You Paid the Invoice. The Carrier Never Got the Money. How Payment Fraud Hits Freight Brokers.

A brokerage in Dallas paid a $34,000 carrier invoice on a Tuesday. The carrier called the following Monday asking where their payment was. The brokerage pulled the transaction record: the ACH transfer had cleared, funds delivered to the account on file. The problem was that the account on file had been changed two weeks earlier by an email that appeared to come from the carrier's accounting department requesting updated banking information. The email matched the carrier's domain letter for letter except for one character. The brokerage's AP team processed the change, paid the next three invoices to the fraudulent account, and didn't discover the problem until the real carrier called about $97,000 in missing payments. The money was gone. The bank couldn't reverse it. The brokerage paid the carrier again out of pocket.

That's payment fraud in freight, and it is now the highest-dollar fraud category affecting brokerages. Unlike cargo theft, where the loss is the value of one load, payment fraud compounds silently across multiple invoices before anyone notices. Unlike double brokering, which creates operational chaos that surfaces quickly, payment redirect fraud produces clean transactions that look normal in every system until the real carrier picks up the phone.

Payment fraud in freight works because the industry's payment infrastructure relies on email-based communication, manual bank account updates, and a multi-day ACH clearing window that makes recovery nearly impossible once funds transfer. The three primary attack types target different points in the payment chain, but they all exploit the same structural weakness: brokerages verify carrier identity at booking but rarely re-verify identity at payment. This post breaks down how each attack works, why recovery rates are close to zero, and the specific verification protocol that prevents each one.

How ACH Redirect Fraud Works in Freight

ACH redirect fraud is the most damaging payment fraud type in the freight industry, with average losses exceeding $80,000 per incident because the scam compounds across multiple payment cycles before detection.

The attack has five stages, and every one of them looks like routine business:

1. Identify the target. The scammer identifies a broker-carrier relationship with regular, recurring loads. They need a relationship where invoices flow predictably, not a one-off spot market transaction. Carriers hauling weekly or bi-weekly dedicated lanes are the primary targets.
2. Compromise or spoof the carrier's email. The scammer either gains access to the carrier's actual email account (through a separate phishing attack on the carrier) or creates a lookalike domain. Lookalike domains swap a single character: "rediinelogistics.com" instead of "redlinelogistics.com," or "jb-hunt.com" instead of "jbhunt.com." Some attackers register domains that replace the letter "l" with the number "1" or swap "rn" for "m."
3. Send the bank update request. An email arrives at the broker's AP department requesting updated ACH information. It uses the carrier's letterhead, references the carrier's MC number, and often includes a voided check image (fabricated) for the new account. The email may reference a real event: "We've switched banks as part of our merger" or "Our accounting team has moved to a new system."
4. Wait for payment. The scammer does nothing after the bank change is processed. They don't send fake invoices. They don't contact the broker. They wait for the broker's normal payment cycle to send real payments to the fraudulent account. This is what makes ACH redirect different from other scams: the invoices are real, the amounts are correct, and the transactions process cleanly.
5. Drain the account. Funds are withdrawn within 24-48 hours of each deposit, typically via wire transfer to an overseas account or conversion to cryptocurrency. By the time the real carrier calls about missing payment (usually 15-30 days after the first redirected payment), the money has been moved through multiple accounts and is functionally unrecoverable.

Why Recovery Is Nearly Impossible

The ACH (Automated Clearing House) system was designed for efficiency, not fraud recovery. Once an ACH transfer settles (typically 2-3 business days), the sending bank has extremely limited ability to reverse it. This is different from wire transfers, which have a narrow reversal window, and fundamentally different from credit card transactions, which have chargeback protections.

When a broker discovers the fraud and contacts their bank, the bank contacts the receiving bank, which contacts the account holder. If the funds are still in the account, recovery is possible. If the funds have been withdrawn (they almost always have been), the bank issues a report and the broker's recourse shifts to law enforcement and civil litigation, both of which have low recovery rates and high time costs.

The 15-30 day detection gap is the killer. Most brokerages pay on Net 30 terms. A bank account change processed on day 1 means the first fraudulent payment goes out around day 30, the carrier notices around day 45-60, and the broker investigates and confirms fraud around day 50-65. By then, three or four payment cycles may have been redirected.

