$3.36M gone. One typosquat domain.
An email from pearson.quest, impersonating Pearson Education, triggered two wire transfers from a rural Tennessee district. Only $742K was recovered. The suss. API scores this exact attack at 85% risk.
The display name said "Pearson Education." The actual domain was hiding behind it. Here is what a free pilot would have caught at the first email.
The attack.
Typosquat domain: pearson.quest
An attacker registered pearson.quest and sent emails with a legitimate-looking display name. The finance director saw "Pearson Education" in the From field. Not the fraudulent domain hiding behind it.
Two wire transfers totaling $3.36M
The finance director processed two separate wire transfers to the fraudulent account in April 2024. The scam was not discovered until after both payments cleared.
Only $742K recovered
Recovery efforts clawed back $742,000. $2.6 million in public school funds was permanently lost. For a rural Tennessee district, that is devastating to the 2024-2025 budget.
What suss. would have seen.
We ran a reconstructed version of this attack through the production API. Here's what fired.
- 01 Do not process this wire transfer.
- 02 Verify the banking change by calling Pearson at their official number, not from this email.
- 03 Compare the sender domain (pearson.quest) against the real vendor domain (pearson.com).
- 04 Forward to IT security and your district's fraud prevention team.
- 05 If payment was already sent, contact your bank immediately to initiate a wire recall.
The cost.
Why K-12 districts are sitting ducks.
Large vendor relationships
Curriculum providers like Pearson, McGraw-Hill, and Houghton Mifflin process multi-million dollar invoices. Staff trust the vendor names on sight.
Small finance teams
Rural districts often have one or two people handling all payments. There is no second pair of eyes on wire transfers.
Display name trust
Email clients show "Pearson Education" in the From field. The actual domain is hidden unless you click to expand it.
Public procurement records
Vendor contracts, payment amounts, and contact names are often available through public records requests, giving attackers a blueprint.
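The display-name check described above, as an added example (not suss.'s implementation and not code from this page): it parses a From header and flags a sender whose display name claims a known vendor while the domain is not one the district has verified. The `KNOWN_VENDORS` allowlist, the flag names and the 0.8 similarity threshold are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed allowlist: vendor display name -> domains the district has verified.
# pearson.com is the real vendor domain named on this page.
KNOWN_VENDORS = {"pearson education": {"pearson.com"}}


def brand_label(domain):
    """Second-level label, e.g. 'pearson' from 'mail.pearson.com'.
    Simplification: ignores multi-part suffixes such as .co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_trusted(domain, trusted):
    """True for an exact match or a subdomain of a verified domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_sender(from_header):
    """Return the set of impersonation signals raised by a From header."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    display = " ".join(display.lower().split())
    flags = set()
    for vendor, trusted in KNOWN_VENDORS.items():
        if is_trusted(domain, trusted):
            continue  # genuine domain for this vendor
        if vendor in display:
            # The name the mail client shows does not match the real sender.
            flags.add("display_name_mismatch")
        for t in trusted:
            sender_label, real_label = brand_label(domain), brand_label(t)
            if sender_label == real_label:
                flags.add("brand_on_other_tld")   # e.g. .quest instead of .com
            elif SequenceMatcher(None, sender_label, real_label).ratio() >= 0.8:
                flags.add("lookalike_label")      # near-miss spelling
    return flags


if __name__ == "__main__":
    # Constructed sample header modelled on the incident described on this page.
    print(sorted(check_sender('"Pearson Education" <billing@pearson.quest>')))
```

Any non-empty result is a reason to hold the payment and verify the banking change by phone before processing it.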
Two timelines. Two outcomes.
- 01 Email arrives from "Pearson Education." Looks legitimate.
- 02 Finance director sees display name, not the .quest domain.
- 03 First wire transfer of $1.68M processed.
- 04 Second wire transfer of $1.68M processed days later.
- 05 Fraud discovered after both payments clear.
- 06 $2.6M in public school funds permanently lost.

- 01 Email arrives. suss. scans it automatically.
- 02 Domain typosquatting detected: pearson.quest vs pearson.com.
- 03 85% HIGH RISK verdict returned in under 1 second.
- 04 Finance director calls Pearson at their real number.
- 05 Fraud confirmed. Both wire transfers blocked.
- 06 $3.36M saved. Zero disruption to students.
Don't be the next case study.
Book a 15-minute pilot conversation. We'll show you the threats targeting your institution right now and walk through deployment.
Free 30-day pilot for qualified institutions. No IT integration required.