Motor Carrier Cybersecurity Protocol Checklist

Driver and Office Cyber Awareness

    Target dispatchers, carrier sales reps, and AP staff with a simulated rate-confirmation or fuel-card-portal phishing lure. Record the click rate and book one-on-one remediation for anyone who entered credentials. Dispatch and AP are the highest-value targets for ACH-fraud and load-fraud attackers.

    Cover the patterns: spoofed rate cons from look-alike domains, last-minute pickup-location changes via text, requests to move freight to a third-party warehouse, and double-brokered loads where the actual broker on the BOL differs from the one on the rate con. The driver should call dispatch on the company-issued number before re-routing or releasing freight.

    Carrier-payee impersonation and factoring-company NOA spoofing are the top loss vectors. Require a call-back to the phone on the carrier's W-9 or factoring NOA — never the number on the change-request email — before updating remit-to in QuickBooks, McLeod, or RTS.

Account Access and Authentication

    Confirm MFA is enabled for every user in McLeod / Tailwind / AscendTMS, DAT, Truckstop, Comdata, EFS, WEX, and the ELD admin console. Account-takeover on load boards is the entry point for posting-hijack and double-brokering attacks.

    Pull the user list from the TMS and verify every account is scoped to its actual job — dispatchers shouldn't have carrier-payment edit rights, and brokers shouldn't have driver-DQ access. Remove unused roles inherited from prior staff.

    Cross-check the HR separation list against active users in TMS, ELD (Motive / Samsara / Geotab), fuel cards, load boards, and email. Disable within 24 hours of separation — terminated dispatchers retaining DAT access is a known leak path for load fraud.

    If after-hours dispatch uses a shared login for the TMS or load board, rotate the password every quarter and after any staffing change. Better long-term: convert shared logins to individual accounts so audit trails identify the actual user.
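
    The HR-separation cross-check above, sketched as an added example (not part of the original checklist or any vendor's tooling). The CSV column names, addresses, and status values are assumptions; map them to whatever your TMS, ELD, fuel-card, and load-board exports actually contain.

```python
import csv
import io
from datetime import datetime, timedelta

DISABLE_WINDOW = timedelta(hours=24)  # deadline stated in the checklist item

# Constructed sample exports. Column names and addresses are assumptions,
# not the export format of any TMS, ELD, fuel-card or load-board product.
HR_SEPARATIONS = """email,separated_at
j.ruiz@carrier.example,2024-05-01T17:00
t.nguyen@carrier.example,2024-05-03T09:00
"""
ACCOUNTS = """system,login,status,disabled_at
TMS,j.ruiz@carrier.example,disabled,2024-05-01T18:30
load_board,J.Ruiz@carrier.example,active,
ELD,j.ruiz@carrier.example,disabled,2024-05-03T08:00
fuel_card,t.nguyen@carrier.example,active,
email,m.lee@carrier.example,active,
"""


def find_offboarding_gaps(hr_csv, accounts_csv, now):
    """Return (system, login, finding) for accounts of separated staff."""
    separated = {
        row["email"].strip().lower(): datetime.fromisoformat(row["separated_at"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        login = row["login"].strip().lower()  # logins differ in case across systems
        if login not in separated:
            continue  # current employee
        deadline = separated[login] + DISABLE_WINDOW
        if row["status"] == "active":
            # Still enabled: overdue if the deadline has passed, else pending.
            verdict = "ACTIVE_PAST_DEADLINE" if now > deadline else "PENDING_WITHIN_WINDOW"
        elif datetime.fromisoformat(row["disabled_at"]) > deadline:
            verdict = "DISABLED_LATE"  # closed, but the window was missed
        else:
            continue  # disabled on time
        findings.append((row["system"], login, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_offboarding_gaps(HR_SEPARATIONS, ACCOUNTS, datetime(2024, 5, 3, 12, 0)):
        print(*finding)
```

    DISABLED_LATE entries matter as much as the still-active ones: they show how long a separated user kept working access, which is the period to review in that system's audit trail.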

Load Board and New-Carrier Vetting

    Confirm USDOT and MC are active, authority is not revoked, insurance on file matches the COI in the carrier packet, and the entity name matches the W-9. New authority under 90 days old plus a recent address change is a common fraud-shell pattern.

    Use the phone number on the FMCSA snapshot — not the number on the carrier packet or rate-con reply email. Verify the dispatcher you've been emailing is actually employed there. Impostor brokers and impostor carriers both rely on the victim trusting the email-supplied number.

    Red flags: Gmail or Yahoo dispatch addresses on a 10-year-old authority, a factoring company changed in the last 30 days, a COI faxed from a number not matching the agency on file, an MC sold and re-activated, a posted truck that never matches the units listed with FMCSA. If anything fails verification, flag for fraud review before tendering the load.

    Hold the load tender. Open a fraud ticket, notify the shipper if the load was already posted, and submit the carrier to the load board's fraud team (DAT CarrierWatch, Truckstop RMIS). Document the call-back failure or COI mismatch for the file.

ELD and Telematics Security

    Request the latest SOC 2 Type II from Motive, Samsara, Geotab, or your ELD provider. HOS records, driver PII, and vehicle telemetry sit in the vendor cloud — a compromised ELD vendor exposes the entire fleet's location history and DOT logs.

    Pull the ELD console user list. Only the safety director and assigned compliance staff should have log-edit privileges; dispatchers usually need view-only. Edit privileges on HOS logs are the highest-risk permission in the platform — unauthorized edits show up as falsification in a compliance review.

    Confirm retention covers your accident-defense window (typically 90 days minimum, longer if discovery hold is in place). Lock event-video download to safety and legal only — dashcam clips leaked to social media after a crash have torpedoed defense cases.

Data Protection and Backup

    DQ files contain SSN, MVR, medical card, and drug-test history — driver PII that triggers state breach-notification statutes if leaked. Confirm encryption-at-rest on the document repository (Foley, J.J. Keller Encompass, Tenstreet, or the network share) and TLS for any portal access.

    Pull the last 30 days of backup logs from McLeod / Tailwind / Q7 / AscendTMS. Confirm no failed nights, and that the offsite copy is current. Ransomware against dispatch is the most common cyber claim filed by motor carriers.

    A backup that has never been restored is not a backup. Spin up the most recent backup in an isolated environment, log in, and confirm load history, driver data, and AR are intact. Document the elapsed time — that's your real RTO.

    Treat a failed restore as a P1. File the support ticket with the TMS vendor, escalate to the account manager, and keep the cyber-insurance broker informed if RTO exceeds policy assumptions. Do not close until a successful restore has been demonstrated.
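
    The 30-day backup-log review above, as an added example (not part of the original checklist or any TMS vendor's tooling). The one-line-per-night log format and the one-day offsite freshness threshold are assumptions. The check separates failed nights from nights with no log entry at all, because a job that silently stopped running produces no failure to find.

```python
from datetime import date, timedelta


def audit_backups(log_lines, end, days=30, max_offsite_age_days=1):
    """Audit `days` nights ending at `end`; one log line per nightly job."""
    status_by_night = {}
    last_offsite_ok = None
    for line in log_lines:
        if not line.strip():
            continue  # ignore blank lines in the export
        night_s, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        night = date.fromisoformat(night_s)
        status_by_night[night] = kv.get("status", "UNKNOWN")
        if kv.get("offsite") == "OK" and (last_offsite_ok is None or night > last_offsite_ok):
            last_offsite_ok = night
    window = [end - timedelta(days=i) for i in range(days - 1, -1, -1)]
    return {
        # A job that reported anything other than OK.
        "failed": [n for n in window if status_by_night.get(n, "OK") != "OK"],
        # A night with no entry at all: the job never ran or never logged.
        "missing": [n for n in window if n not in status_by_night],
        "last_offsite_ok": last_offsite_ok,
        "offsite_stale": last_offsite_ok is None
        or (end - last_offsite_ok).days > max_offsite_age_days,
    }


def constructed_log():
    """Constructed sample: June 2024, one failed night, one silent night,
    and offsite replication that stopped succeeding after June 26."""
    lines = []
    for i in range(30):
        night = date(2024, 6, 1) + timedelta(days=i)
        if night.day == 12:
            continue  # silent night: no log line written
        status = "FAILED" if night.day == 20 else "OK"
        offsite = "OK" if status == "OK" and night.day <= 26 else "FAILED"
        lines.append(f"{night.isoformat()} status={status} offsite={offsite}")
    return lines


if __name__ == "__main__":
    print(audit_backups(constructed_log(), end=date(2024, 6, 30)))
```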

Incident Response and Cyber Insurance

    Refresh the call tree: cyber insurer 24/7 hotline, breach counsel, MSP / IT lead, TMS vendor support, top-five shippers' contact, factoring company. The plan should answer the dispatch-can't-tender-loads-tomorrow scenario, not just the abstract breach.

    Walk through a scenario where the TMS is encrypted at 6 a.m. Monday: how does dispatch keep moving trucks already on loads, communicate with shippers expecting tenders, and reach drivers who can't pull their next dispatch? Capture gaps and assign owners.

    Confirm policy limits cover business-interruption for at least the RTO measured in the restore test, ransom payment is included or excluded as expected, and the notification window (commonly 72 hours) matches your IR plan. Many motor carrier policies sub-limit social-engineering loss — confirm the cap.

Patch and Endpoint Management

    Run the patch report from the MSP or Intune / WSUS console. Dispatch workstations are 24/7 production — coordinate reboot windows with the night dispatch lead so patches actually land instead of getting indefinitely deferred.

    Driver tablets running the ELD app, shop laptops connected to diagnostic tools, and yard kiosks are frequently overlooked. Verify EDR agent install and last-checkin date across the inventory; rogue installs of free APKs on driver tablets are a common malware vector.

    Block USB mass-storage on dispatcher and AP workstations via group policy. Shop diagnostic ports are a legitimate exception — document them. Drivers transferring dashcam SD cards through office machines is a recurring infection path.