How Factoring Company Interception Works

Factoring company interception fraud targets the payment relationship between brokers, carriers, and third-party factoring companies by inserting a fake intermediary into the payment flow.

Freight factoring is a common practice where a carrier sells its receivables to a factoring company at a discount in exchange for immediate payment. Factoring companies are financial intermediaries that purchase carrier invoices at 95-98% of face value and collect the full amount from the broker. When a carrier uses a factoring company, the broker pays the factoring company directly instead of the carrier.

The scam works like this:

1. Identify a carrier who doesn't currently use factoring (or whose factoring relationship the scammer can impersonate).
2. Send the broker a Notice of Assignment (NOA). A Notice of Assignment is a legal document that instructs a debtor (the broker) to redirect payments to a third party (the factoring company). NOAs are standard documents in freight finance. Brokers receive them regularly and are legally required to honor them.
3. Provide banking details for the fraudulent "factoring company." The NOA includes ACH routing and account numbers for an account the scammer controls.
4. Collect payments until the carrier or a legitimate factoring company raises the alarm.

This attack is effective because NOAs are a normal part of freight finance operations. A broker who receives an NOA doesn't think "fraud." They think "this carrier started using a factor." The document format is standard, the legal language is boilerplate, and AP departments process them routinely. Use CarrierBrief's carrier search to check whether the carrier has a history of using factoring or has recently changed their payment arrangements, and compare the factoring company name against known industry factors.

How to Verify an NOA Is Legitimate

1. Call the carrier directly at their FMCSA-registered phone number (not any number provided on the NOA) and confirm they have engaged a factoring company.
2. Verify the factoring company exists as a registered business entity in the state listed on the NOA.
3. Request the factoring company's EIN and verify it against IRS records or a business verification service.
4. Confirm the factoring company has a physical address, a working phone number, and a website with a history (not registered last month).
5. Never process an NOA received only by email. Require original signed documents or verify through a phone call to the carrier.

Why Double-Identity Billing Targets Brokerages After Double-Brokered Loads

Double-identity billing is a payment fraud that exploits the confusion created by double brokering. After a load is double-brokered, the scammer who double-brokered it submits an invoice to the original broker using the identity of the carrier they impersonated, even though a different carrier actually hauled the load.

Here's the scenario: a scammer accepts a load from Broker A using Carrier X's identity. The scammer then re-brokers the load to Carrier Y, who actually hauls it. After delivery, the scammer invoices Broker A as Carrier X for the full rate. Broker A pays "Carrier X" (actually the scammer's account). Meanwhile, Carrier Y invoices the scammer for the rate they agreed to. The scammer either pays Carrier Y a lower rate and pockets the spread, or doesn't pay Carrier Y at all.

The broker ends up paying twice if Carrier Y comes to them directly demanding payment for a load they actually hauled. This is where many brokerages discover they were double-brokered in the first place: when the actual carrier contacts them looking for money.

The defense is documentation discipline at the point of delivery:

1. Require the driver to provide their CDL and the truck's DOT number at pickup, recorded by the shipper.
2. Compare the driver name and truck DOT number against the carrier on the rate confirmation. If they don't match, flag the load immediately.
3. Match the delivering carrier's information against the carrier you booked. If the truck that picked up the load belongs to a different carrier than the one on your rate confirmation, you've been double-brokered and should not pay the invoice from the original "carrier."

Understanding how double brokering works and its 14 warning signs is directly relevant here because double-identity billing is the financial consequence of undetected double brokering.

The Payment Verification Protocol That Prevents All Three Attack Types

This protocol adds friction to the payment process, but the friction is measured in minutes and the losses it prevents are measured in tens of thousands of dollars. Every brokerage should implement these five controls.

Control 1: Bank Account Change Verification

1. Establish a policy that no banking information change is processed based on email alone. Period.
2. Require a phone call to the carrier's FMCSA-registered phone number to confirm any bank account change. The call must reach someone who confirms the change verbally.
3. Implement a 7-day hold on new banking information before any payment is sent to the new account. This hold gives time for the real carrier to notice if a fraudulent change request was submitted using their identity.
4. Require a W-9 with the new banking details. Compare the EIN on the W-9 against the carrier's existing records.

