Anatomy of a fraudulent carrier email.
Most freight fraud does not arrive with a ransom note. It arrives as a perfectly normal-looking email quote on a load you just posted — same format as the other 39, maybe a little aggressive on the rate, maybe a little too fast to confirm. Three days later a shipper is calling asking where their load is, the MC on the rate confirmation is not answering, and someone else entirely is driving the truck.
This post is a field guide to the seven red flags that separate a legitimate carrier quote from a scam — pulled from actual flagged emails in the Keelway dataset. Every signal below is something a broker can check manually in under two minutes, or an inbox-triage tool can check automatically on every reply. None of them are silver bullets. All of them together are a meaningfully better filter than any one individually.
The seven red flags, in order of reliability
1. Email domain does not match the carrier's FMCSA-registered contact
This is the single highest-signal check in the set. When a carrier registers with FMCSA, they list a contact email — and for established carriers, that email is almost always at their own domain (bigmidwestcarrier.com, not gmail.com). Fraudsters spoofing a real carrier's MC almost never have access to that carrier's email domain. They send from gmail.com, outlook.com, or a lookalike (bigmidwest-carrier.com with a hyphen, or bigmidwestcarrierllc.com).
How to check: pull the carrier record from FMCSA's QCMobile API (or by MC number on SAFER company snapshot). Compare the registered contact email's domain to the sender's domain. Any mismatch on an established carrier is a strong flag — not an auto-reject, but a stop sign that requires verification before replying.
2. MC / DOT number drift or inactive authority
The MC number in the email signature does not match the MC in the attached insurance certificate. Or the authority is currently listed as inactive / out-of-service on FMCSA. Or the authority was granted 45 days ago (a brand-new MC spinning up just in time for fraud season). Each of these is a meaningful signal on its own.
Established carriers have consistent MC / DOT numbers across all their documents. Fraudsters often stitch together identities from multiple real carriers — one carrier's MC, another carrier's insurance certificate, a third carrier's domain — and the inconsistencies show up when you check three sources against each other.
3. Insurance certificate names a different entity than the MC record
The insurance certificate attached to the email lists one company name. The FMCSA record for the MC in the email signature lists a different company name. Usually not a catastrophic mismatch — could be a DBA, could be an ownership change — but if the carrier can't immediately explain the difference, that's a flag.
Real carriers know their own ownership history. If the answer to "why does your insurance list a different entity?" is "uh, let me get back to you," the call is probably over.
4. "All-in" rate quoted without equipment specifics
Legitimate carriers tell you their equipment — trailer type, dimensions if oversized, reefer temperature range, tanker specifics. Fraudsters quoting a stolen MC often quote aggressively on rate while sidestepping the equipment details, because they have not actually inspected any truck. The quote reads like: "$3,450 all in, can pick up tomorrow AM." No trailer type. No driver name. No comment on the commodity.
This one is a soft signal — plenty of legitimate carriers also skip details when the load is obvious. But combined with a domain mismatch or MC drift, it compounds the suspicion.
5. Dispatcher quoting on behalf of a carrier they don't represent
The email is from a dispatching company (common — lots of legitimate carriers use outside dispatchers) but the MC on the rate confirmation is not a carrier that dispatching company has ever represented. Check by searching the dispatcher's historical load bookings if you have that data, or simply by asking which carriers they run.
Fraudsters love to front-run with dispatcher identities because it adds a layer of apparent professionalism. Real dispatchers have a narrow carrier roster. A dispatcher quoting for five different MCs you have never seen them represent is not an organically broad book — it is a red flag.
6. Rate confirmation request includes unusual payment terms
Legitimate carriers want to get paid on your brokerage's standard terms — usually quickpay or net-30 via your standard payment rail. Fraudsters try to introduce friction that disguises the theft: insist on ACH to a new account, request factoring changes mid-load, push for same-day wire. Any request for an off-standard payment arrangement before the load has even been picked up is a flag.
7. Writing style or formatting is inconsistent with historical emails from that MC
If you have worked with an MC before, you have historical emails from their dispatchers. The language, signature, time zones, and typical quoting format are all consistent across months. A fraudulent email using a stolen MC will show up as a signature-style break — different sign-off, different signature block, different quoting format. Your eye catches it even if you can't articulate why.
