Carrier Impersonation: How Fraud Groups Acquire MC Numbers

Every fictitious pickup begins with the same prerequisite: a motor carrier identity that passes the broker's vetting tools. In 2026, that identity is still anchored to an MC number — even after FMCSA's October 2025 phase-out, the underlying authority lives on under a USDOT number, and brokers' workflows, load-board listings, and TMS records still revolve around the legacy MC identifier ^[1].

The authority is the keystone. Without it, the impersonation toolkit — burner phones, spoofed emails, fake BOLs, leased warehouse space — has nothing to attach to. An underground economy has formed around supplying authorities that look real because, in most cases, they are.

This piece reconstructs the five methods organized fraud groups are using to acquire operational MC numbers in 2026, drawing on the FBI's April 2026 IC3 advisory, FMCSA's registration overhaul, the TIA's 2025 State of Fraud report, and field reporting from FreightWaves, FleetOwner, Trucking Info, and Overdrive. Each method has a different price, timeline, and risk profile — but all end in the same place: a broker's vetting screen showing a green check.

The market for valid authorities

FreightWaves' investigation into the underground MC market quoted asking prices from $20,000 up to $30,000 for a "seasoned" number with broker history attached ^[2]. Overdrive put the same figure at roughly $30,000 — a DOT identity, on the black market, is worth the price of a used Class 8 sleeper ^[3].

FreightWaves separately reported a 135% spike in questionable MC ownership-change filings in June 2025 — the fingerprint of acquisition fraud at scale ^[2]. Overhaul's Q1 2026 brief attributes the resulting deceptive-pickup surge, up 31% year-over-year, to this acquisition pipeline ^[4].

Method 1: Dormant authority reactivation

The cleanest method is buying a real operating authority from a defunct or near-defunct small carrier. The seller is usually a one- or two-truck operator who has stopped running freight — health issue, retirement, bankruptcy — but whose paperwork is still alive: BOC-3 process agent on file, no out-of-service orders, no recent crash record.

The fraud group buys the legal entity, not just the number. FreightWaves describes the bundle: phone number, email, business bank account, and a copy of the previous owner's CDL, allowing the buyer to operate undetected for weeks ^[2]. WTW's risk analysis confirms crime rings are buying MC numbers or dormant carriers to establish "legitimate-looking" freight businesses that act as fronts for theft ^[5].

Why this method dominates: the authority passes every standard vetting check. Highway, Carrier411, RMIS, FreightGuard — all see a real DOT number with real prior insurance filings, real inspections, and aging history that looks like a carrier that has been around for years ^[6]. The only red flags are a recent address change and insurance refresh, both below most brokers' thresholds when the number is otherwise clean.

• Typical cost: $20,000 to $30,000 in cash or cryptocurrency for a clean, broker-onboarded authority ^[2][3].
• Time to operational: One to three weeks, mostly insurance binder and address paperwork.
• Useful life before detection: Four to eight weeks of active load-running before broker complaints and FMCSA flags catch up.

FMCSA's March 13, 2026 bulletin reaffirmed that USDOT numbers are non-transferable and that unauthorized transfers trigger deactivation ^[7]. The structural problem: the agency has to detect the transfer first, and when the buyer keeps the seller's EIN, address, and bank account, there is nothing on the surface to detect.

Method 2: New authority filings using fabricated or stolen identities

The second-most common method is building a new authority from scratch using a synthetic or stolen identity. This is the textbook "chameleon carrier" pattern — a fraud group files a fresh FMCSA application under a fabricated officer name, a leased UPS Store address, and an EIN obtained through identity theft, then runs the authority hard for the 30 to 60 days before a detection signature develops ^[8].

The 2023-2025 version of FMCSA's Unified Registration System made this easier than it should have been. Investigations found registrants listing virtual addresses or P.O. boxes as their official place of business, alongside cases where a dozen carriers shared the same physical address or IP address — patterns a database query could have surfaced, but that no one was running ^[9].

