Email Hijacking and Pickup-Point Fraud Surge in 2026 Cargo Theft

How are cargo thieves using email hijacking to steal loads in 2026?

Cargo thieves are breaking into carrier email systems, creating fake addresses inside the carrier's own domain, and bidding on loads as if they were legitimate drivers. The same method is being used to commit double-brokering fraud — intercepting communications between a broker and a real carrier, then inserting a fraudulent carrier into the transaction. Traditional vetting steps miss the scam because the email address looks legitimate and the thief is operating from inside the carrier's own system.

"The level of sophistication right now is increasing, whether [cargo thieves] are trying to have a domain name that looks exactly the same or going a step further and hacking into computers to where they can essentially have a team-viewer level access of what you're doing," said Keith Drotenko, a cargo theft expert quoted in a recent industry analysis. "And then they could go and do things from your computer, as if they're you, and then delete any trace of emails or anything that they did."

The mechanics of the email infiltration scam

Thieves gain access to a carrier's email account — through phishing, credential stuffing, or malware — and monitor incoming load offers. Once inside, they create a new email address within the carrier's domain or use the compromised account directly to respond to brokers. The broker sees an email from what appears to be the verified carrier and tenders the load. The thief picks up the freight with a stolen or rented truck, and the legitimate carrier never knows a load was booked under their name until the broker calls asking why the truck didn't show.

In double-brokering variants, the thief intercepts the rate confirmation between broker and carrier, alters the pickup instructions, and sends a fraudulent carrier to the shipper. The real carrier arrives to find the load already gone. The broker pays the legitimate carrier, and the shipper's freight disappears.

Scott Cornell, a transportation crime analyst, confirmed the trend: thieves are "accessing a carrier's email, intercepting communications, creating their own email address within the carrier's email, and then bidding on loads." The method circumvents traditional carrier vetting because the USDOT number, MC number, and insurance certificate all check out — the thief is impersonating a real, authorized carrier.

Pickup staff are the weakest verification point

Cargo remains most vulnerable at the moment of pickup, where warehouse and dock workers have the highest turnover and the least training on fraud patterns. "The weakest link, though, is still going to be at the point of pickup," Drotenko said. "That's where you have the highest turnover. Those people aren't the ones who are going out to the conferences; they're not the ones learning about the latest trends or what to look for."

Shippers should train pickup staff to verify driver identity against the rate confirmation — checking the driver's CDL, the truck's VIN and plate, and the carrier's MC number on the door decal. A phone call to the broker to confirm the driver's name and truck number before releasing the load adds a layer that email hijacking cannot defeat. When the thief is operating from inside a carrier's email, the rate confirmation will look legitimate — but the driver standing at the dock will not match the name on the carrier's insurance certificate.

Tight freight markets increase risk

The 2026 freight recession has tightened capacity and increased pressure on brokers to move loads quickly. Drotenko warned that economic stress erodes verification discipline: "At the end of the day, when you're between a rock and a hard place in a tight market, you just don't have the luxury of getting to say no to a lot of carriers to find a good one."

Brokers under pressure to cover loads may skip steps — accepting a carrier's email response without a follow-up phone call, or failing to verify the carrier's active authority and contact information against FMCSA records before tendering. Thieves exploit that urgency. A broker who calls the carrier's listed phone number — not the number in the email signature — will catch the impersonation before the load moves.

Thieves monitor industry forums and adapt

Cornell noted that cargo thieves track industry discussions on social media and adjust their methods in real time. "The industry has a habit of posting its solutions on social media," he said. "The intent is good; the intent is 'we want to help each other prevent theft.' The problem is the bad guys keep an eye on us. They watch us, and they know what we do."

When brokers and carriers publicly share the specific verification questions they ask — "We always call the carrier's main line and ask for the driver's cell phone" — thieves prepare answers. Cornell recommended sharing fraud intelligence through private channels — carrier groups, broker associations, law enforcement networks — rather than open forums.

What to verify before releasing a load in 2026

Shippers and brokers should add three checks to their pickup workflow:

1. Call the carrier's FMCSA-listed phone number — not the number in the email — and confirm the driver's name, truck number, and pickup appointment before the driver arrives. If the carrier has no record of the load, the email was compromised.

1. Verify driver identity at the dock. Match the driver's CDL to the name on the rate confirmation. Photograph the truck's VIN, plate, and door decal showing the MC number. A thief using a rented truck will not have the correct MC on the door.

1. Use multi-factor authentication on email accounts. Thieves gain access through stolen passwords. MFA blocks most credential-based intrusions. Carriers should also monitor sent-mail folders for messages they did not send — a sign the account has been compromised.

The sophistication of email-based cargo theft in 2026 means verification must happen at multiple points — broker to carrier, shipper to driver, and carrier to their own email security. A single phone call to the carrier's listed number, before the truck arrives, stops most impersonation scams.