Why your broker's inbox is now the weakest link in CBSA clearance

Key Takeaways

• Phishing attacks now target customs brokers and forwarders to intercept shipments, alter CAD filings, or steal CARM Client Portal credentials before cargo arrives.
• A fraudulent release prior to payment instruction can divert goods to a third-party warehouse and disappear before the importer knows the shipment cleared.
• CBSA does not request CARM login credentials by email; any message asking for portal access is a phishing attempt.
• Multi-factor authentication on CARM Client Portal accounts and locked communication protocols with your broker are no longer optional.

The heist that never touches the warehouse yard

Cargo theft used to mean bolt cutters and a missing trailer. Now it starts with an email that looks exactly like the one your freight forwarder sends every week, asking for a small change to the delivery address or consignee name on an inbound shipment.

Researchers recently watched a cargo theft actor work in real time for 30 days. What they documented should worry every broker, carrier, and importer in the business. The attacker didn’t break into a yard. They impersonated shippers, submitted fraudulent bids on legitimate loads, and redirected shipments using nothing more than spoofed email threads and patience.

Canadian customs brokers sit at the centre of that same vulnerability. We control CAD filings, release prior to payment instructions, CARM Client Portal access, and consignee details for thousands of shipments every month. If an attacker compromises our email or spoofs our domain, they can divert cargo, alter duty payment routing, or file fraudulent declarations before the importer knows the shipment has cleared.

Where the attack surface sits in CBSA clearance

Every commercial import into Canada moves through a small set of digital chokepoints. The CARM Client Portal replaced the old Customs Commercial System in October 2024, and every CAD (Commercial Accounting Declaration) filed since then carries the importer’s business number, the broker’s credentials, and the consignee’s delivery instructions in a single record.

If an attacker gains access to a broker’s CARM login, they can file or amend CADs, request release on existing RPP bonds, or change the notify party without triggering an obvious red flag. CBSA does not call to confirm minor amendments. If the HS classification, value, and origin look plausible, the system releases the goods.

We routinely see phishing emails impersonating CBSA verification requests, asking brokers to log in through a cloned portal page or reply with scanned invoices and packing lists. The CBSA website publishes official D-memoranda and notices, but attackers count on brokers moving fast during peak season and clicking first.

The second common vector is email thread hijacking. An attacker monitors a legitimate email chain between importer, broker, and carrier, then injects a single message with updated delivery instructions. The broker files the CAD with the new consignee address. The carrier delivers to that address. The goods disappear. By the time the importer calls to ask where the shipment is, someone else signed the proof of delivery three days earlier.

What a compromised CAD filing looks like

A fraudulent CAD doesn’t usually misstate the tariff classification or country of origin. Those errors trigger CBSA risk scores and delay release. Instead, the attacker changes the consignee name, the delivery address, or the notify party email. The shipment clears normally under the importer’s RPP bond, and the carrier delivers to the address on file.

If the fraudulent consignee operates out of a legitimate commercial location (a rented unit in a transload facility, a short-term lease in a bonded warehouse, or even a sufferance warehouse), the driver has no reason to question the delivery. The shipment is signed for, unloaded, and gone before the real importer notices.

We’ve handled cases where the only discrepancy was a single-digit typo in the consignee’s business number on the CAD. CBSA released the goods because the rest of the declaration matched the prior entry history. The carrier delivered to the address the broker provided. The importer discovered the fraud when the downstream customer called asking where their order was.

Locked communication protocols matter more than policy PDFs

Most importers have a cybersecurity policy. Fewer have a locked communication protocol with their customs broker. If your broker accepts shipment instructions, consignee changes, or CAD amendments by email without phone confirmation, you’re vulnerable.

We require voice confirmation for any change to consignee name, delivery address, or payment routing on an active CAD. It slows down clearance by 15 minutes. It has stopped three attempted diversions in the last six months.

Multi-factor authentication on CARM Client Portal accounts is not yet mandatory under CBSA policy as of May 2024, but enabling it is the simplest control you can implement. If your broker’s CARM login requires a second factor, an attacker who phishes the password still can’t file a CAD or request release.

The same discipline applies to freight forwarding and drayage handoffs. If your carrier receives updated delivery instructions from an email address you’ve never used before, they should call you. If your warehouse receives a last-minute consignee change on a PARS-released shipment, they should call the broker. One phone call is cheaper than filing a theft report and unwinding a fraudulent RPP claim.

What CBSA verification requests actually look like

CBSA does conduct post-release verifications under the Customs Act, and those requests can arrive by mail, through the CARM Client Portal message centre, or occasionally by email from a cbsa-asfc.gc.ca domain. What CBSA never does is ask for your CARM login credentials, request that you click a link to “verify your account,” or send unsolicited attachments asking you to confirm shipment details.

