Security | Feb 26, 2026 | 9 min read | Akmal Paiziev

How Carriers Prevent Identity Theft and Freight Fraud

Your MC number is public, your authority is forgeable, and brokers cannot always tell the difference. Here is how carriers lock down their identity.

Your operating authority is the most valuable thing you own, and it sits in a public database anyone can read. Your MC number, your DOT number, your legal name, your insurance status: all of it is queryable on the FMCSA SAFER site by anyone with a browser. That is by design, and it is also the root of the fastest-growing theft problem in trucking. A criminal does not need to steal your truck to steal your freight. They only need to convince a broker that they are you.

This is the shape of modern freight fraud, and it is getting worse fast. CargoNet recorded $725 million in cargo theft across the industry in 2025, up roughly 60% year over year, spread across 2,646 reported incidents that averaged $273,990 per event. The biggest driver of that jump is not guys with bolt cutters in a truck stop parking lot. It is strategic theft and double-brokering: paperwork crimes where someone wearing your identity books a load, picks it up, and vanishes. This post is about the attack surface that exposes you to that, and the concrete things you can do to shrink it.

How carrier identity theft actually works

Start with what a fraudster is trying to accomplish. They want to book a real load from a real broker, take possession of real freight, and convert it to cash before anyone notices. To do that, they need to look like a carrier in good standing at the moment of booking. The cheapest way to get there is to borrow yours.

The raw material is free. Your MC and DOT numbers, your authority status, your insurance on file, the cities you run: a fraudster pulls all of it from SAFER in thirty seconds. From there they spin up a lookalike: an email address one character off from your real domain, a phone number with a voicemail greeting that uses your company name, a certificate of insurance lightly edited to match. They register on a load board or reply to a posted load presenting as you. A broker runs your MC, sees a clean, established carrier, and books it. The freight goes to a pickup, gets reconsigned to a different address, and disappears. You find out weeks later when the broker calls asking where their shipment is, or when a debt collector calls about a load you never hauled.

The reason this works is that the broker's verification step is shallow by default. Running an MC number confirms the authority exists and is active. It does not confirm that the person in the inbox actually controls that authority. That gap, between "this MC is real" and "this is the real holder of this MC," is the entire game. Everything you do to defend yourself is about closing that gap before a load gets booked under your name.

Where your identity leaks

Identity theft is not one attack. It is a cluster of related ones, and they share entry points. Knowing where the leaks are tells you where to put the locks.

The first surface is your public authority record itself. You cannot hide your MC number, but you can monitor it. The second is your email and domain: if a fraudster controls a domain that looks like yours, or worse, gets into your actual inbox through a phished password, they can negotiate as you in your own voice. The third is double-brokering, where a party who may have legitimate broker authority takes your load and re-posts it to an unvetted carrier without telling anyone, leaving you holding liability you never agreed to. The fourth is your money pipeline: factoring and quick-pay relationships, where a fraudster who intercepts your invoices or impersonates your back office can redirect a payment that was rightfully yours.

Here is how the common threats map to the defenses that actually move the needle:

| Threat | What the criminal does | Your defense |
| --- | --- | --- |
| MC/authority impersonation | Books loads using your public MC and a lookalike email | Monitor your MC/DOT for activity you did not initiate; verify the broker back |
| Email/domain spoofing | Sends rate cons from a domain one letter off from yours | SPF, DKIM, and DMARC on your domain; train staff to check sender addresses |
| Inbox takeover | Phishes a password, then negotiates as you from your real account | 2FA everywhere; unique passwords; watch for inbox rules you did not create |
| Double-brokering | Re-posts your booked load to an unvetted carrier | Confirm who you are actually contracted with; refuse loads that smell re-brokered |
| Factoring/payment fraud | Redirects your invoice payment to their account | Lock down factoring contacts; confirm any banking change by phone to a known number |

None of these defenses is exotic. They are hygiene. The carriers who get hit are almost never the ones who did everything right and got unlucky; they are the ones who left a door open because nobody owned the job of checking it.

Lock down email first

Almost every identity-theft scheme runs through email at some point. The rate confirmation, the load offer, the "updated remittance instructions," the back-and-forth that closes a booking: it all moves through an inbox. If a criminal owns or convincingly fakes that channel, they own the negotiation. So the highest-leverage thing a small carrier can do is treat email like the load-bearing system it is.

Two-factor authentication on your email account is non-negotiable, and the same goes for your domain registrar, your load board logins, and your factoring portal. A stolen password is worthless to an attacker who cannot also pass the second factor. Beyond 2FA, get your domain's email authentication configured: SPF, DKIM, and DMARC are the three records that let receiving servers tell a real message from your domain apart from a forgery. Most carriers have never touched these, which is exactly why spoofing their domain is easy. Setting them up is a one-time job, usually an hour with whoever manages your DNS.
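To make the SPF and DMARC part concrete, here is an added example (not code from Numeo or from the original post) that audits the text of an SPF and a DMARC record and reports the settings that leave a domain easy to spoof. The record values, `example.com`, and `mailhost.example` are constructed placeholders; DKIM is left out because checking it needs your provider's selector and key.

```python
# Added example: offline audit of SPF and DMARC TXT record strings.
# Every record below is constructed; example.com is a placeholder domain.

def audit_spf(record):
    """Return a list of findings for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    rest = [t.lower() for t in terms[1:]]
    all_terms = [t for t in rest if t.lstrip("+-~?") == "all"]
    has_redirect = any(t.startswith("redirect=") for t in rest)
    if not all_terms and not has_redirect:
        findings.append("no 'all' term: unlisted servers get a neutral result")
    elif all_terms and all_terms[-1] in ("all", "+all"):
        findings.append("+all: every server on the internet passes SPF")
    elif all_terms and all_terms[-1] == "?all":
        findings.append("?all: unlisted servers get a neutral result")
    return findings

def audit_dmarc(record):
    """Return a list of findings for one DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'}: receivers take no action on failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports on who sends as your domain")
    return findings

SAMPLES = {  # constructed records: a common weak setup next to a tightened one
    "weak": ("v=spf1 include:_spf.mailhost.example ?all", "v=DMARC1; p=none"),
    "tight": ("v=spf1 include:_spf.mailhost.example -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
}

def audit_all(samples=SAMPLES):
    """Audit each sample pair and return {name: [findings]}."""
    return {n: audit_spf(spf) + audit_dmarc(dmarc) for n, (spf, dmarc) in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "no findings")
```

Paste in the TXT values your DNS host shows for your domain and for `_dmarc.` under it; an empty list means none of these particular weaknesses were found.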

Then there is the human layer, which is where most breaches actually start. Phishing is still the number one way criminals get a foothold, because it is cheaper to trick a dispatcher into typing their password into a fake login page than to break anything technical. Make a habit, across everyone who touches the inbox, of checking the actual sender address rather than the display name, of being suspicious of any message that creates urgency around money or banking, and of never clicking a login link in an email when you can navigate to the site directly. If a broker's "updated payment instructions" arrive by email, confirm them by calling a number you already had on file, not the one in the message. That single phone call kills most payment-redirection fraud outright.
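The sender-address habit described above, and the "one character off" lookalike domain from earlier in the post, can also be checked mechanically. This is an added example, not part of the original post or of any Numeo product; the domains, names, and the two-edit threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed sample: domains you already have on file (your own, your broker's,
# your factoring company's). ".example" is a reserved placeholder TLD.
TRUSTED_DOMAINS = {"acmefreight.example"}

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a From: header by its real address, not its display name."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return "unparseable"
    domain = address.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    # A domain within a couple of edits of a known one is the "one character off" case.
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    # The display name carries a known company label but the address does not.
    shown = "".join(ch for ch in display.lower() if ch.isalnum())
    if any(good.split(".")[0] in shown for good in trusted):
        return "display-name-mismatch"
    return "unknown"

SAMPLE_HEADERS = [  # constructed From: headers
    "Acme Freight <dispatch@acmefreight.example>",
    "Acme Freight <dispatch@acmefreiqht.example>",
    '"Acme Freight Dispatch" <loads4u@mailbox.example>',
    "Jane <jane@brokerco.example>",
]

def classify_all(headers=SAMPLE_HEADERS):
    """Return (header, verdict) pairs for a batch of From: headers."""
    return [(h, classify_sender(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in classify_all():
        print(f"{verdict:22} {header}")
```

A "trusted" verdict only means the domain text matches; a forged message using the exact domain is what SPF, DKIM, and DMARC are there to catch.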

Verify the broker before you verify the load

Carriers spend a lot of energy proving themselves to brokers and almost none checking the broker back. Flip that. Before you commit a truck, you want three things to line up: the broker's identity, their authority, and their reputation for actually paying. The fraudsters live in the gap where carriers skip this because the rate looks good and the clock is ticking.

Start with the rate itself, because it is your earliest warning. If a posted rate is meaningfully above market for the lane, treat it as a red flag, not a win. Strategic fraud routinely baits carriers with rates that are too good precisely because a generous number gets people to skip their checks. Anchor your instinct in real economics: ATRI put the marginal cost of operating a truck at roughly $2.26 per mile in 2024, and broker margins run around 13.5% on average per DAT. A rate that implies the broker is making nothing, or losing money, to move your truck is not generosity. It is bait. When something is priced to override your judgment, that is the moment to slow down.

Then verify the counterparty. Confirm the broker's MC and that their authority is active and bonded. Cross-check the contact details against what is on file rather than trusting what is in the email signature. Be alert for the tells of double-brokering: vague or shifting pickup details, a rate con whose names do not match who you have been talking to, reluctance to put the actual shipper or consignee in writing, pressure to dispatch immediately. If the deal feels like it is being rushed past your normal checks, that pressure is the product. This is also where an AI dispatch layer earns its keep: a tool like Numeo Spot runs these verification signals inline at booking time, surfacing a sketchy broker, a re-brokered load, or an off-market rate in the same screen where you are deciding, so the check happens automatically instead of depending on whether a tired dispatcher remembered to run it at 11pm.

Protect your authority and your money pipeline

The last two surfaces are the ones carriers think about least and lose the most on: your authority record and your factoring relationship. Both are slow-burn targets, which is exactly why they get neglected until something goes wrong.

Monitor your own MC and DOT the way you would watch a bank account. Check your SAFER record periodically for changes you did not make, and pay attention to any sign that someone is operating under your numbers: brokers calling about loads you never booked, collections notices for freight you never touched, or a sudden change to your registered contact info. The FMCSA treats using another carrier's USDOT number without authorization as a criminal act, and if you suspect your identity has been used, you want to report it immediately to FMCSA, your insurer, and any load board or broker involved, before the fraud compounds. Speed matters here. The faster you flag it, the less gets booked under your name.

Your factoring and payment relationships deserve the same paranoia you apply to email, because they are where stolen identity turns into stolen cash. Keep a tight, verified list of who at your factoring company can change banking details, and insist that any change to remittance information be confirmed by a phone call to a number you already trust. A fraudster's endgame is usually a redirected payment; a verbal confirmation on a known line is a cheap, boring control that defeats it. If you run quick-pay through brokers, the same rule applies: a new set of payment instructions arriving out of band is guilty until proven innocent.

Make verification the default

Carrier identity theft is winning right now because the defenses are unglamorous and nobody owns them. Your MC is public and will stay public; that is fixed. What you control is everything downstream: 2FA and email authentication so your inbox cannot be hijacked or spoofed, a habit of verifying the broker and the rate before the load, active monitoring of your own authority, and locked-down factoring contacts so a stolen identity cannot become a stolen payment. None of it is expensive. It is mostly attention, applied consistently, at the moment a load gets booked.

That last part is the hard part, because the moment a load gets booked is also the moment everyone is busiest and most willing to skip a step. Pushing the verification into the workflow itself, so the fraud signals show up automatically while you are deciding, is how good carriers make security the default instead of a thing they remember to do. Run your booking through a layer like Numeo Spot and the check happens whether or not anyone was paying attention. That is the difference between hoping you do not get hit and knowing you checked.

Frequently asked questions

  • Vet brokers before booking (factoring/payment status), watch for spoofed emails and altered rate cons, secure your domain and email, and limit who can act on your accounts.

  • Spot shows broker factoring/safety status inline and supports a broker blacklist, while AI document checks compare BOL/POD against the rate con to catch mismatches before invoicing.

  • Yes — SOC 2 Type II and ISO 27001 (via Nylas), OAuth 2.0 for email (no stored passwords), and TLS encryption, with email access limited to load/broker messages and never resold.