Stay up to date with the latest industry insights
Sign up for blog updates
By Nancy Ross-Anderson
The Federal Motor Carrier Safety Administration (FMCSA) has issued a warning about a sophisticated phishing scam targeting motor carriers. Fraudulent emails, posing as official communications from the FMCSA are being sent to registered entities with the intent of extracting sensitive information.
These emails are designed to appear legitimate, complete with the FMCSA logo and formatting that closely mimics genuine correspondence. However, the content and information requested are clear red flags for those in the know.
Example of phishing email
Scam details
The phishing emails in question ask carriers to complete an attached registration form. This form goes beyond the usual requests, asking for personal details such as the carrier’s social security number, USDOT personal identification number and RMIS ID. In some cases, carriers are even asked to upload copies of their certificate of insurance and driver’s license, under the ironic pretense of “fraud protection.”
Do not complete this form!
Recognizing the red flags
The FMCSA has emphasized they would never request such sensitive information via email forms. Official communications from the FMCSA concerning information requests will either direct you to log in to your portal account or will come directly from an FMCSA-dedicated mailbox. Moreover, any legitimate email from the FMCSA will come from an official FMCSA email address and not from the dubious addresses currently being used for these fraudulent requests: safety@fmcsa.gov or filing@fmcsa.gov.
Also, use the official FMCSA website for biennial updates. Transportation companies must update their information every two years, based on the last digit of their DOT number. If you make any changes to your fleet size, whether it grows or shrinks, update your MCS-150 on the FMCSA website. Only download and fill out forms from the official .gov website. Failure to do so will impact your CSA scores and make you non-compliant.
It’s crucial to remain vigilant and verify any suspicious email seemingly from the FMCSA or other agency. If you receive an email demanding personal details or threatening to cancel your USDOT number within 24 hours if you don’t comply, it’s a scam. The FMCSA and other U.S. agencies do not operate in this manner.
5 tips to protect yourself from phishing scams
Here are five best practices to protect yourself and your business from falling victim to a phishing scam:
In response to a presidential mandate for multi-factor authentication, the FMCSA began transitioning to Login.gov in 2024 to enhance online safety and security. This transition requires all users with credentials for any FMCSA system to use a Login.gov account to access FMCSA systems instead of using their DOT PIN.
As of January 1, www.login.gov is the sole method for accessing the FMCSA portal and the Unified Registration System; however, during this period of transition, the phishing scam is taking advantage of carriers who might be confused by the new system.
To log in, you must now use the federal portal via Login.gov. The FMCSA PIN is no longer valid for accessing the system. Make sure to request a new login from Login.gov, select who will be responsible for the login, and ensure you complete the verification process by hitting the “GO” button or the “SMS” button, depending on the system you are accessing.
ASK A LOSS CONTROL REPRESENTATIVE
Have a question on how to mitigate risk? Email losscontroldirect@iatinsurance.com for a chance to see your question answered in a future blog.