FMCSA's response is the Motus registration platform, rolling out to all regulated entities through Q2 2026. Motus sits on an IDEMIA-backed identity-proofing layer that requires applicants to verify a government ID with a live facial scan — the same rail TSA uses for Known Traveler enrollment ^[10][11]. The premise is that a fabricated officer cannot produce a matching face and a matching ID.

That premise has limits. Stolen-identity filings — where the fraud group uses a real victim's real ID, with their real face, and merely lies about the business behind it — defeat the proofing layer because every document and biometric is genuine. The victim usually doesn't find out until a wage-garnishment notice or an FMCSA audit letter arrives months later.

• Typical cost: $300 federal filing fee plus $1,500-$3,000 in process-agent, insurance, and identity-document acquisition costs.
• Time to operational: Eight to twelve weeks under Motus, versus three to six weeks under the legacy URS workflow.
• Useful life before detection: Short — typically 30 to 60 days before broker complaints or FMCSA pattern-flags trigger review.

Method 3: Compromising legitimate small carriers via phishing

The fastest path to a working authority isn't buying one — it's stealing the credentials of someone who already has one. The FBI's April 30, 2026 IC3 Public Service Announcement laid out the methodology in unusual detail: threat actors impersonate brokers via email, sending links for a fake carrier-broker agreement or a "review your service ratings" prompt, with spoofed URLs that redirect to a phishing page imitating a broker portal ^[12]. The page hosts a malicious executable that silently installs legitimate remote-management software, giving the attackers total, undetected access to the carrier's email and dispatch systems.

From there the carrier's identity is operational instantly. The attackers don't need to change the MC's registered contact info. They read inbound rate confirmations, accept loads the way the legitimate carrier would, and re-broker each load to an unwitting third carrier with a manipulated BOL and changed destination. The legitimate carrier discovers the breach when accounts payable shows phantom loads, or when an angry broker calls about a missing delivery.

FleetOwner's investigation documented that thieves are creating their own email addresses inside the carrier's email infrastructure — a subdomain or alias the owner doesn't notice, which the attackers use to bid on loads without touching the primary inbox ^[13]. Cloudflare's Cloudforce One research separately documented an active phishing campaign targeting the carrier population, using freight-themed bait and credential-harvesting kits sold on dark-web markets ^[14].

• Typical cost: $200-$2,000 for a phishing kit, hosting, and target list, depending on tier.
• Time to operational: Hours from initial credential capture to first fraudulent bid.
• Useful life before detection: Days to weeks; ends when the legitimate carrier discovers compromised email or a broker dispute escalates.

This method is corrosive in a way the others aren't: it generates reputational damage, broker chargebacks, and insurance disputes for the legitimate carrier that they didn't cause and often cannot quickly disprove.

Method 4: Gray-market authority brokers

Between the black market and the FMCSA registration system sits a layer of intermediaries who specialize in moving authorities under cover of legitimate business transactions. Some advertise openly — FreightWaves and Overdrive documented MC numbers listed for sale on Facebook Marketplace and Reddit, with dedicated websites facilitating transactions ^[2][3]. Others operate as registered "compliance" or "authority transfer" consultants, structuring sales as stock transactions of the underlying corporate entity so the registration moves with the legal entity.

The stock-sale workaround is what FMCSA cannot close without rule change. Operating authority is a property of a legal entity; when that entity is sold as a going concern, the authority moves with it. That's how legitimate acquisitions work, and FMCSA has no statutory basis to distinguish a real acquisition from a synthetic one engineered to move the authority. Overdrive notes the agency will "consider whether violations exist" when receiving reports of dormant-registration sales — but "consider whether" is the operative phrase ^[15].

Gray-market brokers serve two functions. First, they pre-screen sellers — ensuring no out-of-service orders, no active disputes, and a clean recent inspection history. Second, they handle the paperwork choreography — bill of sale, FMCSA notification, insurance assignment — well enough that the transfer looks legitimate to anyone reviewing the filing later.

• Typical cost: $25,000-$45,000 all-in, including the underlying authority plus the broker's facilitation fee.
• Time to operational: Two to four weeks; the broker absorbs most of the friction.
• Useful life before detection: Longest of any method — months, sometimes over a year, because the paperwork trail is structured to survive scrutiny.

