
To guard against identity theft, academic publishers have been using institutional email addresses to verify authors and reviewers are who they say they are. Now, however, findings appearing in a preprint last month on arXiv.org suggest bad actors have found a way to breach this defense – and are routinely doing so.
From a pool of thousands of reviewer profiles set up as part of AI conferences in 2024 and 2025, staff at the nonprofit OpenReview, a platform connecting authors with reviewers, found 94 profiles involving fake identities. In all but two cases, the impostors had used “round-trip-verified” email addresses belonging to the domains of “reputed” universities, the authors write. (The remaining two used “.edu” domains of defunct institutions.)
Impersonating someone else using an institutional email address “adds another layer of challenge in the detection” of bad actors, said first author Nihar B. Shah of Carnegie Mellon University in Pittsburgh, who also sits on OpenReview’s board.
Shah told us a presenter at the International Congress on Peer Review and Scientific Publication earlier this month had encouraged greater reliance on institutional emails to help combat paper mills. The new findings suggest “that is not entirely foolproof and so we should try to use multiple different ways together for identity verification.”
Fraudsters already try to impersonate reviewers to make sure articles they or their accomplices wrote get favorable reviews. Other forms of identity theft are also a growing threat to academia. Researchers may find their names on papers they never wrote, or entire journals may be hijacked, swindling authors into paying for useless publications.
To create a fake institutional email, fraudsters rely on institutions allowing members and visitors to create email aliases, according to the preprint.
“The dishonest researcher gained access to an email of a trusted institution, and created email alias(es) resembling someone else at that institution. Alternatively, the dishonest researcher may ask a co-conspirator at another institution to create such an alias,” the authors write.
Once an email address was secured, the impostor then signed up to review using the other person’s identity, they add.
Embedded in the review system, “the dishonest researcher under this fraudulent identity attempts to get assigned to review papers authored by their true identity. This can sometimes be accomplished by expressing interest in reviewing the paper during bidding. This may alternatively be accomplished by increasing their perceived suitability as a reviewer for the paper by carefully tuning the false reviewer profile or some text in their own paper.”
Some impostors created multiple fake reviewer profiles, the authors note, or teamed “up with another dishonest researcher to favorably review their co-conspirators’ work in exchange for some quid-pro-quo.”
Nobody knows how common identity theft is in academia. Among thousands of legitimate reviewers, the 94 fake profiles are “a relatively small number,” said Andrew McCallum of the University of Massachusetts Amherst, an author of the preprint and the creator of OpenReview. “But of course, even one case is very concerning.”
In a joint interview, Hylke Koers, chief information officer of the International Association of Scientific, Technical, & Medical Publishers, or STM, and his colleague Richard Northover, product manager for identity and access at STM, welcomed the new findings from OpenReview.
“They’re very specific about some of the scenarios through which institutional email addresses can still be used for fraudulent purposes,” Koers told us. “I think there’s a call to action for publishers there, but also for research institutes and other parts of the research community to all step up and be much more vigilant about these kinds of scenarios.”
As we wrote in May in a Q&A with Koers, new guidance from the trade organization “suggests identifying ‘good’ and ‘bad’ actors based on what validated information they can provide, using passport validation when all else fails, and creating a common language in publishing circles to address authorship.”
Northover, who also worked on the recommendations, emphasized the need to make individual risk assessments and not be “so restrictive that you would exclude many legitimate scholars from participating.”
“You don’t go from … nothing to everybody needing to provide their retina scan and fingerprints,” he told us. “One example of something that you can use instead of, or as well as, institutional email addresses, would be ORCID with trust markers,” independently verified information such as institutional affiliation and publication record.
Shah and McCallum said they believe identity theft is happening across different academic fields, with certain ways of picking referees – asking authors for suggestions or relying on open calls, for instance – being particularly ripe for abuse.
Based on his experience with AI conferences, Shah said he estimates about one in 200 reviewer profiles could be fake. Given that reviewers and authors are increasingly being paired using artificial intelligence, he added, developers “should make sure that the AI is far more robust to any kind of gaming.”
As to the 94 fake profiles in OpenReview’s system, they “were all blocked before they could do any real damage,” Shah told us.