The Federal Bureau of Investigation is publishing this Public Service Announcement (PSA) to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to impersonate legitimate businesses to hijack freight, steal high-value shipments, and reroute deliveries, resulting in a surge of strategic cargo theft. Cyber threat actors target US transportation and logistics sectors, including companies with interests in shipping, receiving, delivering, and insuring cargo. Since at least 2024, cyber threat actors have gained unauthorized access to the computer systems of brokers and carriers — typically via spoofed emails, fake URLs, and compromised carrier accounts. The cyber actors pose as victim companies and post fraudulent listings on load boards1 to deceive shippers, brokers, and carriers into handing over goods, which are redirected from their intended destination and stolen for resale. In 2025, estimated cargo theft losses in the United States and Canada surged to nearly $725 million, (60 percent increase from 2024), while confirmed cargo theft incidents increased by 18 percent. The average value per theft rose 36 percent to $273,990, driven by more selective, high-value targets.
How the Scheme Works
Threat actors2 conducting cyber-enabled strategic cargo thefts use a multi-step process, often as follows:
- Compromise Initial Victim Accounts: Cyber threat actors impersonate and spoof brokers via email, sending links for a carrier broker agreement or to review and address poor service ratings. The links are frequently shortened, spoofed URLs. Once clicked, the targeted user is redirected to a phishing website imitating the legitimate one. The phishing website hosts a malicious executable file, which downloads other legitimate remote monitoring and management software, giving the cyber threat actors total, undetected access to the brokers' or carriers' systems.
- Post Fake Loads Online: Criminal threat actors access trucking load boards, where they impersonate brokers using compromised carrier accounts to post additional fake loads — sometimes in the tens of thousands. Legitimate carriers bid on the fake loads and contact the threat actors, who provide the malicious carrier broker agreement and compromise the carrier's computer systems.
- Bids on Real Loads: Posing as the compromised carrier, criminal threat actors accept shipments and double-broker3 the load to partially unwitting drivers4, providing manipulated bills of lading, and changing the destination of the load. To legitimize their access, criminal threat actors change the legitimate carrier's contact information with the Federal Motor Carrier Safety Administration and update insurance information to permit loads the legitimate carrier previously did not accept. The compromised carrier may not realize they are compromised until brokers contact them about missing loads booked under their authority but without their knowledge.
- Theft of Cargo: Loads are cross-docked5 or transloaded6 to complicit drivers, who redirect the cargo from its intended destination and steal it for resale. Criminal threat actors posing as a carrier sometimes reconnect with the broker to demand a ransom for the location or additional details of the load.
Spotting Indicators of Cyber-enabled Cargo Theft Schemes
- Contact from brokers, dispatchers, or carriers about shipments made in a company's name that were not authorized by the company.
- Emails spoofing legitimate company domains using free email providers (for example dispatch.FBITrucking@[provider].com instead of dispatch@FBITrucking.com).
- Requests to download documents or forms from shortened or spoofed web links.
- Emails claiming negative service reviews with links to "review" or "resolve" complaints; those links can also lead to malicious downloads.
- New or unauthorized mailbox rules (for example, forwarding to external addresses, autodeletion, or hidden folders).
-
Emails from domains or free service providers mimicking legitimate ones through minor changes, such as:
- Extra punctuation (fb-i.gov).
- Different top-level domains (fbi.com, fbi.us).
- Added prefixes or suffixes (thefbi.gov, fbiemail.gov).
- Misspellings (fbii.gov, fdi.gov).
-
Threat actors communicated with brokers and carriers via email and telephone:
- Email addresses are spoofed or altered with the addition of a name of position-related title in front of the legitimate email address.
- Telephones numbers are voice over internet protocol (VOIP), used by applications, or used for short periods of time; some applications have been observed in contact with overseas phone numbers.
Tips to Protect Yourself or Your Business
- Independently verify shipment requests and pickups using secondary methods prior to releasing any loads.
- Implement multi-channel verification to prevent criminal infiltration of legitimate transactions and freight diversion.
- Recognize that familiar names or email addresses alone do not confirm authenticity; validate unexpected communications through a two-factor authentication process.
- Maintain thorough documentation — including photos of drivers, licenses, vehicles, license plates, cab numbers, truck numbers, Department of Transportation and Motor Carrier numbers, and contact and communication details — of all parties. This documentation aids investigative efforts and may help disrupt ongoing strategic cargo theft schemes.
Report It
If you believe you have been the victim of a cyber-enabled strategic cargo theft scheme similar to that described above, in addition to filing police reports for stolen cargo with your local police department, file a complaint with the Internet Crime Complaint Center (IC3) at www.ic3.gov, or by contacting your local FBI Field Office.