TL;DR: Cybercriminals are compromising trucking and freight companies with RMM tooling, then using that access to hijack load boards, impersonate carriers, and steal physical cargo, with nearly two dozen campaigns observed since August 2025, according to Proofpoint. The pattern shows that trust in email, load boards, and remote access software now creates a direct fraud path into supply chain operations.
At a glance
What this is: Proofpoint tracks cyber-enabled cargo theft campaigns that use compromised accounts and RMM tooling to steal freight through fraudulent shipment bidding and operational manipulation.
Why it matters: Transportation and logistics teams need to treat load-board access, email trust, and remote access tooling as part of security governance because these controls now sit directly on the path to physical asset theft.
By the numbers:
- According to the National Insurance Crime Bureau, cargo theft leads to $34 billion in losses annually.
- According to NICB, cargo theft losses increased 27 percent in 2024, and losses are expected to increase another 22 percent in 2025.
- Proofpoint observed nearly two dozen campaigns since August 2025 targeting surface transportation entities to deliver RMMs.
👉 Read Proofpoint’s analysis of RMM-driven cargo theft campaigns in surface transportation
Context
Cargo theft has shifted from a purely physical crime to a cyber-enabled fraud problem. In this pattern, attackers use compromised accounts, malicious links, and remote access tooling to manipulate shipment workflows, which means identity, email trust, and access governance now affect real-world logistics outcomes.
For IAM, PAM, and identity teams supporting logistics or adjacent supply chains, the key issue is not only account compromise but operational misuse after access is obtained. The article shows how a fraudulent login can become load-board manipulation, carrier impersonation, and dispatch disruption, which is a governance problem rather than just an endpoint infection problem.
Key questions
Q: What breaks when attackers compromise a freight or load-board account?
A: A compromised freight or load-board account can let attackers post fake loads, hijack existing conversations, and change booking details under a legitimate carrier’s name. That turns a single identity failure into a business process failure, because brokers and carriers often trust authenticated users once the session is open. Organisations need transaction-level verification, not just login controls.
Q: Why do RMM tools help attackers in cargo theft campaigns?
A: RMM tools help because they look like normal remote support software while giving attackers persistent control of the victim machine. In cargo theft campaigns, that makes it easier to observe dispatch activity, harvest credentials, and manipulate freight workflows without relying on obvious malware. Security teams should treat remote access tooling as a governed privilege, not a convenience feature.
Q: How can security teams reduce the risk of email-based freight fraud?
A: They should add independent verification for load postings, payment changes, and booking updates instead of relying on email continuity alone. Attackers often exploit urgency and trust in existing threads, so controls need to check whether the request is authentic, not just whether the message came from a known conversation. This is especially important in logistics workflows with tight deadlines.
Q: Who is accountable when a cyber incident becomes cargo theft?
A: Accountability sits with the organisations that own the trust chain, not only the team that detected the compromise. Fleet operators, OEMs, brokers, and platform providers all have a role because each one can create or narrow the authority an attacker abuses. Governance frameworks such as NIST CSF and identity controls for non-human access help define that responsibility.
Technical breakdown
How RMM tooling becomes a delivery mechanism for cargo theft
Remote monitoring and management tooling is often legitimate software, which makes it useful for abuse. Attackers deliver installers by email or through impersonated web pages, then gain persistent interactive control over the victim machine once the user executes the file. Because the payload resembles normal administration software, it can blend into approved remote support activity unless organisations control what can be installed and from where.
Practical implication: Restrict unauthorised RMM installation and validate remote access software through allowlisting and endpoint control.
Why compromised load-board and email identities matter
The campaign works because freight marketplaces depend on trust between brokers, carriers, and dispatchers. Once an attacker compromises an account, they can post fraudulent loads, hijack existing threads, or respond to legitimate inquiries, turning identity compromise into business process abuse. The technical issue is not just authentication failure but the absence of strong verification around who is allowed to create, edit, and confirm freight transactions.
Practical implication: Apply stronger identity verification and transaction validation to load-board and dispatch workflows.
How reconnaissance and credential harvesting extend the breach
After the initial foothold, attackers use reconnaissance and credential harvesting tools to deepen access across the environment. That allows them to discover more messaging, scheduling, and dispatch systems, then operate with the victim’s own trust relationships. In identity terms, one compromised account can become a broader access bridge because the environment lacks tight privilege boundaries between business functions.
Practical implication: Separate dispatch, booking, and administrative access so one compromised account cannot expose the whole freight workflow.
Threat narrative
Attacker objective: The attacker’s objective is to steal and resell cargo by converting digital account access into fraudulent shipment control and physical goods theft.
- Entry begins when the attacker compromises a broker load-board account or delivers a malicious link that installs RMM software on a carrier device.
- Escalation follows as the attacker uses interactive remote access and credential harvesting to expand visibility into dispatch, booking, and communications systems.
- Impact occurs when the attacker bids on real shipments, alters bookings, and coordinates the theft of physical freight under the victim’s identity.
NHI Mgmt Group analysis
Cargo theft is now an identity governance problem as much as a fraud problem. The article shows that access to a load board or dispatcher mailbox can be enough to trigger real-world theft, which means identity proofing and transaction authority are collapsing into the same control point. That matters because logistics environments often trust authenticated users too readily once the session is established. Practitioners should treat shipment approval as a governed identity action, not a routine workflow step.
Remote access tooling has become a criminal operations layer, not just an IT support layer. RMM software gives attackers a way to hold onto compromised endpoints, observe business operations, and act through legitimate-looking administration channels. That changes the control question from “can we detect malware?” to “which remote tools are authorised, by whom, and for what business purpose?” Practitioners should anchor remote access governance to explicit allowlists and monitoring.