Method 5: Identity-document fraud at the FMCSA filing stage

The fifth method targets the FMCSA filing process itself, defeating the new identity-proofing layer by presenting fabricated or modified documents that the system accepts. This is the method most directly threatened by Motus, and the one whose effectiveness will be the leading indicator of whether the new system is working.

FMCSA partnered with IDEMIA in April 2025 to perform identity-document capture and verification using facial recognition and document scanning at registration ^[10][11]. IDEMIA is the same identity-proofing rail used by TSA and a number of state DMVs, and it materially raises the bar on document fraud. Generative-AI-driven forgery can produce convincing static images of driver's licenses and passports, but those images fail the liveness, document-tilt motion, and facial-match checks IDEMIA layers on top.

What it doesn't defeat: a real ID in a real hand. The TIA's April 2025 State of Fraud report found 22% of broker respondents reported losses exceeding $200,000 in the previous six months and noted the persistent gap between registration-stage safeguards and actual fraud at the dock ^[16]. Identity-proofing at filing prevents synthetic identities. It does not prevent a fraud group from recruiting a real individual willing to file under their own name for a few thousand dollars, then walk away once the authority is active.

• Typical cost: $2,000-$5,000 to recruit a "front" filer, plus standard registration costs.
• Time to operational: Eight to twelve weeks under Motus.
• Useful life before detection: 60 to 120 days, until insurance or audit-trail patterns flag the entity.

Identity-proofing at filing closes the synthetic-identity loophole. It does nothing about a real person willing to put their face on a fraudulent application — and that recruitment problem is at most a thousand-dollar problem for an organized group.

What the FMCSA response actually changes

FMCSA's two-track response — eliminating MC numbers as separate identifiers and rolling out Motus with IDEMIA-backed identity verification — is the most aggressive structural intervention in carrier registration in decades. The October 2025 MC retirement consolidates fleet identity under USDOT numbers, narrowing the attack surface ^[1]. Motus, scheduled for full rollout in Q2 2026, layers identity proofing onto every new application and eventually every existing registrant ^[11].

Carrier-side reaction has been mixed. Trucking Info argues the new rules give legitimate carriers a way to "stand out" amid the fraud noise by passing identity checks that synthetic operators cannot ^[17]. TIA, which has spent two years pushing FMCSA on these vulnerabilities, has been more measured: the safeguards address the registration stage, but the fraud is increasingly happening downstream, at the broker handoff and the dock-side pickup ^[16].

The structural reason this is hard to fully fix is straightforward. FMCSA's authority is over registration, not over what happens to that registration once it's in legitimate hands. A real carrier can sell their legal entity. A real person can file and then transfer operational control. A real broker can be phished. None of these defeat the registration system; they bypass it. The hard cases — laundered stock sales, recruited front filers, phished legitimate carriers — will persist regardless of how strong the proofing layer becomes.

FMCSA has signaled it will respond with database-side analytics: pattern-flagging on rapid ownership transfers, anomalous insurance refreshes, and shared address or IP footprints across recent filings. Whether those signals turn into enforcement depends on agency resourcing, and the trucking press is skeptical the current budget can keep up ^[9].

The takeaway

Carrier impersonation is durable because operating authority is a transferable property of a legal entity, and fraud groups have learned to acquire it through five distinct supply chains — each priced, timed, and tooled differently. Dormant resale is the volume play. New filings under stolen identities are the high-throughput play. Phishing legitimate carriers is the cheap-and-fast play. Gray-market brokers are the durable play. Document fraud at filing will narrow most under Motus, but won't disappear.

Anyone modeling fictitious-pickup risk for the next twenty-four months should assume registration-stage controls will get materially better, and that the fraud will migrate downstream — toward the broker handoff and the dock-side pickup, where the operating authority is no longer the bottleneck. The bottleneck becomes the human at the dock, the BOL in their hand, and whether anyone on the shipper's side can verify either. For where stolen loads go once that handoff fails, see the parallel supply chain piece.