Inbox-triage AI picks this up by comparing the sender's email patterns against the historical thread for that MC. A sharp dissimilarity score on a carrier you have worked with before is a flag.
What none of these catch: the inside job
Every red flag above is about catching a fraudulent email at the quote stage — before you book. The harder fraud case is the carrier who is fully legitimate at the email stage and then re-brokers the load after you accept. They pass every check above. They have their own domain, current authority, matching insurance, consistent format.
That case is not caught by email triage. It is caught by post-booking monitoring: pickup verification against the expected driver and truck, GPS integration for in-transit visibility, and check-call discipline. AI helps, but the whole stack has to be in place. Brokerages that have been burned by double-brokering once usually add post-booking monitoring as the next layer of defense.
Reporting suspected fraud
If you catch a fraud attempt at the email stage, do not just delete the thread. Report to:
- FMCSA National Consumer Complaint Database — official federal channel.
- TIA FreightValidate or Highway (for carrier-community notification) — if the fraud uses a stolen MC from a legitimate carrier, that carrier wants to know.
- Local law enforcement — if actual theft occurred.
How Keelway handles this automatically
Every inbound carrier reply in the Keelway pipeline is run through checks 1, 2, 3, 5, and 7 automatically on the server before it ever gets ranked. Quotes flagged on multiple signals surface with a fraud-adjacent badge on the ranked list. The goal is not to auto-reject — a one-off flag is often a false positive — but to make sure the broker sees the flag before they accept. A five-second check at book time is worth a three-day nightmare after the fact.
For the full spec, see Carrier Email Automation and the product-integration pages for Tai, McLeod, and Aljex.
Frequently asked questions
What is double brokering in freight?+
Double brokering is when a carrier accepts a load from a broker and then re-brokers it — often illegally, without disclosure — to a different carrier who actually hauls it. The original broker thinks Carrier A is on the load; Carrier B is actually driving it. When something goes wrong (late delivery, damage, theft), liability gets murky and the broker is often left holding the bag. Federal law requires written consent for re-brokering; most double-brokering incidents do not have that consent.
How common is carrier email fraud in 2026?+
Highway's Q3 2025 Freight Fraud Index flagged a meaningful increase in direct freight theft with fraudsters shifting tactics toward identity-based approaches — stolen MC numbers, spoofed emails from registered carrier domains, dispatchers fronting for carriers they don't represent. In our carrier-reply dataset at Keelway, roughly 3–7% of inbound quotes have at least one fraud-adjacent red flag post-tuning. Actual fraud attempts in email form are rarer but meaningful.
What's the difference between a double-broker and a scam carrier?+
A scam carrier is misrepresenting who they are — fake MC, stolen authority, spoofed domain. A double-broker is (usually) a real carrier with real authority, but they're trying to re-broker a load they accepted. Both are problems; both get caught by different checks. Scam carriers fail identity verification. Double-brokers pass identity verification but fail the post-booking check (the carrier on the load doesn't match the driver showing up for pickup).
Can AI reliably catch fraudulent carrier emails?+
AI can catch most of the email-stage signals reliably — domain mismatches, MC authority drift, insurance-on-file inconsistencies, FMCSA-registered-contact mismatches. What AI cannot do alone is catch an inside job where the carrier is fully legitimate on paper but is preparing to re-broker the load after acceptance. That requires post-booking monitoring (check-calls, pickup verification, GPS integration). A layered defense works; AI alone does not.
Should brokers report suspected fraud?+
Yes. Suspected carrier identity fraud should be reported to FMCSA's National Consumer Complaint Database and, for organized schemes, to TIA's FreightValidate or Highway for carrier-community notification. If actual theft has occurred, it's a police matter. Keeping quiet about a near-miss helps the fraudster move on to the next brokerage.
What's the single highest-leverage thing a small broker can do to prevent carrier fraud?+
Verify email domain against the carrier's FMCSA-registered contact before replying to a quote. That one check catches the majority of stolen-MC and identity-spoof attempts because fraudsters rarely have access to the real carrier's email domain — they use gmail.com, outlook.com, or a lookalike domain. Inbox-triage tools like Keelway run this check on every reply automatically; doing it manually takes about 90 seconds per carrier.