what publishers can do about them
A long-standing problem that affects publishers and authors alike, journal hijacking can damage reputations and steal article-processing fees
Late last year, Liverpool University Press (LUP), a UK-based publisher, received a concerning e-mail. A prospective author had contacted the editors asking how much it would cost to publish an article in one of its journals, the International Development Planning Review (IDPR).
This raised suspicions among the editors, because the IDPR doesn’t charge any publication fees. The message also contained a link to the IDPR’s website — but the URL was incorrect. When the editors clicked it, they discovered a counterfeit website with the journal’s branding and an e-mail address that they’d never seen before. The journal had been hijacked.
Hijacked journals are a form of cybercrime in which a malicious third party creates a cloned website to impersonate a legitimate publication. The forgery replicates the original journal’s important details, from its title to its archive and international standard serial number, a code that identifies the publication. The purpose of a hijacking is to generate money quickly by charging illegitimate article-processing fees to unsuspecting researchers. Although the hijackers often publish papers that have been submitted to the fraudulent site, these works are not peer-reviewed nor considered legitimate.
A blogpost in April presented the challenges that LUP faced as a result of the hijacking, including the burden placed on its small editorial team. The intention, according to Clare Hooper, director of journals publishing at LUP, is to alert researchers to the “growing problem of copycat journal websites”.
Journal hijacking is not a new phenomenon, but it hasn’t received the same attention as other predatory publishing practices. And yet the impacts are significant: hijacked journals can damage the reputation of publishers, suck up niche journals’ already limited resources, pollute the scientific record and negatively affect scientists’ careers.
Researchers who have been affected by journal hijacking told Nature Index that they hope to raise the alarm and educate others who might be unaware of the practice. They’re also concerned by the lack of urgency from technology companies and scientific databases to respond effectively to reported hijackings.
A difficult problem
Anna Abalkina, an economics researcher at the Free University of Berlin, has been tracking down hijacked journals for the past four years. In collaboration with the media organization Retraction Watch, she helps to maintain a database of hijackings, which now documents more than 250 cases and is growing ever larger. “Every month, a number of legitimate journals are hijacked,” she says.
Some of the earliest cases date back to 20111, but the overall strategy hasn’t changed much: create a decent enough cloned website to dupe researchers into paying exorbitant publication fees. The fake IDPR journal, according to researchers contacted by Nature Index, charged between US$200 and US$2,000 per article.
Another consequence is the influx of submissions received by the legitimate journal. The IDPR’s co-editor, Dan Hammett, a researcher in human geography at the University of Sheffield, UK, says that in early December the journal started to receive an increase in low-quality papers that wouldn’t typically fit its remit. By January, he was seeing “submissions on cricket matches, on dog training, on all sorts of randomness”.
It put a considerable strain on the journal’s sole editorial assistant, who had to sift through the submissions — which took up about 50% of their time, Hammett says.
It’s not clear how researchers were encountering the fake journal. Some scientists told Nature Index they’d found the incorrect listing late last year in Scopus, a widely used academic database. It’s also possible that Google was directing them to it. When Nature Index conducted a search for ‘IDPR journal’ in early May, two of the top five results still pointed to the hijacked website, although the correct website was listed first. Microsoft’s Bing search engine did not include a listing for the fake journal on the first page of results.
LUP attempted to have the illegitimate site removed from the Google search results, writing to the tech giant in February with a request to delist the website. But the publisher wrote in its blog post that Google had “not been particularly helpful” and ignored assertions that LUP owns the journal and all associated copyrights.
On 2 July, LUP posted an update describing how further investigation suggested that the hijacked journal was being used for citation manipulation. It also wrote that Google had agreed to delist the fraudulent site. At the time of writing, it still showed up in two out of the top five search results.
A lack of help
When it comes to hijackings, grappling with fraudulent links seems to be a common struggle. Early last year, the Scandinavian Journal of Information Systems (SJIS) was hijacked. Sune Dueholm Müller, an information scientist at the University of Oslo, was the journal’s editor-in-chief at the time, and discovered that hackers had changed the URL listed on Scopus, sending researchers to the counterfeit website.
Müller says he spent months contacting Scopus, trying to get the URL amended, but did not get a response. This led him to contact the president of Elsevier, the Dutch publisher that runs Scopus, on LinkedIn. But the damage had already been done. “They have managed to publish hundreds of articles in our name,” he says.
Scopus did eventually change the link. Then, he says, a week later, Scopus rewrote its policy on home-page links, removing them from the directory altogether. This was just a month after Abalkina published research showing that at least 67 hijacked journals had links listed on the database since 2013, with 41 still active as of last September2.
A spokesperson for Scopus told Nature Index: “After careful consideration because of concerns that were raised, home-page links were removed from Scopus last year.” In relation to Müller’s claims about a lack of urgency in rectifying the SJIS’s listing, the spokesperson said: “Linking to unauthentic journal websites was already under investigation. Being aware of the escalation by the editor of SJIS, we contacted him prior to the implementation of the change.”
Müller reached out to Google Scholar’s support team last November and December, and says he did not get a response. Fake publications from the hijacked SJIS are still listed on the website at the time of writing. Google and Google Scholar support did not respond to a request for comment. He also escalated the issue with Gmail, which the hijackers used to communicate with scientists, and PayPal, which they used to collect payments — as described in a paper published in October3 — as well as a number of enforcement agencies, but has not heard back.
Müller has spoken to several people who have been affected by his journal’s hijacking and has seen the impact on researchers. He mentions a PhD student at a Thai university who had unknowingly published her work in the hijacked journal. When the administrator of the PhD office contacted Müller to confirm whether the student’s paper had been published, he had to inform them that the hijacked version was not a legitimate publication. As a result, the PhD student could not graduate. “It’s heartbreaking,” Müller says. “I’m 100% certain that these people fell into a trap.”
Hammett is also concerned about early-career researchers, particularly those in low-income countries, who are duped into submitting work to fraudulent journals. “It could have profound implications for hirings, promotions, career development and so on,” he says.
Combating journal hijacking
How can researchers, publishers and editors avoid journal hijacking? The first step, says Abalkina, is for journal publishers and editors to take the time to build a strong and secure website. She references one journal, Seybold Report, which lacked any online presence when it became the target of hijackers on five occasions, she says. The journal has since launched a website. Abalkina also advises contacting Retraction Watch to help keep her hijacked journal database up to date, and encourages researchers to use it as a resource.
Hammett says smaller journals could register different domain names that redirect to a single URL, to make it more difficult for hijackers to register a convincing fake URL, but he acknowledges that this can be costly. He adds that it’s worth ensuring that platforms and databases linking back to journals are updated. One of the problems that the IDPR encountered was that it had not monitored and updated its URL on third-party platforms, which meant that the hijackers registered the fraudulent site undetected.
There are also tools to combat predatory publishing practices that could assist researchers. For instance, the website Think Check Submit provides a checklist to assess journal quality before submitting manuscripts. Integrating the checklist into research workflows could be beneficial.
Müller says communicating openly and transparently after a hijacking also helps to raise awareness. Although Hammett is not convinced that much can be done to prevent hijackings, he says it is important to get on the front foot and adds that addressing a hijacking should not affect a journal’s credibility. “It shouldn’t put people off submitting to the correct journal, but hopefully it will make people think twice about checking where they’re submitting,” he says.
doi: https://doi.org/10.1038/d41586-024-02399-1
Nature Index’s news and supplement content is editorially independent of its publisher, Springer Nature. For more information about Nature Index, see the homepage.
This story originally appeared on: Nature - Author:Jackson Ryan
