The load was a refrigerated trailer of frozen seafood worth roughly $310,000, posted on a public load board by a midsize Midwest broker on a Monday morning in March. By the following Sunday it had been picked up by a real driver, delivered to the wrong warehouse, broken down into half-pallets, and sold into three states. The "carrier" the broker thought it had hired had never owned a truck.

That sequence — bait, impersonation, double-broker handoff, address change, pickup, breakdown — is the working playbook of the 2026 double-brokering scheme. The names below are composites; the mechanics are not. Each step is reconstructed from FBI, CargoNet, FreightWaves, FleetOwner, and Trucking Info case material.

$725M 2025 U.S. cargo theft losses
+31% deceptive pickup, Q1 2026
+36% freight identity theft YoY
~93k fraud-linked entities tracked

For scale: U.S. cargo theft losses in 2025 reached roughly $725 million, a 60% jump from 2024 [1]. Deceptive pickup schemes rose 31% year-over-year in Q1 2026 [2], and freight identity theft — the upstream enabler — was up 36% over the same period [3]. The FBI's April 2026 IC3 advisory called the underlying problem "cyber-enabled strategic cargo theft" and tied it directly to load-board manipulation and compromised carrier accounts [4].

The cast

Four real-economy parties and one fictitious one move the load:

Day 0 — Monday, 8:14 a.m. CT: the post

Pinewood posts the load: 42,000 lbs of frozen Atlantic salmon, Minneapolis pickup Tuesday, Phoenix delivery Friday. Reefer, $4,850 line haul. Within minutes the listing is being scraped by automated agents working for several different fraud groups — what CargoNet has called the front end of a "systematic, scalable criminal methodology" [5].

The fraud group's filter is selective: commodity-grade product that moves easily through cash secondary channels (food, beauty, electronics, building materials), and a value high enough to be worth the operational risk but not so high it triggers enhanced controls. Salmon at $310,000 sits in the sweet spot. Within 90 minutes a bid is in Pinewood's inbox.

Day 1 — Tuesday, 9:02 a.m. CT: the hijacked identity

The bid arrives from "Carolina Reefer Lines, Inc." — MC, DOT, certificate of insurance, and W-9 attached. Every document looks correct because every document is correct: the MC and DOT belong to the real Carolina Reefer. The fraud group obtained access via a credential harvesting campaign two months earlier and then used the FMCSA registration system to update the contact email and phone on the carrier's record. FMCSA has publicly acknowledged "presumed fraudulent activity where erroneous information about a registered entity is being used" and is rebuilding its registration stack under Motus specifically because of this [6].

The email domain on the bid is carolinareeferlines-dispatch.com — a one-character variant on the real carolinareeferlines.com. The phone is a 704 area code VoIP, matching the carrier's home geography. The COI is real. Only the bank account on the payment instructions PDF doesn't match, and Pinewood will not need that for several days.

The callback that confirms nothing

Pinewood's compliance analyst runs the bid through standard checks. MC active. Authority current. Insurance verified. She pulls the number off the bid email and calls. A dispatcher picks up, identifies the company, references the salmon load by lane, asks for the rate con. Eight minutes, sounds professional.

This is the most under-recognized failure point in the modern broker stack. The analyst called the number on the email, not the number listed in FMCSA SAFER — which is the explicit FMCSA fraud guidance [7]. If she had pulled SAFER she would have seen a phone she'd never seen, because the fraud group had quietly updated the SAFER record too. Even SAFER, in early 2026, is not always a clean source of truth; that gap is exactly what Motus is being built to close [6]. The Transportation Intermediaries Association has hammered the same point: a phone number on an email is not verification, an MC number on a load board is not verification, and an insurance certificate can be fabricated [8].

The rate confirmation goes out at 10:41 a.m. CT.

Day 2 — Wednesday, 7:30 a.m. ET: the re-post

By the time Pinewood is opening Wednesday's email, the fraud group has already done the second half of its work. The load is back on the same load board — and on two others — at a lower rate, with the drop address edited.

Tri-County Hauling, in Tennessee, has a driver finishing a deadhead in Chicago and looking for a westbound reload. The posting hits Tri-County's TMS at 7:42 a.m. at $4,200, $650 under the original line haul. The lane fits, the reefer is empty, the rate is workable. Tri-County takes the bid.