Control 2: First-Payment Verification for New Carriers

1. Verify the carrier's banking information matches their legal name and EIN before sending the first payment.
2. Send a small test payment ($1-$5) and confirm receipt with the carrier before processing the full invoice.
3. Record the carrier's bank account details during the initial onboarding call, not from a follow-up email. Initial phone-verified details are your baseline.

Control 3: NOA Authentication

1. Call the carrier to confirm every NOA before processing it. Use the FMCSA-registered number.
2. Verify the factoring company independently. Search for the company name, check registration, confirm physical presence.
3. Flag any NOA received within 30 days of a new carrier relationship. Scammers often submit fake NOAs early, before the broker and carrier have established a communication pattern.

Control 4: Invoice Matching

1. Match every invoice against the rate confirmation, BOL, and proof of delivery before payment.
2. Verify the invoice sender's email domain matches the carrier's known domain. Flag invoices from new or different email addresses.
3. Compare the invoice bank account against the account on file. If they differ, do not pay until the discrepancy is resolved through phone verification.

Control 5: AP Team Training

1. Train AP staff to recognize lookalike domains. Show them real examples: "rn" vs "m," "1" vs "l," extra or missing letters.
2. Establish a rule: any request to change payment details, from any carrier, triggers the phone verification step. No exceptions. No urgency overrides this.
3. Run quarterly simulated phishing tests on the AP team. The team that processes payments is the last line of defense, and they need to be sharp.

The Real Cost: Payment Fraud vs. Cargo Theft

Payment fraud in freight is financially worse than cargo theft for most brokerages, and the reason is structural.

Cargo theft is a one-time loss. One load disappears. The loss is the value of that load, typically $100,000-$300,000 for high-value commodities. Insurance may cover part of it. The broker discovers the loss within 24-72 hours because the consignee reports non-delivery. The loss is painful but bounded.

Payment fraud compounds. An ACH redirect that goes undetected for 45 days can siphon three to five payment cycles, turning a $30,000 single-load payment into a $90,000-$150,000 total loss. Insurance coverage for payment fraud is limited and often excluded from standard brokerage policies. The broker typically discovers the fraud only when the carrier calls about missing payment, which can take 30-60 days. And unlike cargo theft, the broker has to pay the carrier again for the loads that were legitimately hauled, effectively doubling the loss.

A brokerage that loses $100,000 to a cargo theft incident has lost $100,000. A brokerage that loses $100,000 to an ACH redirect has lost $200,000: $100,000 to the scammer plus $100,000 in re-payment to the carrier. The carrier hauled the freight and is legally entitled to payment regardless of what happened to the broker's first payment attempt.

What Your Cyber Insurance Probably Doesn't Cover

Most brokerage cyber insurance policies have exclusions or sublimits that significantly reduce coverage for payment fraud. The specific gaps vary by policy, but three are common across the industry.

Social engineering exclusion. Many cyber policies exclude losses resulting from social engineering attacks, which is exactly what ACH redirect fraud is. The policy covers hacking, malware, and data breaches but not "voluntary transfer of funds based on fraudulent instructions." If your AP team changed the bank account based on a spoofed email, the insurer may argue that was a voluntary action, not a cyber attack.

Funds transfer sublimit. Even policies that cover social engineering often cap it at $25,000-$100,000, well below the typical loss from a multi-payment ACH redirect. Check your policy's "funds transfer fraud" or "social engineering" sublimit. If it's $50,000 and your loss is $150,000, you're covering the difference.

Verification requirement. Some policies require that the insured follow specific payment verification procedures as a condition of coverage. If you didn't call back to verify the bank change and your policy requires callback verification, the claim may be denied.

Review your cyber insurance policy specifically for these three terms. If the coverage gaps are significant, either negotiate better terms or treat the payment verification protocol as your primary risk control rather than relying on insurance as a backstop.

FAQ

How do scammers redirect freight payments?