Freight workflows expose a trust verification gap that traditional email security does not close. The attack succeeds because the target industry relies on time pressure, repeated correspondence, and low-friction confirmation steps. Once attackers insert themselves into that chain, they can exploit the organisation’s own operating assumptions. Practitioners should add independent verification for load creation, load confirmation, and account recovery rather than relying on email continuity alone.
Surface transportation operators need a named concept for this pattern: dispatch identity abuse. This is the misuse of valid freight identities, booking accounts, and communications channels to manipulate physical shipments. The concept sits at the intersection of identity verification, access control, and operational resilience, and it explains why security teams should not separate cyber controls from cargo handling processes. Practitioners should map dispatch identity abuse into their fraud and IAM threat models.
OWASP NHI thinking is still relevant here because compromised service-like access can become operational abuse. While the primary victim is a human-operated logistics account, the broader lesson is that any credentialed workflow endpoint can become a pivot if its privileges are not bounded. That is exactly the kind of control failure NHI governance tries to stop in machine-access contexts. Practitioners should apply least privilege and lifecycle controls across every account that can trigger business transactions.
What this signals
Dispatch identity abuse is the right shorthand for this pattern. It captures how a valid business identity can be converted into cargo fraud, and it forces security teams to think about shipment approval as a governed transaction rather than a routine communication step. For teams that already manage [The 52 NHI breaches Report](https://nhimg.org/52-non-human-identity-breaches) or remote-access risk, the lesson is that operational trust is now a security control surface.
The programme-level signal is that transport organisations need tighter lifecycle control over any account that can influence freight movement, including recovery rights, mailbox delegation, and third-party remote tools. That maps well to the identity control themes in the [Ultimate Guide to NHIs](https://nhimg.org/the-ultimate-guide-to-non-human-identities) and the broader access governance model used in identity security programmes.
For threat modelling, this activity is closely aligned with adversary techniques tracked in the [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org), especially credential access, lateral movement, and impact. Practitioners should use those tactics to test where a compromised logistics identity could change a shipment outcome before the damage becomes physical.
For practitioners
- Restrict unapproved remote access tools Block installation of any RMM or remote support software that is not explicitly approved by IT and security administrators, and monitor for installers delivered through email or landing pages that impersonate freight documentation. Tie enforcement to endpoint policy and application control.
- Verify load-board and dispatch actions out of band Require a second verification step for new load postings, booking edits, and carrier payment changes when those actions originate from recently used or newly recovered accounts. This reduces the chance that a compromised identity can complete fraudulent freight transactions.
- Harden email-thread trust checks Detect and flag injected links, sender changes, and anomalous replies in active freight negotiation threads. Treat ongoing conversations as high-risk trust channels rather than safe continuity, especially when a booking or pickup deadline is involved.
- Segment dispatch privileges from administrative access Ensure that dispatchers, brokers, and back-office administrators do not share the same recovery paths, mailbox permissions, or load-board rights. Limit the blast radius so one compromised identity cannot alter bookings, device assignments, and shipment coordination in the same session.
Key takeaways
- Cyber-enabled cargo theft turns compromised identity into physical asset loss, so freight workflows now require security governance as well as fraud controls.
- Proofpoint’s data shows nearly two dozen recent campaigns targeting surface transportation entities, which suggests the threat is active, scalable, and operationally mature.
- The most effective countermeasures are authorised remote tool control, independent shipment verification, and tighter privilege separation across dispatch and booking processes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0040 , Impact | The campaign uses compromised access, movement across business systems, and freight theft outcomes. |
| NIST CSF 2.0 | PR.AC-4 | Freight booking abuse shows why access permissions must be limited and validated by role. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is central when remote access can change physical shipment outcomes. |
| CIS Controls v8 | CIS-5 , Account Management | Account governance is the control surface for compromised freight identities and delegated access. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy should define who may use remote tools and shipment systems. |
Map freight-fraud scenarios to credential access, lateral movement, and impact techniques during detection design.
Key terms
- Remote Monitoring and Management Tool: Remote monitoring and management tools are legitimate administration products that let operators manage endpoints and users at a distance. In abuse cases, attackers deploy them to gain persistent interactive control, blend into normal IT activity, and move from initial access to broader operational manipulation.
- Load Board: A load board is an online marketplace used by brokers and carriers to post, bid on, and book freight shipments. Because it is built on trust, identity compromise on a load board can directly affect real-world shipping decisions, payments, and asset movement.
- Dispatch Identity Abuse: Dispatch identity abuse is the misuse of legitimate transportation accounts, mailbox access, or booking privileges to alter shipment outcomes. It is a governance failure that combines identity compromise, workflow trust, and fraud, often resulting in cargo theft rather than only digital intrusion.
- Account Takeover: Account takeover is unauthorized use of a legitimate account after an attacker obtains valid access through stolen credentials, tokens, or trusted integrations. The key security problem is that the resulting activity often looks normal to logs and controls, which makes containment and attribution harder than in a forced-entry breach.
What's in the full report
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- The specific campaign sequencing used to move from compromised account to fraudulent freight booking and cargo theft.
- Examples of RMM payloads and installer behaviour observed across the campaign cluster.
- IOC listings, payload staging domains, and detection-signature references for network and endpoint teams.
- The report's timeline evidence linking activity back to earlier transport-sector targeting patterns.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity in the context of access control and lifecycle risk. It helps security practitioners translate identity principles into governance decisions across both human and machine-accessed workflows.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org