Cybersecurity Checklist for Carriers

Not too long ago, the biggest security concern for your trucking business was physical theft—protecting your cargo, equipment, or even the items inside your cab from being stolen. While those types of crimes still occur, cybercrime is what’s plaguing today’s carriers. For truckers, cyberattacks can result in stolen payments, hijacked accounts, and disrupted operations.

Cybercrime, one of the fastest-growing threats globally, impacts businesses of all types and sizes, including freight carriers and independent owner-operators. And falling victim to these scams can cost you significantly. In fact, in 2024, global data breaches cost businesses an average of $4.88 million per incident.

Protecting your business from these risks has never been more important. The good news? You don’t need a big IT team or a hefty budget to start boosting your carrier cybersecurity. Implementing a few practical steps can go a long way toward keeping your systems secure and your operations on track.

Understanding cyberthreats in the freight industry

With so many devices required to connect with freight partners, manage loads, and move freight efficiently, the freight industry has become an appealing target for hackers. Cybercriminals hack into systems to steal identities, intercept payments, and gain access to your private data for malicious purposes.

Why the freight industry is targeted

The freight industry is especially prone to cyberattacks due to:

1. Big Payouts: These types of scams are profitable for criminals. If they steal your login information, they can pose as a real company and intercept to steal money from financial transactions.
2. Fast-Paced Communication: Moving freight requires email or text communications. In these messages, you could be sharing anything from shipment updates to payments and price negotiations. While theindustry is used to this frequent type of communication, there’s still a risk of clicking a malicious link or giving away information on accident.

Types of online scams

Cybercriminals use various scams to gain access to your accounts or information. Here’s a breakdown of the most common ones.

Phishing

More than 90% of cyberattacks start with phishing. Cybercriminals use email to trick you into revealing sensitive information. These emails can be incredibly convincing, often appearing to come from a familiar website, a trusted company, a co-worker, or even your boss. The key to not falling for these scams is education. By understanding their tactics, you can respond with caution and protect yourself from becoming a victim.

In phishing emails, the scammer might ask that you provide any of the following information:

• Date of birth
• Home address
• Social Security number
• Credit card details
• Phone number
• Log in details
• Passwords or information to reset a password

Criminals can use this information to impersonate you. They may apply for credit cards or loans, open bank accounts, or even log in to your load board account. Phishing occurs when you act on a fake email that demands urgent action or asks you to do something, such as:

• Click an attachment.
• Connect to a new Wi-Fi hotspot.
• Update a password.
• Respond to a contact request via social media.

Smishing

Cybercriminals are increasingly turning to text-based scams, or smishing, to reach drivers directly on their phones. These messages look urgent and are designed to trick you into sharing sensitive information, clicking on a link, or downloading harmful software. Like email phishing, these messages may seem like they’re coming from trusted sources, creating urgency or fear to trick you into an undesired action.

Smishing could look like receiving a text message about a suspicious transaction urging you to take action, such as verifying your account.

Other common smishing attacks include:

• Tech support scams: You receive a message that there’s a problem with your device or account, and it tells you to contact a tech support number. Calling the number may actually cause charges on your account, or the person acting like a technician could request remote access to your phone or computer, leading to theft.
• Service cancellation alerts: A cybercriminal warns you that your subscription or service will be canceled due to a payment issue. They urge you to click the link to “resolve” the problem, which actually takes you to a phishing page.
• Malicious app downloads: Scammers send you a text promoting an entertaining or supposedly useful app. Clicking the download link installs viruses or malicious malware on your device.

Quishing

QR code phishing, or “quishing,” is a scam where fake QR codes are used to trick people into visiting dangerous websites or downloading harmful software. Since QR codes are widely used for things like menus, payments, and logins, they’ve become popular for cybercriminals to exploit. Attackers often embed these malicious QR codes in unexpected places, such as emails from trusted sources or public advertisements.

Common quishing tactics include:

• Fake payments: Scammers use QR codes on parking tickets or invoices, leading to fraudulent payment sites.
• Identity theft: Quishing can redirect users to fake login pages to steal sensitive information like usernames and passwords.
• Malware distribution: Some QR codes automatically download harmful software onto devices.

Signs of quishing attacks include:

• Unexpected emails: Be wary of emails with QR codes from unknown sources.
• Unusual requests: Avoid urgent requests to scan QR codes.
• Altered codes: Inspect physical QR codes for signs of tampering.

When unsuspecting victims scan these fake codes, they’re often redirected to phishing websites designed to steal sensitive information like passwords and credit card details. These scams are particularly effective because they can bypass traditional email filters and security software, making them a growing threat to carrier cybersecurity.

