Case Study — K-12

$3.36M gone.
One typosquat domain.

An email from pearson.quest, impersonating Pearson Education, triggered two wire transfers from a rural Tennessee district. Only $742K was recovered. The suss. API scores this exact attack.

The display name said "Pearson Education." The actual domain was hiding behind it. Here is what a free pilot would have caught at the first email.

What happened
  1. Typosquat domain: pearson.quest
    An attacker registered pearson.quest and sent emails with a legitimate-looking display name. The finance director saw "Pearson Education" in the From field. Not the fraudulent domain hiding behind it.
  2. Two wire transfers totaling $3.36M
    The finance director processed two separate wire transfers to the fraudulent account in April 2024. The scam was not discovered until after both payments cleared.
  3. Only $742K recovered
    Recovery efforts clawed back $742,000. $2.6 million in public school funds was permanently lost. For a rural Tennessee district, that is devastating to the 2024-2025 budget.
What it cost
  • $3.36M: wired to fraudster
  • $742K: recovered (22%)
  • $2.6M: public school funds permanently lost
What suss. would have surfaced

A signed record, before the wire.

suss. interaction record: Flagged
Vendor Invoice Fraud Detected

This is the kind of message your people see, before they act on it. Plain guidance, not a number.

  • Do not process this wire transfer.
  • Verify the banking change by calling Pearson at their official number, not from this email.
  • Compare the sender domain (pearson.quest) against the real vendor domain (pearson.com).
  • Forward to IT security and your district's fraud prevention team.
  • If payment was already sent, contact your bank immediately to initiate a wire recall.
signed 9c2f…e7a1 · queryable record
Why this keeps happening

Why K-12 districts are sitting ducks.

Large vendor relationships
Curriculum providers like Pearson, McGraw-Hill, and Houghton Mifflin process multi-million dollar invoices. Staff trust the vendor names on sight.
Small finance teams
Rural districts often have one or two people handling all payments. There is no second pair of eyes on wire transfers.
Display name trust
Email clients show "Pearson Education" in the From field. The actual domain is hidden unless you click to expand it.
Public procurement records
Vendor contracts, payment amounts, and contact names are often available through public records requests, giving attackers a blueprint.
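
The comparison this page describes (display name "Pearson Education", sender domain pearson.quest versus the real pearson.com) can be expressed as a check on the From header. This is an added Python example, not suss.'s code or API; the `KNOWN_VENDORS` allowlist, the function names, the 0.8 similarity threshold and the sample headers are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumption: an allowlist the district maintains itself. Only pearson.com
# appears on this page; extend it with your own verified vendor domains.
KNOWN_VENDORS = {"pearson": "pearson.com"}

def registrable(domain):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_sender(from_header):
    """Return findings for one From header; an empty list means no vendor mismatch."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = registrable(addr.rsplit("@", 1)[1])
    label = domain.split(".")[0]
    findings = []
    for brand, real in KNOWN_VENDORS.items():
        if domain == real:
            return []  # sender is on the verified vendor domain
        if brand in display.lower():
            findings.append(f"display name claims {brand!r} but domain is {domain}, not {real}")
        real_label = real.split(".")[0]
        if label == real_label:
            findings.append(f"same name, different TLD: {domain} vs {real}")
        elif SequenceMatcher(None, label, real_label).ratio() >= 0.8:
            findings.append(f"look-alike domain: {domain} vs {real}")
    return findings

# Constructed sample headers (not taken from the incident).
SAMPLES = [
    '"Pearson Education" <billing@pearson.quest>',     # display-name spoof + TLD swap
    '"Pearson Education" <billing@mail.pearson.com>',  # subdomain of the real vendor
    '"Accounts" <ap@pearsom.com>',                     # one-letter look-alike
    '"PTA Newsletter" <news@example.org>',             # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```

A non-empty result is the trigger for the out-of-band verification step: call the vendor at a number already on file before any banking change or wire is processed.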
The divergence
Without suss.
  1. Email arrives from "Pearson Education." Looks legitimate.
  2. Finance director sees display name, not the .quest domain.
  3. First wire transfer of $1.68M processed.
  4. Second wire transfer of $1.68M processed days later.
  5. Fraud discovered after both payments clear.
  6. $2.6M in public school funds permanently lost.
With suss.
  1. Email arrives. suss. scans it automatically.
  2. Domain typosquatting detected: pearson.quest vs pearson.com.
  3. Plain guidance returned and signed record written, in under 1 second.
  4. Finance director calls Pearson at their real number.
  5. Fraud confirmed. Both wire transfers blocked.
  6. $3.36M saved. Zero disruption to students.

Want this catching the next one before it ships?

This is a documented incident with a public source. The next one is in someone's inbox right now. suss. is what catches it.