Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight

BleepingComputer

Written by Ben Wilkens, director of cybersecurity, NMFTA

Working in cybersecurity, you are well aware of the playbook that ransomware operators use: stolen credentials, established persistence, network recon, pivoting to a high-value target, cash out. These techniques are well documented; we have attack frameworks and kill chains that describe them. What you may not have been exposed to is that same playbook being used to steal freight.

Entire truckloads of goods are re-routed, disappearing from the legitimate logistics ecosystem and reappearing on the black market. Bottled water, eggs, crab legs, energy drinks, Legos, sneakers, pharmaceuticals, pistachios, you name it, it’s been stolen by organized criminals taking the ransomware playbook and applying it to the transportation industry for different purposes.

In 2025, Verisk CargoNet reported approximately $725 million in cargo crime losses across North America. The FBI Internet Crime Complaint Center (IC3) reported roughly 21 billion in cybercrime losses for the same period. While these two numbers are each staggering in their own right, they only represent reported losses.

Too often stolen freight and cyberattacks both go unreported, especially when suffered by private companies on the smaller end of the size spectrum. These two numbers also are increasingly part of the same conversation.

The cargo losses we are seeing in the transportation sector are not the result of movie-style hijackings by armed marauders. They are the result of a successful phishing email that leads to a fraudulent pickup of a load of pharmaceuticals by a truck destined for a criminal warehouse. Industry estimates indicate that the majority of cargo crime in the United States now involves a cyber-enabled component.

For a security community that is used to thinking of stolen goods and cargo crime as a physical security issue, this issue is forcing a paradigm shift. These threat actors are sophisticated. Many of them are in fact international organized crime groups operating from outside the United States.

Their techniques are immediately recognizable to anyone who has been involved in incident response related to traditional cybercrime.

A Familiar Kill Chain

A walkthrough of a typical cyber-enabled cargo crime starts the same way as many other cybercrimes: reconnaissance. Public sources such as United States Department of Transportation (USDOT) numbers, Federal Motor Carrier Safety Administration (FMCSA) registry information, motor carrier (MC) numbers, insurance details and employees are all researched.

Phishing emails go out to members of the operation’s staff in dispatch, or in customer service or accounting; those with access to sensitive information. Credentials are stolen, and email compromise results. Sounds familiar so far.

This is where the two playbooks diverge, and where the attack migrates from the cybersecurity world into the operations space. Instead of using the compromised credentials to pivot into a corporate system and drop a ransomware payload, the attacker uses a compromised email account to listen in on shipment notifications, new load tenders, and bills of lading for shipments underway.

They will then inject themselves into these communications, from this trusted email account, and make subtle changes. A pallet count here, a destination there, sending falsified information to alter a planned route and redirect a legitimate load of freight to a different delivery location; one they control.

Alternatively, they may register a new, fraudulent carrier with the FMCSA using stolen but valid identification details from a legitimate fleet. The attacker then books real loads from real load boards under that false identity. These loads are often picked up by professional truck drivers who have no idea that they are being used as pawns in this crime; they think they are hauling freight for legitimate companies.

Once the load is delivered to the criminal warehouse, it is immediately broken down into other shipments or cross-docked to another truck under more falsified paperwork and laundered directly back into the supply chain. Many of the consumables stolen this way will be sold within hours and consumed within days due to shelf life limits, making the process of investigating these crimes and recovering freight an uphill battle at best.

By the time that the legitimate shipper, broker, or motor carrier figures out what happened, their freight is gone, the fraudulent carrier has disappeared, and they are left holding the bag for what can amount to catastrophic financial liability; a single tractor trailer loaded with pharmaceuticals can carry a price tag in the millions. A single load of pistachios? Hundreds of thousands of dollars. These are not losses that the average small to midsized fleet is equipped to handle.

NMFTA Cybersecurity Conference Tackles Cyber-Enabled Cargo Crime

Join your peers for the NMFTA 2026 Cybersecurity Conference to learn about real-world threat intelligence, research, and practical strategies focused on securing connected freight systems, combating cyber-enabled cargo crime, and strengthening transportation security across the supply chains.


An Industry-Wide Problem

The defensive playbook here is not one that is unfamiliar to most cybersecurity professionals: phishing-resistant multi-factor authentication, out-of-band verification before any critical changes to banking information, routing details or shipping documents, strong vendor management processes, and email security. None of this is novel. Why then is this problem so widespread? Unfortunately, these types of controls are underdeployed in the transportation industry, particularly among the small and midsized fleets that move a massive percentage of the freight in this country.
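The out-of-band verification control named above can be expressed as a hold on the kind of emailed changes described in the kill chain (a destination here, a pallet count there). The following Python sketch is an added example, not code from NMFTA or its framework; the field names, the Verification record and the sample load are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Fields whose change redirects freight or money; names are assumptions for this sketch.
CRITICAL_FIELDS = ("delivery_address", "pallet_count", "carrier_mc", "bank_account")

@dataclass
class Verification:
    """Record of a callback made to confirm a change (hypothetical structure)."""
    channel: str                 # "phone", "portal", "email", ...
    contact_used: str            # number or address the verifier actually contacted
    confirmed_fields: frozenset  # fields the counterparty confirmed

def changed_critical_fields(tender: dict, amendment: dict) -> set:
    """Return the critical fields whose value in the amendment differs from the tender."""
    return {f for f in CRITICAL_FIELDS
            if f in amendment and amendment[f] != tender.get(f)}

def review_amendment(tender, amendment, contacts_on_file, verification=None):
    """Return (decision, reasons) for an email-borne amendment to a load.

    A critical change is held unless it was confirmed over a non-email channel,
    using a contact on file before the amendment arrived, never one it supplied.
    """
    changed = changed_critical_fields(tender, amendment)
    if not changed:
        return "apply", []
    reasons = []
    if verification is None:
        reasons.append("no out-of-band verification recorded")
    else:
        if verification.channel == "email":
            reasons.append("verified over email, the channel that may be compromised")
        if verification.contact_used not in contacts_on_file:
            reasons.append("callback contact is not on file")
        if verification.contact_used in amendment.get("contact_details", ()):
            reasons.append("callback contact was supplied by the amendment")
        missing = changed - verification.confirmed_fields
        if missing:
            reasons.append("unconfirmed fields: " + ", ".join(sorted(missing)))
    return ("hold", reasons) if reasons else ("apply", [])

# Constructed sample data, not taken from any real shipment.
TENDER = {"load_id": "L-1001", "delivery_address": "400 Dock Rd, Reno NV",
          "pallet_count": 22, "carrier_mc": "MC-000000"}
AMENDMENT = {"delivery_address": "17 Unit B, Sparks NV", "pallet_count": 22,
             "contact_details": ["+1-555-0199"]}
ON_FILE = {"+1-555-0100"}

if __name__ == "__main__":
    print(review_amendment(TENDER, AMENDMENT, ON_FILE))
```

The check that matters most is the source of the callback contact: a phone number that arrives in the same message as the change proves nothing when the mailbox itself is compromised.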

A trucking company with only a hundred or two trucks generates as much cyber risk as a much larger professional services firm, but it typically operates on very thin margins and a fraction of the security budget that is found in many other industries. Many of these fleets simply don’t have the headcount or the budget to roll out a sophisticated cybersecurity program. Integrations are put in place for speed and efficiency, and vendors offer new tools that promise operational gains but, when not implemented in a secure environment, leave gaps that the threat actors exploit.

This is why these numbers are where they are today. The attackers have figured out that the transportation sector represents a soft target with high-value, low-risk, perishable and easy-to-launder payouts. They have figured out that the legal and regulatory consequences of stealing cargo are much less severe than those of attacking the financial sector or a hospital.

They have figured out that many fleets don’t report attacks because the reputational damage of being known as “one of those fleets that lost freight” feels like more of an impact than absorbing significant losses in silence.

The result? The same schemes work week after week against fleet after fleet.

Where the Industry is Making Gains

Last year, the National Motor Freight Traffic Association (NMFTA) published a Cybersecurity Cargo Crime Reduction Framework that specifically mapped cybersecurity controls to the cargo crime threat vectors that they can address.

This guidebook is built around six categories that will be familiar to any threat analyst: Organized crime, insider threats and collusion, social engineering and deception, identity theft and fraud, and technical exploitation. The framework is free to download. So is NMFTA’s Road to Resilience series of guidebooks for fleets ranging from individual owner operators to midsized fleets.

These guides adapt traditional cybersecurity standards like NIST CSF, CIS Controls, etc. for an audience that lacks cybersecurity expertise and resources, providing clear, digestible guidance on how to secure a transportation operation.

NMFTA also oversees and manages the Freight Fraud Prevention Hub, a central resource where motor carriers, third-party logistics providers (3PLs), brokers, shippers, and professional truck drivers can find educational materials, resources, and guidebooks on how to prevent freight fraud and cyber-enabled cargo crime.

For security practitioners who operate outside of the transportation sector, there is an invitation worth considering. A critical infrastructure vertical needs your skills. Join your peers from the transportation sector at the NMFTA 2026 Cybersecurity Conference, September 29-October 2 in Long Beach, CA. This is the only event in North America dedicated to cybersecurity in the transportation sector. With both executive and technical content, hands-on experience and tabletop exercises, and topics ranging from cyber-enabled cargo crime to heavy vehicle OT security, there is no other conference like this.

If you are looking for a place to put on your cybersecurity super-hero cape and take up a worthy cause, fighting cyber-enabled cargo crime in the transportation sector may just be where you belong!

Learn more at nmftacyber.com.

Sponsored and written by NMFTA.