Cargo theft is entering a new phase, and according to industry specialists, the most dangerous shift is happening inside legitimate trucking operations rather than at the perimeter.
Scott Cornell, Chief Risk Officer at SPG Cargo & Logistics, has handled enough cargo theft investigations to recognise a pattern: the most sophisticated schemes rarely appear as clear-cut crimes at first. They usually begin as small inconsistencies that almost look like routine operational errors.
Speaking on the Fraud Watch podcast, Cornell discussed what the industry is now calling the “Trojan Driver” scam — a method that, at first, did not look like a coordinated threat at all.
A case that didn’t initially make sense
The first incident Cornell reviewed appeared ordinary. On the surface, it resembled a standard cargo theft case. But certain details didn’t align: the truck was found parked in a location the driver could not properly explain, the stop did not match the planned route, and basic identification details were inconsistent. Communication with the driver also became increasingly difficult.
Individually, none of these signs confirmed wrongdoing. But together, they formed a pattern that suggested something more organised.
At the time, it still looked like an isolated case. That changed when Cornell began discussing similar incidents with other industry professionals. What started in small conversations eventually became a broader exchange at industry level.
Within days, more companies began reporting the same type of irregularities — across different freight, different carriers, and different routes. That was the turning point. What initially looked like coincidence started to resemble a coordinated method.
From insider access to insider control
The concept behind the Trojan Driver is not entirely new. Cargo theft groups have long attempted to infiltrate logistics networks by placing insiders in warehouses, brokerages, and distribution centres to gain access to shipment data.
What has changed is the role of the insider itself.
In traditional schemes, insiders typically provided information while external actors carried out the theft. Intelligence and execution were separated, creating operational risk for the criminal network.
The Trojan Driver model removes that separation completely. The insider is no longer just gathering information; they are the driver controlling the freight itself, including timing, routing, and delivery decisions.
Cornell believes this evolution is partly a response to improved security practices across the industry. As carrier vetting, onboarding procedures, and fraud detection systems have become more sophisticated, theft groups have lost easier entry points such as fake carriers and identity manipulation. As a result, they have shifted toward targeting legitimate hiring processes within trucking companies.
A slow-moving but deliberate threat
Despite its seriousness, Cornell does not expect the Trojan Driver model to become the dominant form of cargo theft overnight.
Unlike phishing or identity fraud schemes, this approach takes time to develop. Drivers must be hired, build trust within an organisation, and wait for the right load assignment. That waiting period, he notes, is actually part of what makes the scheme harder to detect.
He describes it as an opportunity-based tactic. Rather than relying exclusively on it, organised groups keep it available in their toolbox, deploying it when conditions are favourable while continuing to use other theft methods in parallel. This diversified strategy also reduces the likelihood of rapid industry-wide detection.
Cornell draws a comparison with the early days of phishing attacks in cybersecurity — initially easy to identify and limited in scale, but over time evolving into one of the most widespread forms of cybercrime. He suggests cargo theft may be at a similar early stage of evolution.
A structural gap in the supply chain
The broader challenge, according to Cornell, lies in how responsibility is distributed across the logistics ecosystem.
From a broker’s perspective, due diligence typically focuses on the carrier as a company. If the carrier passes verification checks, there is often no practical mechanism to identify a compromised driver within that organisation in real time. The vulnerability exists inside the carrier’s internal hiring and screening processes.
This creates a structural blind spot. Shippers, brokers, and carriers each operate within clearly defined responsibilities, a model that works well when threats are external and easily identifiable. However, it becomes significantly less effective when the risk originates inside legitimate operations.
Cornell compares the situation to the evolution of safety standards in trucking, where meaningful progress only occurred when the industry adopted shared responsibility frameworks, common standards, and collective accountability.
He suggests cargo theft prevention may require the same shift.
What happens next
The Trojan Driver scam is unlikely to be the final evolution of cargo theft. Organised criminal groups continuously test new approaches, refine successful tactics, and discard those that fail. Once a method proves effective, it tends to spread quickly.
The underlying question, Cornell argues, is not whether cargo theft will continue to evolve — it always has — but whether the industry can adapt quickly enough to stay ahead of it.
Scott Cornell is Chief Risk Officer at SPG Cargo & Logistics. This analysis is based on his appearance on the Fraud Watch podcast.


















