How to Protect Your Fleet from Phishers Posing as the FMCSA
July 30, 2024
By Nancy Ross-Anderson
The Federal Motor Carrier Safety Administration (FMCSA) has issued a warning about a sophisticated phishing scam targeting motor carriers. Fraudulent emails posing as official communications from the FMCSA are being sent to registered entities with the intent of extracting sensitive information.
These emails are designed to appear legitimate, complete with the FMCSA logo and formatting that closely mimics genuine correspondence. However, the content and information requested are clear red flags for those in the know.
Example of phishing email
Scam details
The phishing emails in question ask carriers to complete an attached registration form. This form goes beyond the usual requests, asking for personal details such as the carrier’s social security number, USDOT personal identification number and RMIS ID. In some cases, carriers are even asked to upload copies of their certificate of insurance and driver’s license, under the ironic pretense of “fraud protection.”
Do not complete this form!
Recognizing the red flags
The FMCSA has emphasized that it would never request such sensitive information via email forms. Official communications from the FMCSA concerning information requests will either direct you to log in to your portal account or will come directly from an FMCSA-dedicated mailbox. Moreover, any legitimate email from the FMCSA will come from an official FMCSA email address and not from the dubious addresses currently being used for these fraudulent requests: safety@fmcsa.gov or filing@fmcsa.gov.
Also, use the official FMCSA website for biennial updates. Transportation companies must update their information every two years, based on the last digit of their DOT number. If you make any changes to your fleet size, whether it grows or shrinks, update your MCS-150 on the FMCSA website. Only download and fill out forms from the official .gov website. Failure to do so will impact your CSA scores and make you non-compliant.
It’s crucial to remain vigilant and verify any suspicious email that appears to come from the FMCSA or another agency. If you receive an email demanding personal details or threatening to cancel your USDOT number within 24 hours if you don’t comply, it’s a scam. The FMCSA and other U.S. agencies do not operate in this manner.
5 tips to protect yourself from phishing scams
Here are five best practices to protect yourself and your business from falling victim to a phishing scam:
- Verify the email source. Always check the sender’s true email address by hovering your cursor over it to reveal the full address. This practice will help you identify the email source and determine if it’s legitimate.
- Avoid clicking on suspicious links or downloading attachments. Likewise, if an email contains links, hover over them to see where they lead before clicking. If the URL looks suspicious, do NOT click it.
- Beware of urgency. Phishing emails often create a sense of urgency to prompt immediate action. Be cautious of any email that threatens drastic action if you do not respond within a short timeframe.
- Do not share personal information by email. Never provide personal or sensitive information via unsecured email communications. Remember, official agencies like the FMCSA will never request account numbers, passwords, Social Security numbers, USDOT PIN, credit card details, copies of invoices or other personal information via email forms or an unsolicited text, phone call or fax. If you receive such a request, it’s a scam.
- Report suspicious emails. If you receive a suspicious email, immediately report it to the FMCSA or your IT department. This helps prevent others from falling victim to the same scam.
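For an IT department that receives a reported message, the checks in the tips above can be run against the raw email rather than the rendered view. The script below is an added example, not code from the FMCSA or from this article; it assumes the receiving mail server stamps an Authentication-Results header, and the example.net and example.com domains and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Items the article says the FMCSA never requests through an email form.
SENSITIVE = re.compile(r"social security|usdot pin|rmis id|"
                       r"certificate of insurance|driver.?s license")
URGENCY = re.compile(r"within \d+ hours|cancel")

def domain(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the red flags found in one raw email message."""
    msg = message_from_string(raw)
    flags, from_dom = [], domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        d = domain(msg[hdr])
        if d and d != from_dom:
            flags.append(f"{hdr} domain {d} != From domain {from_dom}")
    # Authentication-Results is stamped by the receiving mail server.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.append(f"{check}={m.group(1)}")
    # Scan the subject and every plain-text part for the article's red flags.
    parts = [p.get_payload(decode=True) for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    body = b" ".join(p for p in parts if p).decode(errors="replace")
    text = " ".join(f"{msg['Subject'] or ''} {body}".lower().split())
    if URGENCY.search(text):
        flags.append("urgent deadline or cancellation threat")
    asked = sorted({m.group(0) for m in SENSITIVE.finditer(text)})
    if asked:
        flags.append("asks for: " + ", ".join(asked))
    return flags

# Constructed sample: the From address looks official, the rest does not.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=softfail; dkim=none; dmarc=fail
From: "FMCSA Safety" <safety@fmcsa.gov>
Reply-To: forms@example.net
Subject: USDOT number will be cancelled within 24 hours

Complete the attached form with your Social Security number, USDOT PIN
and RMIS ID, and upload your certificate of insurance.
"""
```

Calling `triage(SAMPLE)` returns seven flags even though the visible sender address looks official, which is why the headers are worth checking in addition to hovering over the address.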
Why now? New login requirements from the FMCSA site create confusion
In response to a presidential mandate for multi-factor authentication, the FMCSA began transitioning to Login.gov in 2024 to enhance online safety and security. This transition requires all users with credentials for any FMCSA system to use a Login.gov account to access FMCSA systems instead of using their DOT PIN.
As of January 1, www.login.gov is the sole method for accessing the FMCSA portal and the Unified Registration System; however, during this period of transition, the phishing scam is taking advantage of carriers who might be confused by the new system.
To log in, you must now use the federal portal via Login.gov. The FMCSA PIN is no longer valid for accessing the system. Make sure to request a new login from Login.gov, select who will be responsible for the login, and ensure you complete the verification process by hitting the “GO” button or the “SMS” button, depending on the system you are accessing.