The "broker" posting the load identifies itself as Carolina Reefer Lines doing a partner haul. The rate con emailed to Tri-County puts Carolina Reefer in the broker slot. This is the textbook double-brokering pattern documented in TIA's framework and in FreightWaves' long-running coverage of the issue [9]. Tri-County has done its own checks; the "broker" looks legitimate because the MC and DOT belong to a real carrier. Tri-County is not, in this moment, doing anything wrong.

Day 3 — Thursday, 6:00 a.m. CT: pickup and the address-change email

Tri-County's driver arrives at the Minneapolis cold storage on schedule. The dock clerk checks the BOL against the original Pinewood rate con in the TMS — carrier name matches, load number matches, CDL valid. The salmon is loaded. The driver heads southwest on I-94 toward Phoenix.

At 11:18 a.m. CT, while the driver is somewhere west of Sioux Falls, an email comes into Tri-County's dispatch inbox. Subject: Consignee change — Load #PWCL-44192 — Phoenix → Fontana. The body, in lightly broken English, says the Phoenix consignee had a refrigeration failure and the load needs to divert to a partner cold storage in Fontana. New address attached. New BOL recipient attached. Signed by the same "dispatcher" Tri-County has been emailing all week.

The email is from the fraud group, which has now been controlling the carrier-broker relationship from both sides for forty-eight hours. The FBI's IC3 advisory describes exactly this maneuver: posing as the compromised carrier, criminal actors "double-broker the load to partially unwitting drivers, providing manipulated bills of lading, and changing the destination of the load" [4]. FleetOwner documented the identical email-spoofing pattern in its 2026 case round-up [10].

Tri-County's dispatcher pushes the new address. The driver re-routes south at the next interchange. The load is now on its way to a warehouse that does not appear in any of Pinewood's systems.

Day 5 — Saturday, 3:40 p.m. PT: the drop

The driver arrives at "Westgate Cold Storage" in an Inland Empire industrial park Saturday afternoon. The exterior looks normal: a yard, a dock, a guard shack. Two men in safety vests wave the trailer to a door, scan the BOL, and accept the load on the manipulated paperwork. They sign as the consignee. The driver gets a signed POD and drives off.

From Tri-County's perspective, the load delivered cleanly. The driver reports completion to the Tennessee dispatcher, who reports to "Carolina Reefer Lines," who — being the fraud group — reports completion to Pinewood. Pinewood marks the load delivered. The Phoenix consignee is still expecting Friday's delivery, soothed by the fake dispatcher's routing-delay story.

Within hours of the trailer leaving Westgate's yard, the salmon is being moved to a second truck. The Westgate dock door will either continue to receive stolen loads for several more weeks or be abandoned within 72 hours, depending on the fraud group's operating discipline.

Days 5–6: the parallel supply chain

The salmon does not enter a black market. It enters a parallel supply chain that runs alongside the legitimate one. FreightWaves' multi-year reporting on fraud rings has consistently shown the same pattern: networks of related shells, shared phone numbers, shared addresses, shared payment rails, run as a business and not as a heist [11]. The carrier identity platform Highway has tracked fraud-linked entities ballooning from roughly 17,000 in early 2025 to over 90,000 by late 2025 and into the 93,000 range by early 2026 — most of which, on inspection, resolve to a much smaller number of operators behind a wall of paperwork [12].

For this load, the breakdown is mundane. Pallets get split into half-pallets. A portion sells for cash to two independent grocery chains by Sunday night. A portion moves east Tuesday in a clean trailer to a Phoenix wholesaler who knowingly sources from gray channels. A final portion is exported within the week. By the time the Phoenix consignee calls Pinewood on Monday morning, the freight is already in three customers' freezers.

The point of the modern double-brokering scheme isn't to hide the freight. It's to spend the freight before anyone notices it is missing.

The aftermath: weeks, not hours

Pinewood learns it has a problem Monday morning, six days after the post. It calls Carolina Reefer using the number on the rate con; the line is disconnected, because the fraud group has rotated VoIP — a pattern documented in FleetOwner's 2026 round-up [10]. Pinewood pulls SAFER, finds the real Carolina Reefer in North Carolina, and calls. The real carrier's owner learns, in this phone call, that her MC number has been used in a $310,000 theft. Within a week she is fielding calls from her own customers, who are seeing her MC on loads she never bid on.

Tri-County Hauling submits its invoice. The fraud-group email bounces. The "broker" listed on Tri-County's rate con, traced through SAFER, is a real carrier that didn't broker the load and won't be paying. Tri-County is out the line haul.

