Cargo theft is changing, and the risk is now inside the truck

Scott Cornell has worked enough cargo theft cases to know that the most dangerous schemes rarely announce themselves. They usually appear disguised as something routine. Cornell, Chief Risk Officer at SPG Cargo & Logistics, joined me recently on the Fraud Watch podcast to discuss what the industry is now calling the Trojan Driver scam.

What stood out most was not just the method itself, but how he described uncovering it. There was no dramatic breakthrough. It started with small inconsistencies across cases that almost made sense on the surface. the case that didn’t quite add up The first incident did not immediately raise alarms. At first glance, it looked like a standard theft.

But Cornell noticed details that did not fit. The truck was parked somewhere the driver could not explain. The stop did not match the route. Basic identifying information came back inconsistent. Communication became difficult. None of those issues alone proved anything. Together, they painted a very different picture. At the time, it still looked isolated.

What changed everything was when Cornell started discussing it with others in the industry. First in smaller groups, then publicly at a conference. Within days, more companies began reporting similar situations. Different freight. Different carriers. Same types of inconsistencies. That was the moment it stopped looking random. It became a method. window.

googletag = window. googletag || {cmd: []}; googletag. cmd. push(function() {googletag. defineSlot('/21776187881/FW-Responsive-Main_Content-Slot1', [[300, 100], [320, 50], [728, 90], [468, 60]], 'div-gpt-ad-1709668545404-0'). defineSizeMapping(gptSizeMaps. banner1). addService(googletag. pubads()); googletag. pubads(). enableSingleRequest(); googletag.

pubads(). collapseEmptyDivs(); googletag. enableServices(); }); googletag. cmd. push(function() {googletag. display('div-gpt-ad-1709668545404-0'); }); The idea behind the Trojan Driver is not entirely new.

Organized theft groups have spent years trying to place insiders inside warehouses, brokerages, and distribution centers to gain access to shipment information and target intel. What changed was the role of the insider. In older schemes, the insider gathered information while someone else handled the theft.

There was separation between intelligence and execution. That separation created risk for the people running the operation. The Trojan Driver removes that separation completely. The insider is the driver. They do not just know what freight is moving. They control where it goes and when control changes hands.

Cornell believes this shift happened because the industry improved at detecting traditional fraud methods. As onboarding and carrier vetting became more sophisticated, organized theft groups lost easy access through fake carriers and identity manipulation. Instead, they adapted by targeting the hiring process of legitimate trucking companies.

why it spreads slowly Cornell does not believe this will become the industry’s dominant theft method overnight. Unlike phishing or identity fraud, the Trojan Driver model takes time. Drivers have to get hired. They have to build trust. They have to wait for the right load assignment and the right opportunity.

Ironically, that patience is part of what makes the method difficult to stop. Cornell describes it as an opportunity-based tactic. Theft groups keep it available and use it when conditions align, while continuing to rely on other fraud methods in between. The strategy is intentional.

A diversified approach keeps the industry from adapting too quickly to one specific threat. The comparison to phishing attacks is hard to ignore. Early social engineering scams were easy to detect and difficult to scale. Over time, they evolved into one of the most common forms of cybercrime.

The Trojan Driver scam appears to be much earlier in that cycle, which means the industry still has a chance to get ahead of it. the structural problem This is where Cornell points to the larger issue. From a broker’s perspective, the responsibility is usually limited to vetting the trucking company itself.

If the carrier passes every check, there is often no practical way for a broker to identify a compromised driver in real time. The exposure exists inside the carrier’s hiring and screening process. That creates a major gap. window. googletag = window. googletag || {cmd: []}; googletag. cmd. push(function() {googletag.

defineSlot('/21776187881/fw-responsive-main_content-slot3', [[728, 90], [468, 60], [320, 50], [300, 100]], 'div-gpt-ad-1665767553440-0'). defineSizeMapping(gptSizeMaps. banner1). addService(googletag. pubads()); googletag. pubads(). enableSingleRequest(); googletag. pubads(). collapseEmptyDivs(); googletag. enableServices(); }); googletag. cmd.

push(function() {googletag. display('div-gpt-ad-1665767553440-0'); }); Shippers, brokers, and carriers all operate within separate responsibilities. That structure made sense when threats stayed within clear boundaries. It becomes far