For most of the past decade, the question "is this driver real?" had a standard answer in freight broker SOPs. You looked up the carrier's MC number on SAFER, you wrote down the phone number listed in the FMCSA record, and you called it. If the person on the other end confirmed they had dispatched a driver named Mike with truck number 4412 to your pickup window at 0900, you wrote the load and went home.
That control had a name on most desks: the strict callback rule. In 2026 it is mostly a fiction. Brokers still dial registered phone numbers. They still get someone on the line who says, "Yes, Mike is on his way." And the freight still walks off the dock with a person who has no employment relationship with the carrier the broker thinks they hired.
The strict callback rule wasn't beaten by one clever attack. It was hollowed out, in roughly eighteen months, by four converging mechanisms that together turned the registered phone number from a fraud control into a fraud channel.
How the defense was supposed to work
The strict callback rule's logic was simple and, for years, sound. FMCSA-registered phone numbers are, in principle, tied to a real business entity that has filed for operating authority, paid filing fees, and maintained an active record in the federal registration system. If a fraud group wanted to defeat a callback, they had to either compromise the carrier's actual phones, persuade FMCSA itself to change the number on file, or sit between the broker and the carrier in real time.
None of that was trivial in 2018. All of it is trivial in 2026.
The control was already showing strain when CargoNet's Q1 2026 brief landed in April. The report described impersonation-based theft as a "systematic, scalable criminal methodology" rather than an opportunistic scam, and called out the toolkit explicitly: credential harvesting, phishing, remote access tools, compromised business email accounts, internet-based phone systems, and the very industry applications used to verify identities [1]. The list reads less like a description of fraud and more like a description of a normal SaaS company's operating stack — which is, of course, the point.
Mechanism one: VoIP spoofing at industrial scale
The cheapest and most common way to defeat a callback is also the oldest: make the number you control appear to be the number the broker is dialing. Caller-ID spoofing through VoIP services has been technically possible since the early 2000s. What changed in 2024 and 2025 is volume, automation, and the fact that load board fraud groups began running it as a routine line item rather than an exotic tactic.
Highway's Q2 2025 Freight Fraud Index, published in late July 2025, reported that the platform blocked more than 42,000 fraudulent inbound calls in a single quarter — a 37% jump over Q1 2025 [2]. The Q3 2025 index, released that October, flagged 62,531 fraudulent phone numbers and recorded 149 unauthorized FMCSA contact changes in the quarter [3]. The Q3 brief made the implication explicit: spoofed or VoIP numbers were "increasingly used to solicit load details or submit fraudulent contact changes that enable account takeover."
Trade press picked the pattern up in parallel. Truck News documented spoofed-number cargo theft incidents in which fraudsters used burner VoIP lines to impersonate dispatchers, including cases where the spoofed number matched the carrier's registered area code closely enough to defeat a casual eye-check [4]. Once spoofing is cheap, the strict callback rule becomes structurally equivalent to no callback at all: the broker dials a number, talks to someone who answers in the carrier's name, and learns nothing about whether the person on the other end has any relationship with the actual carrier.
Mechanism two: account takeover of the FMCSA portal itself
The second mechanism is more damaging because it corrupts the source of truth that the strict callback rule relied on. If a fraud group can change the phone number on the carrier's FMCSA record, the broker who carefully looks it up on SAFER will dial straight into the fraud group's call center — and the call will look textbook-clean.
FMCSA itself acknowledged the scale of this in its 2025 fraud guidance, describing a "significant upswing in presumed fraudulent activity where erroneous information about a registered entity is being used, resulting in cargo and monetary theft" [5]. The agency suspended online PIN requests in late 2024 after concluding that the existing process was being routinely exploited to hijack accounts. Carriers, in some cases, did not realize their portal contact information had been changed until a broker called them about an unfamiliar load.
Hylant's analysis of FMCSA profile compromise described a clean attack path: phishing or social engineering harvests the carrier's portal credentials or DOT PIN, the attacker rewrites the company's phone and email fields, and the carrier's own identity then becomes a vehicle for fraud routed past their visibility [6]. The countermeasure FMCSA shipped in April 2025 — mandatory identity verification via IDEMIA for new motor carrier applicants, capturing a government-issued photo ID and a live facial selfie — addresses new registrations but does not retroactively reverify the millions of existing accounts that the strict callback rule trusts [7].
Highway's Q3 2025 figure of 149 unauthorized FMCSA contact changes in a single quarter is, by itself, a quiet but devastating statistic. Every one of those changes broke the strict callback rule for whatever broker subsequently relied on the updated record.
Mechanism three: business email compromise that rewrites contact data
The third mechanism is the one the FBI's Internet Crime Complaint Center singled out for a Public Service Announcement on April 30, 2026. The PSA, titled "Cyber-Enabled Strategic Cargo Theft Surging," described attackers gaining unauthorized access to broker and carrier computer systems through spoofed emails, fake URLs, and compromised business email accounts, with the explicit goal of impersonating legitimate businesses to hijack freight and reroute deliveries [8]. The IC3 included an example of the modal email-spoof pattern — a free-provider lookalike like dispatch.FBITrucking@[provider].com substituted for the real dispatch@FBITrucking.com — which is enough to plant the wrong phone number inside a broker's TMS without the broker realizing it.
BleepingComputer's coverage of the PSA tied it to a financially motivated cybercrime group, Diesel Vortex, that had been running phishing campaigns against freight and logistics operators since September 2025, using a documented portfolio of 52 imitation domains [9]. The economics make sense: the cost of registering a domain and sending phishing email is a rounding error against the average single cargo theft event of $273,990 that Verisk and CargoNet documented for 2025 [10].
The relevance to the strict callback rule is that once a fraud group has access to the carrier's email — or to a broker's own email thread with the carrier — they can quietly submit a "contact update" or a "new dispatcher number" and the next callback the broker places lands at the fraud group, with no spoofing required at all. The Q3 Highway brief noted that fraud rings often "blend into legitimate email threads to intercept rate confirmations, impersonate dispatchers, and redirect payments." The phone number is just one more field they edit on the way through.
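The lookalike-sender pattern from the IC3 example can be checked mechanically before a "contact update" email is allowed to change a number in the TMS. The sketch below is an added example, not code from the PSA or from any vendor named here. The free-provider list, the 0.85 similarity threshold and the function names are assumptions.

```python
import difflib

# Constructed placeholder list; a real deployment maintains its own free-mail list.
FREE_PROVIDERS = {"freemail.example", "webmail.example"}

def split_addr(addr):
    """Return (local part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain

def sender_findings(sender, address_on_file):
    """Compare an inbound sender with the carrier address already on file.

    An empty list means only that the domain matches the record. It says
    nothing about whether that mailbox has been compromised.
    """
    local, domain = split_addr(sender)
    _, known_domain = split_addr(address_on_file)
    if domain == known_domain:
        return []
    findings = ["domain-differs-from-record"]
    # The carrier's name moved into the local part of an unrelated domain,
    # e.g. dispatch.FBITrucking@<free provider> for dispatch@FBITrucking.com.
    brand = known_domain.split(".")[0]
    if brand in "".join(ch for ch in local if ch.isalnum()):
        findings.append("brand-in-local-part")
    if domain in FREE_PROVIDERS:
        findings.append("free-provider")
    # Near-miss domain: one or two characters away from the real one.
    ratio = difflib.SequenceMatcher(None, domain, known_domain).ratio()
    if ratio >= 0.85:  # assumed threshold
        findings.append("lookalike-domain")
    return findings

if __name__ == "__main__":
    on_file = "dispatch@FBITrucking.com"
    # Constructed sample senders.
    for sender in ("dispatch@fbitrucking.com",
                   "dispatch.FBITrucking@freemail.example",
                   "dispatch@fbitruckinq.com"):
        print(sender, sender_findings(sender, on_file))
```

Any non-empty result is a reason to hold a requested contact change for out-of-band confirmation instead of applying it from the email thread.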
Mechanism four: OSINT and timing
The fourth mechanism is less technical and more procedural. Fraud groups now study how brokers actually run their callback workflow — which shifts call dispatch, which use after-hours answering services, which require a manager's sign-off, which accept a text-message confirmation as a substitute. The reconnaissance is straightforward open-source work: LinkedIn profiles for broker ops teams, podcast interviews with VPs of operations, vendor case studies that describe a brokerage's internal stack. The result is a fraud group that knows, for a specific brokerage, when the callback window opens and closes.
This is the part of the picture least captured in raw statistics, but it surfaces consistently in trade-press post-mortems. Inbound Logistics described 2025-2026 freight fraud as having "matured into a layered operation" that combines technical compromise with social engineering of staff [11]. FreightWaves' "Impersonation Attacks Are Here To Stay" coverage made the same point in different words: the fraud groups are no longer running smash-and-grab schemes, they are running long-cycle reconnaissance, and the phone callback is something they plan around [12]. If the fraud group knows the brokerage requires a callback within 30 minutes of dispatch, they make sure their VoIP number rings during that exact window.
Dark Reading's coverage of CargoNet's data captured the consequence cleanly: physical cargo theft now gets a routine "boost from cybercriminals" who handle the social and technical preparation as a service, allowing the actual freight haulers downstream to operate on something closer to a legitimate-looking schedule [13]. The strict callback rule, designed to interrupt an improvisational scam, was never built to detect a planned operation.
A control that worked against opportunistic scams was always going to lose against a workflow. The strict callback rule didn't get hacked. It got out-engineered.
What forwarders are migrating toward
The interesting question isn't whether the strict callback rule is dead. By any honest reading of the 2025 data it is. The interesting question is what defenses brokers and forwarders are actually moving the verification burden onto, and which of those defenses look durable.
Four shifts are visible in the trade press and in vendor product announcements over the past twelve months:
1. Continuous monitoring of FMCSA record changes
Rather than treating the SAFER lookup as a one-time confirmation, more sophisticated brokers now subscribe to daily-change feeds. CarrierOK and similar tools surface changes to addresses, phone numbers, emails, and insurance status the day they occur, on the theory that a fresh contact change is itself a fraud signal worth interrupting a load over [14]. The strict callback rule treated the FMCSA record as ground truth; the new posture treats sudden edits to that record as the alert.
2. Multi-source identity correlation
Highway's Identity Engine, and similar platforms, no longer rely on a single contact-data field. They cross-check the carrier's phone number against historical patterns, shared numbers across multiple MC numbers, and known VoIP-provider blocks. The Q3 2025 brief noted that the platform now actively reroutes spoofed or high-risk inbound calls before they reach broker sales teams, rather than letting humans adjudicate them at all [3].
3. Dock-level driver identity verification
Verified Carrier's April 2026 launch of "Verified Pickup" — a stated attempt to create "a continuous chain of verified identity from motor carrier registration through the physical moment freight exchanges hands" — was the most explicit acknowledgment yet that the contract-stage controls are insufficient and that the verification burden has to migrate to the dock [15]. GenLogs' nationwide network of roadside sensors makes the same argument from the road-network side: the carrier's claim to digital existence is validated by observed physical operations [16]. For a deeper picture of why dock-stage verification matters specifically, see our earlier piece on where stolen freight goes after pickup and why recovery rates stay under twenty percent.
4. Treating phone calls as low-trust by default
The most pragmatic shift, visible in TIA's 2026 guidance, is the explicit demotion of the phone callback from a verification step to one signal among several. TIA's carrier-vetting recommendations now emphasize separation of duties, multi-step approvals, and verification of payment destination at the moment of dispatch — none of which the strict callback rule even attempted to address [17]. The implicit message is that no single field — phone number, email, MC number — is trustworthy on its own, and that controls have to be designed around the assumption that any one of them is compromised.
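Shifts 1, 2 and 4 can be combined into one dispatch-time check: a fresh contact change is an alert, a phone number shared across MC numbers or sitting on a VoIP line is a signal, and a successful callback clears none of them. The code below is an added illustration, not any vendor's implementation. The record layout, the 30-day freshness window, the line-type field and the decision labels are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed snapshots: (MC number, phone on record, date the phone last changed, line type).
# The line type is assumed to come from a lookup source the broker already uses.
RECORDS = [
    ("MC-000001", "+15555550101", date(2019, 3, 4), "landline"),
    ("MC-000002", "+15555550177", date(2026, 5, 10), "voip"),
    ("MC-000003", "+15555550177", date(2024, 1, 15), "voip"),
]

def carrier_signals(mc, records, today, fresh_days=30):
    """Return the risk signals attached to one carrier's contact record."""
    shared = defaultdict(set)
    for m, phone, _, _ in records:
        shared[phone].add(m)
    _, phone, changed, line_type = next(r for r in records if r[0] == mc)
    signals = []
    if (today - changed).days <= fresh_days:
        signals.append("recent-contact-change")   # the edit itself is the alert
    if len(shared[phone]) > 1:
        signals.append("phone-shared-across-mc")
    if line_type == "voip":
        signals.append("voip-line")
    return signals

def dispatch_decision(mc, records, today, callback_ok):
    """Treat the callback as one input; it never overrides another signal."""
    signals = carrier_signals(mc, records, today)
    if "recent-contact-change" in signals:
        return "hold", signals
    if signals or not callback_ok:
        return "manual-review", signals
    return "proceed", signals

if __name__ == "__main__":
    today = date(2026, 5, 20)
    for mc, *_ in RECORDS:
        print(mc, dispatch_decision(mc, RECORDS, today, callback_ok=True))
```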
The takeaway
The strict callback rule was a good control for the threat environment it was designed for. Against an opportunistic scammer with a burner phone and a clumsy fake bid, dialing the FMCSA-registered number interrupted the scam at the most expensive point in their workflow. Against a 2025-vintage fraud group running compromised email, hijacked portal accounts, spoofed VoIP lines, and reconnaissance on the brokerage's call patterns, the callback isn't a control at all. It's a checkbox that fraud groups have learned to satisfy as a routine cost of doing business.
What remains is a quieter and less comfortable conclusion. Phone-based identity verification was always a stand-in for a control the freight industry didn't actually have — namely, the ability to confirm that the human standing at a pickup dock corresponds to the human the carrier has on the dispatch list. The strict callback rule pretended to bridge that gap from a desk hundreds of miles away. The fraud wave of the past eighteen months has shown the bridge was made of paper. The brokers and forwarders that adapt fastest in 2026 and 2027 will be the ones who stop trying to rebuild that bridge and start treating the dock itself as the place verification has to happen.
Sources
[1] 2026 First Quarter Supply Chain Risk Trends Analysis — CargoNet
[2] Highway Q2 2025 Freight Fraud Index — Identity-Based Fraud Attempts Escalate with 495K+ Blocked Emails and 42K+ Fraudulent Calls — GlobeNewswire, July 29, 2025
[3] Highway Q3 2025 Freight Fraud Index — Direct Thefts Surge as Fraudsters Shift Tactics — Highway, Oct 27, 2025
[4] Phone number spoofing emerges as a new cargo theft tactic — Truck News
[5] Broker and Carrier Fraud and Identity Theft — FMCSA
[6] When Your FMCSA Profile Gets Hacked: The Hidden Cyber Threat to Transportation Companies — Hylant
[7] FMCSA's Identity Checks Reshape Registration — But Not How We First Thought — CarrierOK
[8] Cyber-Enabled Strategic Cargo Theft Surging — FBI Internet Crime Complaint Center PSA, April 30, 2026
[9] FBI links cybercriminals to sharp surge in cargo theft attacks — BleepingComputer
[10] Incident Volume Falls as Organized Crime Reshapes Cargo Theft Landscape — Verisk Newsroom
[11] Risky Business: Inside the Freight Fraud Surge — Inbound Logistics
[12] Impersonation Attacks Are Here To Stay — FreightWaves
[13] Physical Cargo Theft Gets a Boost From Cybercriminals — Dark Reading
[14] Fraud Alerts — FMCSA
[15] Verified Carrier Launches Verified Pickup, Closing Critical Gap in Freight Fraud Prevention — Yahoo Finance, April 2026
[16] Ending double brokering with GenLogs' physical verification — Commercial Carrier Journal
[17] Carrier Vetting Part 2: Freight Fraud Schemes Every Broker Must Recognize — TIA
[18] Cargo Theft Incidents Fall in Q1, but Organized Crime and Impersonation Drive New Risks — Trucking Info