If you receive an email claiming to be a CBSA verification request and it includes a login link, a request for your business number and portal password, or an attachment with a filename like “CBSA_Verification_Form.exe,” delete it. Real CBSA verification letters reference specific CAD transaction numbers, include an officer’s name and phone extension, and request documentation by mail or secure portal upload.

When in doubt, call the CBSA Border Information Service at the number published on the official site, reference the transaction number in the email, and ask whether the verification request is legitimate. If the request is real, the officer will confirm it. If it’s phishing, you’ve saved yourself a compromised credential and a fraud report.

The fraud you can’t see in the CARM audit trail

One of the challenges with email-based attacks is that the CARM Client Portal audit log won’t show anything unusual. If the attacker uses stolen credentials or convinces the broker to file the CAD with fraudulent details, the portal records a normal filing by an authorized user. There’s no failed login attempt, no unusual IP address, no red flag.

The only signal is the downstream mismatch: the importer never received the goods, the carrier delivered to an address the importer doesn’t recognize, and the consignee on the proof of delivery doesn’t match the purchase order. By the time those dots connect, the shipment is long gone.

This is why customs compliance now includes communication security, not just tariff classification accuracy and CUSMA origin documentation. If your broker allows open-loop email instructions, if your carrier accepts consignee changes without confirmation, or if your warehouse releases goods based solely on a forwarded email, you’re one spoof away from a loss.

What you can lock down tomorrow

Enable multi-factor authentication on your CARM Client Portal account and require your broker to do the same. Most brokers already use MFA internally, but if yours doesn’t, make it a contract requirement.

Establish a change-control protocol for CAD amendments and consignee updates. Any email requesting a change to delivery address, notify party, or payment instructions requires voice confirmation using a previously verified phone number. No exceptions, even during peak season.

Review your RPP bond terms and ensure your customs broker maintains errors and omissions insurance that covers fraudulent release. If an attacker files a CAD using your broker’s credentials and your goods are released to the wrong party, the bond issuer may argue that the release was authorized under the broker’s login and deny the claim.

If you operate your own warehouse or use a third-party facility, brief your receiving staff on consignee verification. A last-minute change to the pickup contact, a consignee name that doesn’t match the advance ship notice, or a driver who can’t provide a reference number should all trigger a call to the broker before releasing the freight.

Finally, if your broker’s email is compromised or you suspect a fraudulent CAD has been filed, notify CBSA enforcement immediately and freeze all pending release instructions. The faster you flag the fraud, the better your chance of stopping delivery or recovering the goods before they leave the carrier’s custody.

If your current broker doesn’t have locked communication protocols or can’t explain how they secure CARM Client Portal access, that’s a gap worth closing. We run these controls on every file and can walk through what change management looks like for active CAD filings. Get in touch.

Frequently Asked Questions

How do phishing attacks target customs brokers in Canada?

Attackers impersonate shippers, carriers, or CBSA officials to request shipment diversions, CAD amendments, or CARM Client Portal credentials. Once inside the broker’s email or portal, they can redirect cargo, alter duty payment instructions, or file fraudulent release prior to payment claims.

What is a CAD and how could it be manipulated by attackers?

A CAD (Commercial Accounting Declaration) is the CARM-era replacement for the old B3 form, mandatory for all commercial imports into Canada since CARM Phase 2 Release 3 in October 2024. If an attacker gains access to your broker’s CARM Client Portal, they can file or amend CADs to misstate value, classification, or consignee, triggering release to a fraudulent party.

Does CBSA ever ask for my CARM login credentials by email?

No. CBSA never requests CARM Client Portal usernames, passwords, or security questions by email. Any message claiming to be from CBSA asking for login details is a phishing attempt. CBSA publishes official notices and D-memoranda only through cbsa-asfc.gc.ca.

Can a fraudulent release prior to payment divert my shipment?

Yes. If an attacker spoofs an importer’s email and sends new delivery instructions to the broker, the carrier may release cargo to a different warehouse before the legitimate importer notices. We’ve seen cases where goods cleared under valid RPP bonds but were picked up by third parties using forged consignee documents.

How can I verify a CBSA verification request is legitimate?

CBSA verification requests arrive by registered mail or through the CARM Client Portal message centre, never by generic email with attachments. Check the sender domain carefully (cbsa-asfc.gc.ca, not lookalikes), and contact your broker directly using known phone numbers before responding to any request for documents or payment.

What should I do if my broker’s email is compromised?

Immediately notify your broker and freeze all pending CAD filings and release instructions. Confirm every shipment’s consignee, delivery address, and payment routing by phone. If goods have already been released, contact CBSA enforcement and file a commercial theft report with local police to preserve your claim under your RPP bond.

Is multi-factor authentication required for CARM Client Portal?

CBSA strongly recommends MFA for all CARM Client Portal accounts but does not yet mandate it for importers or brokers as of May 2024. Given the rising volume of credential phishing, enabling MFA on your portal account and your broker’s account is the simplest defense against unauthorized CAD filings.

Source: The Loadstar