Motor Carrier Cybersecurity Protocol Checklist

Target dispatchers, carrier sales reps, and AP staff with a simulated rate-confirmation or fuel-card-portal phishing lure. Record the click rate and book one-on-one remediation for anyone who entered credentials. Dispatch and AP are the highest-value targets for ACH-fraud and load-fraud attackers.

Cover the patterns: spoofed rate cons from look-alike domains, last-minute pickup-location changes via text, requests to move freight to a third-party warehouse, and double-brokered loads where the actual broker on the BOL differs from the rate con. Driver should call dispatch on the company-issued number before re-routing or releasing freight.

Confirm MFA is enabled for every user in McLeod / Tailwind / AscendTMS, DAT, Truckstop, Comdata, EFS, WEX, and the ELD admin console. Account-takeover on load boards is the entry point for posting-hijack and double-brokering attacks.

Pull the user list from the TMS and verify every account is scoped to its actual job — dispatchers shouldn't have carrier-payment edit rights, and brokers shouldn't have driver-DQ access. Remove unused roles inherited from prior staff.

Cross-check the HR separation list against active users in TMS, ELD (Motive / Samsara / Geotab), fuel cards, load boards, and email. Disable within 24 hours of separation — terminated dispatchers retaining DAT access is a known leak path for load fraud.

Confirm USDOT and MC are active, authority is not revoked, insurance on file matches the COI in the carrier packet, and the entity name matches the W-9. New authority under 90 days old plus a recent address change is a common fraud-shell pattern.

Use the phone number on the FMCSA snapshot — not the number on the carrier packet or rate-con reply email. Verify the dispatcher you've been emailing is actually employed there. Impostor brokers and impostor carriers both rely on the victim trusting the email-supplied number.

Red flags: gmail or yahoo dispatch addresses on a 10-year-old authority, factoring company changed in the last 30 days, COI faxed from a number not matching the agency on file, MC sold and re-activated, posted truck never matches the units listed with FMCSA. If anything fails verification, flag for fraud review before tendering the load.

Request the latest SOC 2 Type II from Motive, Samsara, Geotab, or your ELD provider. HOS records, driver PII, and vehicle telemetry sit in the vendor cloud — a compromised ELD vendor exposes the entire fleet's location history and DOT logs.

Pull the ELD console user list. Only the safety director and assigned compliance staff should have log-edit privileges; dispatchers usually need view-only. Edit privileges on HOS logs are the highest-risk permission in the platform — unauthorized edits show up as falsification in a compliance review.

DQ files contain SSN, MVR, medical card, and drug-test history — driver PII that triggers state breach-notification statutes if leaked. Confirm encryption-at-rest on the document repository (Foley, J.J. Keller Encompass, Tenstreet, or the network share) and TLS for any portal access.

Pull the last 30 days of backup logs from McLeod / Tailwind / Q7 / AscendTMS. Confirm no failed nights, and that the offsite copy is current. Ransomware against dispatch is the most common cyber claim filed by motor carriers.

A backup that has never been restored is not a backup. Spin up the most recent backup in an isolated environment, log in, and confirm load history, driver data, and AR are intact. Document the elapsed time — that's your real RTO.

Refresh the call tree: cyber insurer 24/7 hotline, breach counsel, MSP / IT lead, TMS vendor support, top-five shippers' contact, factoring company. The plan should answer the dispatch-can't-tender-loads-tomorrow scenario, not just the abstract breach.

Walk through a scenario where the TMS is encrypted at 6 a.m. Monday: how does dispatch keep moving trucks already on loads, communicate with shippers expecting tenders, and reach drivers who can't pull their next dispatch? Capture gaps and assign owners.

Run the patch report from the MSP or Intune / WSUS console. Dispatch workstations are 24/7 production — coordinate reboot windows with the night dispatch lead so patches actually land instead of getting indefinitely deferred.

Driver tablets running the ELD app, shop laptops connected to diagnostic tools, and yard kiosks are frequently overlooked. Verify EDR agent install and last-checkin date across the inventory; rogue installs of free APKs on driver tablets are a common malware vector.