How this comes up in practice

A payment instruction arrives from a party the carrier has worked with for two years. The email is addressed correctly, the sender's name is familiar, and the message asks for updated remittance details before the next payment cycle. The carrier's dispatcher enters the new banking information. Three weeks later, the broker's accounting department calls asking why four invoices went unpaid. The sending domain on the original email was one character different from the broker's actual domain — a hyphen inserted in a compound name — but the display name showed the broker's full company name as expected. The dispatcher had never compared the domain character by character against a previously confirmed source, because the email had always looked right before. A domain lookalike doesn't require any error on the recipient's part — it requires only that they read the display name rather than the underlying address. The check: comparing the full sending address against a saved email from a confirmed prior source takes under ten seconds and catches this substitution before any account information is updated.

Why domain lookalikes succeed within normal transaction patterns

A domain lookalike doesn't require the recipient to do anything unusual. It arrives in the context of a normal transaction, at a normal time, from a sender whose display name matches the expected broker or carrier. The only difference is one or two characters in the actual domain — which most people don't read when they're processing high volumes of email across an active day. For adjacent verification steps, compare this with Email Spoofing in Load Boards, Broker Email and Domain Red Flags, and Fake Load Posting Checklist.

The registration of a lookalike domain costs a few dollars and requires no technical skill. A fraudster can use publicly available information about the legitimate company — its name, its freight lanes, its typical communication format — to create a message that blends into normal transaction traffic. The email looks professional because it's built from professional source material.

The checklist habit this guide builds is specifically the domain-level comparison: checking the full sending address, character by character, against the company's known domain from a previously confirmed source. This takes under ten seconds, catches most substitution variants, and doesn't require any tools beyond reading the sender field. The cases where it matters are the cases where nothing else in the email would have flagged the problem.

Key Takeaways

  • Treat the load board post as a lead, not as verification.
  • Confirm the broker or carrier identity through official and independently known records.
  • Review the email domain, rate, pickup timing, and packet request before sending documents.
  • Save screenshots of the posting and all messages before details disappear or change.

Checking domains for lookalike substitutions before acting on a message

Domain lookalikes are the entry point for a significant share of freight email fraud. The attack requires no technical skill beyond registering a plausible domain. It works because transaction volume is high and a slightly wrong domain isn't obvious to someone processing multiple load confirmations in a busy day.

The most effective check is also the simplest: compare the sending domain character by character against the broker or carrier domain you confirmed through an independent source before this transaction. This takes a few seconds and catches most lookalike variations before any documents, pickup details, or payment instructions are exchanged.

Checking domains for lookalike substitutions before acting on a message checklist

  • Whether the sending domain matches the domain on file from an independently confirmed source
  • Whether any hyphen, dot, number substitution, or transposed letters are present that weren't there before
  • Whether the top-level domain changed — .com to .net, .com to .co, or .com to a country-code variant
  • Whether a web search for the domain returns the expected company or a newly created lookalike page
  • Whether suspicious emails have been preserved in full, with headers, for potential IC3 reporting

Records to check when a domain substitution is possible

Use the same identifiers across every record. Small differences can be clerical, but they should be resolved before pickup, dispatch, or payment.

If a detail is missing, ask for the missing record rather than filling the gap from memory, an old packet, or a search result.

Records to check when a domain substitution is possible checklist

  • Treat the load board post as a lead, not as verification.
  • Confirm the broker or carrier identity through official and independently known records.
  • Review the email domain, rate, pickup timing, and packet request before sending documents.
  • Save screenshots of the posting and all messages before details disappear or change.

What to save from a suspected lookalike domain email

Save records in their original format when possible. Use one folder named with the load number, lane, date, and parties involved.

If a dispute, identity concern, or theft concern appears later, the timeline is easier to reconstruct when emails, PDFs, screenshots, call notes, and lookup results are grouped together.

What to save from a suspected lookalike domain email checklist

  • Original rate confirmation and every revised version.
  • Broker or carrier packet documents, including W-9, insurance, authority, and agreement records.
  • BOL, POD, seal records, pickup number, delivery confirmation, accessorial approvals, and invoices.
  • Screenshots or saved PDFs of official lookup results with the date checked.
  • Messages showing who requested, approved, or disputed a change.

Questions that identify a substitution before a reply or document goes out

Questions should be specific and tied to records. That keeps the conversation professional and avoids unsupported accusations.

If an answer changes the transaction, document the person, date, time, and channel used to confirm it.

Questions that identify a substitution before a reply or document goes out checklist

  • Which legal entity is tendering, carrying, paying, or receiving the freight?
  • Which official record supports the MC number, USDOT number, authority, insurance, bond, or trust detail?
  • Who is authorized to approve pickup, rerouting, revised documents, or changed payment instructions?
  • What document proves the current instruction, and who should receive a copy?

What a professional message format and matching content don't confirm

One detail checking out is not the same as authorization confirmed. A correct number, a recognized company name, or a well-formatted document can each appear in a transaction where the communicating party has no connection to the registered entity.

A warning sign is a reason to document and verify, not a finding. Record what prompted the concern and what check it led to — that record determines whether the situation can be addressed if it escalates.

What a professional message format and matching content don't confirm checklist

  • Do not assume a public lookup proves the sender is authorized.
  • Do not assume a document is current because it appears complete.
  • Do not assume a red flag proves wrongdoing by itself.
  • Do not assume a missing detail can wait until after pickup or payment.

When a domain mismatch requires pausing before any response is sent

When the file still has gaps, slow the transaction enough to preserve the record and move the question to the right channel.

That may mean a direct call-back, a shipper or receiver confirmation, an internal escalation, an insurer or claims contact, or an official complaint or reporting resource where appropriate.

When a domain mismatch requires pausing before any response is sent checklist

  • Record the unresolved mismatch in plain language.
  • Save the official lookup result with the access date.
  • Keep the original communication that created the concern.
  • Use official reporting channels for eligible complaints or cyber-enabled incidents.

Source Notes

Source use for Domain Lookalike Checklist

These sources are used as verification and documentation references. They should be checked directly for current status, and they do not certify any private party, document, load, or payment instruction.

FAQ

What should I do after spotting a suspicious domain?

Screenshot the full email including the sender address bar and save it in full format with headers. Do not click any links. If a payment was already made or credentials entered, contact your bank and IT security immediately. Report to IC3 if payment redirection was involved.

What should I do immediately if I've already clicked a link in a suspicious freight email?

If the link led to a login page and you entered credentials, reset those credentials on the legitimate platform immediately and contact your IT or security team. If it was a document download, treat the device as potentially compromised and follow your organization's incident response process. Report to IC3 if payment information or freight documents were involved.

How do I find a broker's legitimate domain if I've never confirmed it before?

Check the broker's SAFER record for a company website. Then search the company name directly in a browser and compare the URL in the address bar — not a search result snippet — against what appears in the email. A search result can be manipulated; the SAFER record and the actual website URL are the more reliable sources.

Source References

  • Fraud Alerts Federal Motor Carrier Safety Administration. primary source. Last checked 2026-06-04. FMCSA alert page for phishing attempts, spoofed portals, fake notices, SAFER impersonation, and registration-related scams.
  • Internet Crime Complaint Center Federal Bureau of Investigation. primary source. Last checked 2026-05-15. Official IC3 entry point. Use the official domain directly to reduce spoofed reporting-site risk.