Scammers redirect freight payments by sending the broker's accounts payable department an email requesting updated bank account information. The email appears to come from the carrier's known email address or a lookalike domain that differs by one character. The AP team processes the change, and subsequent payments are sent to the scammer's bank account instead of the carrier's. The scammer withdraws the funds within 24-48 hours. The fraud goes undetected until the real carrier contacts the broker about missing payments, which typically takes 15-45 days.

How do I verify a carrier's bank account information?

Call the carrier at the phone number listed on their FMCSA registration and confirm their banking details verbally. Do not use a phone number provided in the same email that contains the banking information. Request a W-9 with the bank details and compare the EIN against the carrier's existing records. For any bank account change, implement a 7-day hold before sending payment to the new account, and send a small test payment that the carrier confirms receiving before processing full invoices.

Can a broker recover money from a fraudulent ACH transfer?

Recovery rates for fraudulent ACH transfers are under 10%. Once an ACH payment settles (2-3 business days) and the scammer withdraws the funds, the sending bank has very limited ability to reverse the transaction. Recovery depends on whether funds remain in the receiving account at the time the fraud is reported. Since scammers typically withdraw within 24-48 hours and the fraud isn't detected for 15-45 days, the money is almost always gone. File a report with your bank, the FBI's IC3, and local law enforcement, but plan for the funds to be unrecoverable.

What is a Notice of Assignment in freight?

A Notice of Assignment (NOA) is a legal document that instructs a broker to redirect carrier payments to a third-party factoring company. Factoring companies purchase carrier invoices at a discount and collect the full payment from the broker. NOAs are standard in freight finance, but scammers exploit them by sending fake NOAs that redirect payments to accounts they control. Always verify an NOA by calling the carrier at their FMCSA-registered number to confirm they've engaged the factoring company named in the document.

Why does payment fraud cost more than cargo theft?

Payment fraud costs more than cargo theft because it compounds across multiple payment cycles before detection and creates a double payment obligation. When an ACH redirect goes undetected for 30-60 days, three to five invoices may be paid to the fraudulent account. The broker then must re-pay the carrier for all loads that were legitimately hauled, because the carrier is legally entitled to payment regardless of where the broker's first payment went. A $30,000 single-load cargo theft costs $30,000. A $30,000 single-load payment redirect that runs for three payment cycles costs $180,000: $90,000 to the scammer plus $90,000 in re-payment to the carrier.

Does cyber insurance cover freight payment fraud?

Most standard brokerage cyber insurance policies do not fully cover payment fraud. Three common gaps exist: social engineering exclusions that exempt "voluntary transfer of funds based on fraudulent instructions," funds transfer sublimits that cap coverage at $25,000-$100,000 (below typical losses), and verification requirements that void coverage if the broker didn't follow a specified callback procedure before changing payment details. Review your policy for these specific terms before assuming you're covered. Many brokerages discover the gaps only after filing a claim.

How do I train my AP team to spot payment fraud?

Start with three specific training elements: teach staff to identify lookalike email domains by showing real examples of character substitution ("rn" vs "m," "1" vs "l"), establish an absolute rule that no banking information is changed based on email alone without phone verification to the FMCSA-registered number, and run quarterly simulated phishing tests that send fake bank-change requests to measure response. The AP team is the last line of defense against payment redirect fraud, and simulated tests are the only reliable way to measure whether training has actually changed behavior.

What should I do immediately if I discover a payment was redirected?

Contact your bank within the first hour. ACH reversals have a narrow window and every hour matters. Then take these steps in order: freeze all pending payments to the compromised account, notify the real carrier that their identity was used, file a report with the FBI's Internet Crime Complaint Center (IC3), file a report with your cyber insurance carrier (even if you're unsure about coverage), and audit every bank account change processed in the last 90 days to check for additional compromised accounts. Speed matters more in payment fraud than in any other freight fraud type because the recovery window closes within 48 hours of each payment.

The Bottom Line

The Dallas brokerage that lost $97,000 across three invoices had a carrier vetting process, an insurance verification step, and a signed rate confirmation for every load. None of that mattered because nobody called the carrier to confirm when an email asked them to change a bank account number. One phone call to the FMCSA-registered number. That's the control that separates a $97,000 loss from a $0 loss. Put it in writing, make it policy, and never let urgency or convenience override it.