How to identify suspicious messages and protect yourself

While it can be difficult to tell a legitimate message from a scam, there are signs that should alert you that a message may be fraudulent. If an email or text seems suspicious, do the following to confirm legitimacy:

1. Hover over email links: Phishing and smishing messages usually come from unknown senders. However, scammers can also make their email look like a legitimate source. Be wary of these messages from people or email addresses you don’t know. You can hover over the link to see if it reveals anything strange. If it seems unusual or reveals an unfamiliar site, err on the side of caution by not clicking on the link.
2. Be suspicious if you’re asked for personal information: Always be skeptical of messages asking for sensitive personal information, such as your Social Security number, bank account number, or passwords. Unknown sources that urgently ask for personal information are a red flag. If the message creates a sense of urgency or fear, it’s best to do your due diligence.
3. Look for grammatical errors: Scam emails or texts often include poor grammar and misspelled words.
4. Be wary of strange QR code requests: To protect yourself from quishing, it is important to be aware of the risks and take steps to avoid becoming a victim. Never scan a QR code from an untrusted source or strange email address.

Cybersecurity for trucking carriers—best practices

Phishing and smishing scams are common used to target freight professionals, but with these security best practices, you can reduce your chances of becoming a victim:

• Avoid clicking suspicious links: Always verify the sender’s identity before you click on a link or open an attachment in an email. Look carefully at the “from” address, searching for discrepancies or irregularities.
• Be cautious of unsolicited offers: Be careful of unsolicited emails or texts or those that seem strange or irrelevant to your business. Also, be suspicious of any message that offers something unexpected or comes across as demanding. If you receive an unexpected offer or prize notification, it’s likely a scam.
• Never share sensitive information online: It’s best practice to never share personal information on your phone or computer. Legitimate companies won’t request this type of information through text or email.
• Report suspicious messages: If you receive a strange text or email, report it to your IT department or the authorities.
• Create strong passwords: Create unique and strong passwords for your logins. Strong passwords are long and random and usually include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t include your name, birthday, or family details, as scammers could guess them.
• Use multifactor authentication (MFA): When possible, use MFA and other security tools to enhance your protection.
• Check the domain: Make sure the domain is authentic before clicking links or inputting personal information. (For example, confirm you are visiting Truckstop.com and NOT info-truckstop.com or Truckstop.blog.)
• Verify QR codes: Only scan codes from trusted sources and verified email addresses. Be sure to check the URL after scanning a code but before clicking on the link to counter quishing attacks.

ELD hacking

Another point of security vulnerability occurs with the use of federally mandated electronic logging devices (ELDs) used to log your hours of service. Off-the-shelf electronic logging devices can be very limited in terms of the security they can provide and can be a vulnerability with dire consequences. These attacks are designed to infiltrate fleets and cause major disruptions, such as sending malware that causes trucks to behave in unexpected, unwanted, and dangerous ways.

How does ELD hacking happen?

Researchers have identified cybersecurity gaps in popular ELDs, determining they could potentially be accessed using Wi-Fi or Bluetooth to disrupt a truck’s operation. Cyberattacks can be made by hacking into a truck’s system via an unsecured ELD in seconds while driving alongside it. For example, a bad actor could hack a truck’s accelerator pedal by driving by it.

Researchers found that they could infect a fleet of trucks with malicious malware by accessing and getting into a single ELD. In fact, malware on one truck could spread to other trucks while traveling on a highway or waiting at a distribution center, truck stop, rest stop, or other location, creating “truck-to-truck worms,” wireless cyberattacks.

How to secure your truck against ELD vulnerabilities

It’s critical for smaller trucking companies and owner-operators to have a good understanding of common ELD vulnerabilities and to pay attention to any suspicious activity, no matter how small it seems. At the very least, consider where the vulnerabilities are and consult with technology experts about how to block holes in security:

• Keep your ELD updated: ELDs may require periodic security updates that include patches for newly discovered vulnerabilities.
• Don’t use weak default passwords: Change your password to a stronger one—the longer, the better. Use random letters and characters, like a string of mixed-case letters, numbers, and symbols, or a passphrase of four to seven random words.
• Avoid exposed public Wi-Fi and Bluetooth connections: Avoid exposed Wi-Fi and Bluetooth connections to keep hackers from getting into your system.
• Avoid vulnerable firmware: Some ELDs have insecure firmware that can be easily reverse-engineered and modified by attackers.
• Keep your business software updated: Defects in software and apps can give criminals an opening.
• Utilize multifactor authentication: Use a text code, authenticator app, or biometrics in addition to your password.

What to do if you get hacked or identify a scam

If you suspect a cybercrime, report it to the Internet Crime Complaint Center. The site is monitored by the FBI and contains educational resources on the latest and most threatening scams. If you suspect a security breach on the Truckstop platform, email security@truckstop.com to report fraudulent activity.

Carrier cybersecurity checklist

The following checklist is a crucial part of cybersecurity for carriers. Follow it to protect your business:

• Check for misspelled email addresses or domain names.
• Be wary of messages creating a sense of fear or urgency.
• Be cautious of unsolicited offers.
• Look for grammatical errors, misspellings, and language irregularities.
• Verify unexpected requests for sensitive information.
• Hover over links and be cautious with unsolicited attachments and links.
• Verify the legitimacy of tech support requests.
• Be cautious of requests to download apps via text message.
• Look for threats or warnings of account closures.
• Keep software updated.
• Avoid public Wi-Fi.
• Choose ELDs with enhanced security features or add security features.
• Use multi-factor authentication in addition to your passwords.
• Never use weak default passwords. Create strong, unique passwords for all devices and systems.