Case Study

Johnson County Schools lost $3.36M to a fake vendor email.

suss. caught it in the domain. A pearson.quest email impersonating Pearson Education triggered 85% risk before a single dollar moved.

Two wire transfers. $3.36 million gone. Only $742K recovered. Here's how a free pilot would have stopped it at the first email.

What happened

Typosquat domain: pearson.quest
An attacker registered pearson.quest and sent emails with a legitimate-looking display name. The finance director saw “Pearson Education” in the From field — not the fraudulent domain hiding behind it.
Two wire transfers totaling $3.36M
The finance director processed two separate wire transfers to the fraudulent bank account in April 2024. The scam wasn't discovered until after both payments cleared.
Only $742K recovered — $2.6M gone
Recovery efforts clawed back $742,000, but $2.6 million in public school funds was permanently lost. For a rural Tennessee district, that's devastating.

Sources: The Record (Recorded Future News), Insurance Journal

How suss. would have caught it

We ran a reconstructed version of this scam email through our production API. Here's what fired.

Verdict: 85% High Risk, Vendor Invoice Fraud Detected

5 threat indicators fired

  • 85%: Wire transfer instructions embedded in email body (wire_instructions_embedded)
  • 85%: Wire transfer request targeting school district (wire_request_campus)
  • 80%: New payment routing details provided (payment_routing_info)
  • 75%: Financial request with low verifiability (financial_request_low_verifiability)
  • 85%: Sender domain impersonating known vendor (pearson.quest vs pearson.com) (vendor_domain_typosquat)

Recommended actions

  1. DO NOT process this wire transfer
  2. Verify the banking change by calling Pearson at their official number — not from this email
  3. Compare the sender domain (pearson.quest) against the real vendor domain (pearson.com)
  4. Forward to IT security and your district's fraud prevention team
  5. If payment was already sent, contact your bank immediately to initiate a wire recall

The cost of no protection

  • $3.36M: Wired to fraudster
  • $742K: Recovered (22%)
  • $2.6M: Public school funds lost

Why K-12 districts are prime targets

Large vendor relationships
Curriculum providers like Pearson, McGraw-Hill, and Houghton Mifflin process multi-million dollar invoices. Staff trust the vendor names.
Small finance teams
Rural districts often have one or two people handling all payments. There's no second pair of eyes on wire transfers.
Display name trust
Email clients show "Pearson Education" in the From field. The actual domain (pearson.quest) is hidden unless you click to expand.
Public procurement records
Vendor contracts, payment amounts, and contact names are often available through public records requests — giving attackers a blueprint.

Purpose-built BEC detection

Domain Typosquatting

Compares sender domains against known vendors. Catches .quest, .info, .xyz, and other suspicious TLDs impersonating trusted brands.
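
An added example (not suss. code or its API) of the sender-domain comparison described here and under "Display name trust" above: it parses the From header and checks the real domain against a known-vendor list. The vendor list, mailbox names and function names are assumptions constructed for illustration; only pearson.quest and pearson.com come from the case.

```python
from email.utils import parseaddr

# Assumed allow-list (brand keyword -> legitimate domain); in practice this
# comes from the AP vendor master file. Only pearson.com is from the case.
KNOWN_VENDORS = {"pearson": "pearson.com"}

def edit_distance(a, b):
    """Levenshtein distance, to catch one-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return findings for one From header value; [] means no vendor mismatch."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    labels = domain.split(".")
    findings = []
    for brand, real in KNOWN_VENDORS.items():
        if domain == real or domain.endswith("." + real):
            continue  # genuine vendor domain or one of its subdomains
        vendor_label = real.split(".")[0]
        # Every label is checked (no public-suffix list is available offline),
        # so pearson.com.lookalike.example is caught as well as pearson.quest.
        if vendor_label in labels:
            findings.append(f"'{vendor_label}' used on {domain}, expected {real}")
        elif any(edit_distance(l, vendor_label) == 1 for l in labels):
            findings.append(f"near-miss of '{vendor_label}' in {domain}, expected {real}")
        elif brand in name.lower():
            findings.append(f"display name claims '{brand}' but domain is {domain}")
    return findings

# Constructed sample headers; mailbox names are made up.
SAMPLES = [
    "Pearson Education <billing@pearson.quest>",
    "Pearson Education <ar@pearson.com>",
    "Accounts Receivable <ar@pearsom.com>",
    "Pearson Education <invoices@mail-billing.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no vendor mismatch")
```

The check reads only the address inside the angle brackets, so a trusted display name cannot mask the domain.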

Wire Transfer Fraud

Detects wire instructions embedded in email bodies, new routing numbers, and bank account change requests.

Vendor Impersonation

Identifies display name mismatches, sender domain age, and communication patterns inconsistent with known vendor relationships.

Urgency & Pressure Tactics

Flags artificial deadlines, service disruption threats, and escalation language designed to bypass verification procedures.

With suss. vs. without

Without suss.

  • Email arrives from "Pearson Education" — looks legitimate
  • Finance director sees display name, not the .quest domain
  • First wire transfer of $1.68M processed
  • Second wire transfer of $1.68M processed days later
  • Fraud discovered after both payments clear
  • $2.6M in public school funds permanently lost

With suss.

  • Email arrives — suss. scans it automatically
  • Domain typosquatting detected: pearson.quest vs pearson.com
  • 85% HIGH RISK verdict returned in under 1 second
  • Finance director calls Pearson at their real number
  • Fraud confirmed — both wire transfers blocked
  • $3.36M saved, zero disruption to students

How the pilot works

  1. Install the browser extension
     Finance and AP staff install the suss. Chrome extension. It scans every email automatically — no forwarding, no extra steps.
  2. AI scans in real time
     Every incoming email is analyzed for domain typosquatting, wire fraud indicators, vendor impersonation, and urgency manipulation. Results in under 1 second.
  3. Warnings before payments
     When a threat is detected, staff see a clear risk score and specific recommended actions — before any payment is initiated.
  4. Admin dashboard tracks threats
     District IT gets a real-time dashboard showing scan volume, threat categories, blocked attacks, and ROI metrics for the pilot period.

Start a free 30-day pilot

Zero IT integration required. The extension scans emails automatically and flags threats before payments are processed.

Built for K-12 districts — protect every finance team member from vendor impersonation.

Free for qualified school districts and government institutions

  • 499: Scam signals
  • 51: Enterprise fraud
  • 94.5%: Precision
  • 93.2%: Recall