Pinewood files a CargoNet incident report, an insurance claim, and an FBI IC3 complaint [4]. In aggregate, those filings are now driving federal attention to this category. In the individual case the recovery odds are poor: industry post-mortems and law-enforcement debriefs put the recovery rate for impersonation-driven thefts in the single digits to low teens by value [13].

The structural failure points

What makes this scheme reliably repeatable is not technical sophistication. The hijacked MC, the typo-squatted domain, the VoIP phone, and the address-change email are all decades-old fraud primitives. What makes them work every time in 2026 is that the broker-carrier handoff is the only segment of the freight transaction that still trusts a phone number and an email address as verification of identity.

Three points failed in the case above:

  1. Vetting trusted load-board-supplied contact data. The analyst called the number on the bid email, not one she sourced independently. TIA and FMCSA have both been explicit that this single step is responsible for a disproportionate share of broker-side fraud losses [7][8].
  2. Re-posting visibility was zero. Pinewood had no way to see the same load it had just contracted being re-posted at a lower rate within hours. Tools to detect this exist; adoption among small and midsize brokers remains uneven.
  3. No physical-identity check at pickup. The driver at the Minneapolis dock was a real driver carrying real paperwork, and the clerk had no way to verify he was the driver the contracted carrier had dispatched. The contracted carrier had never dispatched anyone. That gap — between "the carrier I hired" and "the human standing at the dock" — is the cheapest defensive line nobody is consistently holding.

The Senate's SAFER Transport Act, introduced February 2026, names fictitious pickups, double brokering, and hostage loads as targeted criminal activity [14], and FMCSA's Motus registration overhaul will eventually make the upstream identity layer harder to spoof [6]. Both are real progress; both are slow. Neither helps a broker with a load posted today.

The takeaway

The reconstruction above is uncomfortable for one specific reason: every party except the fraud group did roughly what the industry has trained them to do. The broker vetted, called to confirm, ran the rate con. The shipper checked the BOL against the TMS. The driver picked up legitimately and followed dispatch. The consignee had no role until the load failed to arrive. The 2026 double-brokering scheme is engineered to survive each of those checks individually, because each check, taken in isolation, accepts adversary-supplied data as verification.

The reason recovery is rare, the reason the federal response is slow, and the reason these schemes keep paying out is the same reason: the place where identity is supposed to be confirmed — the dock door, the phone call, the email — is the place where the adversary has had the most time to prepare. The shipping side of the freight industry will spend the next twenty-four months either rebuilding that confirmation layer or continuing to absorb the losses.

Sources

  1. Cargo Theft Surged 60% in 2025, $725M in Estimated Losses — Carrier Management, Jan 22, 2026
  2. U.S. Cargo Theft Dipped in Q1 2026 While Deceptive Pickup Schemes Jumped 31% — Overhaul / PRNewswire, 2026
  3. Freight Fraud Hits Record High in Q1 2026: Half of All Incidents Tied to Carriers With Clean Records — GlobeNewswire, May 2026
  4. Cyber-Enabled Strategic Cargo Theft Surging — FBI Internet Crime Complaint Center (IC3) PSA, Apr 30, 2026
  5. New 2026 cargo theft schemes expose vulnerabilities in vetting, email systems, and pickups — FleetOwner, 2026
  6. FMCSA's new motor carrier registration system (Motus) is designed to prevent fraud and identity theft — TheTrucker.com
  7. Broker and Carrier Fraud and Identity Theft — FMCSA
  8. Double Brokering Marches On: Strategies and Tactics for Risk Mitigation — Transportation Intermediaries Association (TIA)
  9. Inside the investigation into a double-brokering scheme — Long-Haul Crime Log — FreightWaves
  10. Cargo Theft's New Playbook: Strategic Fraud, Double Brokering, and Cybercrime Hit Trucking — Trucking Info / Heavy Duty Trucking
  11. Former employees shed light on sophisticated double-brokering network — FreightWaves
  12. The Future of Carrier Identity: Combating Fraud and Double Brokering — Highway
  13. Cargo Theft — National Insurance Crime Bureau (NICB)
  14. Bill seeks to fight freight fraud tactics including double brokering and hostage loads — CDL Life, Feb 2026
  15. FBI details double-brokering cargo theft scheme in felony charges for trucker — Overdrive