Working in cybersecurity, you know the playbook ransomware operators use: stolen credentials, established persistence, network recon, pivot to a high-value target, cash out. What most security teams have not internalized yet is that the same playbook is now being used to steal freight — and the transportation sector is losing badly.
Entire truckloads of goods are being re-routed, vanishing from the legitimate logistics ecosystem and reappearing on the black market. Bottled water, eggs, crab legs, energy drinks, Legos, sneakers, pharmaceuticals, pistachios — all of it has been stolen by organized criminals applying the ransomware playbook to a different vertical.
The Numbers
In 2025, Verisk CargoNet reported roughly $725 million in cargo crime losses across North America. The FBI's Internet Crime Complaint Center (IC3) logged roughly $21 billion in cybercrime losses in the same period. Both numbers are reported losses only — meaning both substantially understate reality. Private companies on the small end of the spectrum routinely absorb losses in silence rather than disclose breaches.
Industry estimates indicate that the majority of cargo crime in the United States now involves a cyber-enabled component.
A Familiar Kill Chain
A typical cyber-enabled cargo crime opens with reconnaissance. Public sources — USDOT numbers, FMCSA registry data, MC numbers, insurance details, employee directories — are all researched.
Phishing emails go out to dispatch staff, customer service reps, accounting personnel — anyone with access to sensitive shipment data. Credentials are stolen. Email accounts are compromised. This is exactly the front half of any commodity ransomware operation.
This is where the playbook diverges. Instead of pivoting into a corporate system to drop a ransomware payload, the attacker uses the compromised mailbox to listen — shipment notifications, new load tenders, bills of lading for shipments underway.
Then they inject themselves into ongoing communications from the trusted email account and make subtle changes: a pallet count here, a destination there, falsified routing information that redirects a legitimate load to a delivery location they control.
The Fraudulent Carrier Variant
In a second variant, the attacker registers a new, fraudulent carrier with FMCSA using stolen but valid identification details from a legitimate fleet. They book real loads from real load boards under that false identity. The pickup is performed by a professional driver who has no idea they are being used; they believe they are hauling for a legitimate broker.
Once delivered to the criminal warehouse, the load is broken down into smaller shipments or cross-docked under more falsified paperwork and laundered back into the supply chain. Consumables are sold within hours and consumed within days, making recovery effectively impossible.
By the time the legitimate shipper, broker, or motor carrier realizes what happened, the freight is gone, the fraudulent carrier has disappeared, and someone is holding the bag for catastrophic financial liability. A single trailer of pharmaceuticals can run into the millions. A trailer of pistachios — hundreds of thousands. These are not losses the average mid-sized fleet is equipped to absorb.
Why The Industry Keeps Losing
The defensive playbook is not novel. Phishing-resistant MFA, out-of-band verification before any change to banking, routing, or shipping documents, real vendor management, hardened email security. None of this is new.
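As an added illustration (not from the original article or from NMFTA material), the out-of-band rule can be enforced in software: an emailed change to a load is held unless staff confirmed it by calling the number already on file. Field names, the record layout and all sample values are assumptions constructed for this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Fields that need out-of-band confirmation before they change (assumed names,
# standing in for the routing, banking and shipping-document details above).
SENSITIVE = {"destination", "pallet_count", "carrier_mc", "bank_account"}

@dataclass
class ChangeRequest:
    load_id: str
    sender: str                         # mailbox the request arrived from
    changes: dict                       # field -> requested new value
    callback_phone: str = ""            # number offered inside the message
    verified_via: Optional[str] = None  # number staff actually called, if any

def review(record: dict, phone_on_file: str, req: ChangeRequest) -> dict:
    """Decide whether an emailed change may be applied to the load record."""
    changed = {f: v for f, v in req.changes.items() if record.get(f) != v}
    sensitive = sorted(f for f in changed if f in SENSITIVE)
    reasons = []
    if sensitive:
        # The sender address is deliberately ignored: a compromised mailbox
        # sends from the genuine, trusted address.
        if req.verified_via is None:
            reasons.append("no out-of-band confirmation")
        elif req.verified_via != phone_on_file:
            reasons.append("confirmed via a number not on file")
        if req.callback_phone and req.callback_phone != phone_on_file:
            reasons.append("message supplies a new callback number")
    return {"decision": "hold" if reasons else "apply",
            "sensitive": sensitive, "reasons": reasons}

# Constructed sample data (not real loads, companies or phone numbers).
RECORD = {"load_id": "L-1001", "destination": "Dock 4, Warehouse A",
          "pallet_count": 22, "notes": ""}
PHONE_ON_FILE = "+1-555-0100"
REROUTE = ChangeRequest("L-1001", "dispatch@shipper.example",
                        {"destination": "Unit 9, Warehouse Z"},
                        callback_phone="+1-555-0199")
CONFIRMED = ChangeRequest("L-1001", "dispatch@shipper.example",
                          {"destination": "Dock 7, Warehouse A"},
                          verified_via="+1-555-0100")
NOTE_ONLY = ChangeRequest("L-1001", "dispatch@shipper.example",
                          {"notes": "call on arrival"})

if __name__ == "__main__":
    for req in (REROUTE, CONFIRMED, NOTE_ONLY):
        print(req.changes, "->", review(RECORD, PHONE_ON_FILE, req))
```

The decision never depends on the sender address, so a request sent from a genuinely compromised mailbox is treated the same as one from a spoofed address.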
So why is the problem widespread? The controls are under-deployed in the transportation industry, particularly among the small and midsized fleets that move a massive share of U.S. freight.
A trucking company with 100 to 200 trucks generates as much cyber risk as a much larger professional-services firm, but it typically operates on much thinner margins and a fraction of the security budget. Integrations get put in place for operational speed; vendors offer tools that promise efficiency gains; security gaps go unaddressed.
Attackers have figured out that transportation is a soft target with high-value, low-risk, perishable, easy-to-launder payouts. They have also figured out that the legal and regulatory consequences of stealing cargo are far less severe than attacking a hospital or a bank, and that most fleets won't even report incidents.
Where The Industry Is Making Gains
The National Motor Freight Traffic Association (NMFTA) has published a Cybersecurity Cargo Crime Reduction Framework that explicitly maps cybersecurity controls to the cargo crime threat vectors they address. The guidebook is free. So is NMFTA's Road to Resilience series, which adapts NIST CSF and CIS Controls for fleet operators that do not have a CISO on staff.
NMFTA also manages the Freight Fraud Prevention Hub, a central resource for motor carriers, 3PLs, brokers, shippers, and drivers.
The Ask For Security Practitioners
If you operate outside transportation, this is a critical-infrastructure vertical that needs your skill set. Cyber-enabled cargo crime is a discipline-blending problem: threat intelligence, identity, vendor risk, fraud, and physical operations all in one stack. The fleets that fix it first will pull market share from the ones that don't.




