Case Study — K-12

New Haven lost $6M.
The fraud was inside.

Hackers compromised the COO's email account and silently redirected six wire transfers. SPF, DKIM, DMARC all passed. Traditional email security saw nothing wrong. The sender was real. The suss. API scores the pattern, not the envelope, at 90% risk.

This is business email compromise at its most effective. There is no spoofed domain to detect. The attacker was reading every email in the COO's inbox.

The attack.

01

Hackers gain access to the COO's email account

Attackers compromise a legitimate internal email account, giving them full access to vendor conversations and payment workflows.

02

Weeks of silent monitoring

The attackers read vendor invoices, learn payment schedules, and study how the district communicates about wire transfers. They never send a single email during this period.

03

Six fraudulent wire transfers executed

Impersonating both the COO and vendors like First Student, the attackers redirect payments to accounts they control. The largest single transfer was $5.9M.

What suss. would have seen.

We ran a reconstructed version of this attack through the production API. Here's what fired.

suss. verdict: 90% HIGH RISK
Business Email Compromise Detected
6 threat indicators fired

90%  Vendor bank account change request (invoice_bank_change)
88%  Business email compromise invoice pattern (bec_invoice_fraud)
85%  New wire transfer beneficiary added (wire_new_beneficiary)
82%  Wire routing details embedded in email body (wire_instructions_embedded)
80%  Urgency pressure with service disruption threat (rush_payment_penalty)
75%  Account closure claim to force action (account_suspended_threat)

Recommended actions
  1. Do not process this wire transfer.
  2. Call First Student at their verified number, not the one in this email thread.
  3. Verify the bank account change through a separate, known communication channel.
  4. Alert IT security. The COO's email account may be compromised.
  5. If any payments were already sent, contact the bank immediately to initiate a wire recall.
  6. Preserve all emails in this thread as evidence for law enforcement.
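
Why a message can pass every authentication check and still warrant a hold, as an added example (this is not suss. code): the indicator ids and scores are the ones listed above, while the regex patterns, the composite rule, taking the maximum as the overall score, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not the real email); names, domains and numbers are made up.
SAMPLE = """\
From: COO <coo@district.example>
To: ap@district.example
Subject: RE: First Student invoice, updated remittance details
Authentication-Results: mx.district.example; spf=pass; dkim=pass; dmarc=pass

First Student has changed banks. Their old account has been closed, so please
update the bank account on file and add the new beneficiary before paying.
Routing number: 000000000  Account number: 0000000000
This must go out today or bus service will be suspended.
"""

# Ids and scores come from the page; the patterns are hypothetical stand-ins.
RULES = {
    "invoice_bank_change": (0.90, r"changed banks|update the bank account"),
    "wire_new_beneficiary": (0.85, r"new beneficiary"),
    "wire_instructions_embedded": (0.82, r"routing number\W+\d{9}\b.*account number\W+\d+"),
    "rush_payment_penalty": (0.80, r"(today|immediately|urgent).{0,80}(suspended|disrupt|penalt)"),
    "account_suspended_threat": (0.75, r"(old|previous) account (has been|was|is) closed"),
}

def envelope_passes(msg):
    """True when SPF, DKIM and DMARC all report pass in Authentication-Results."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{check}=pass" in results for check in ("spf", "dkim", "dmarc"))

def score_content(msg):
    """Return {indicator_id: score} for every rule that matches the body text."""
    body = " ".join(msg.get_payload().lower().split())  # collapse line breaks
    fired = {name: s for name, (s, pat) in RULES.items() if re.search(pat, body)}
    # Assumption: the composite indicator fires when a bank change request
    # arrives together with embedded wire details.
    if {"invoice_bank_change", "wire_instructions_embedded"} <= set(fired):
        fired["bec_invoice_fraud"] = 0.88
    return fired

def assess(raw):
    """Report envelope and content verdicts side by side; they are independent."""
    msg = message_from_string(raw)
    fired = score_content(msg)
    # Assumption: overall risk is the highest single indicator score.
    return {"envelope_ok": envelope_passes(msg), "fired": fired,
            "risk": max(fired.values(), default=0.0)}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
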

The cost.

$6M: Stolen across 6 wire transfers
$2.4M: Permanently lost
Weeks: Undetected access

Why K-12 districts are perfect BEC targets.

01

Large vendor payment flows

Transportation, food service, construction, and IT contracts involve millions in wire transfers that AP staff process routinely.

02

Underfunded IT security

School district IT budgets prioritize student systems and infrastructure. Dedicated email security teams are rare.

03

Predictable payment schedules

Bus contracts, cafeteria suppliers, and facility vendors follow seasonal cycles that attackers can study and exploit.

04

High trust, low verification

Small finance teams process payments from familiar vendors with minimal multi-party verification.

Two timelines.
Two outcomes.

Without suss.
  1. Hacker compromises COO email. No alert.
  2. Weeks of monitoring vendor conversations.
  3. Fraudulent wire instructions sent from the real account.
  4. SPF, DKIM, DMARC all pass. Email looks legitimate.
  5. Six transfers processed over weeks.
  6. $6M stolen. $2.4M lost permanently.
With suss.
  1. Wire request email forwarded to suss. for analysis.
  2. API detects 6 BEC indicators in under 1 second.
  3. 90% HIGH RISK verdict returned instantly.
  4. Staff calls First Student directly. Confirms fraud.
  5. First transfer blocked before funds leave.
  6. $6M saved. IT investigates the compromised account.

Don't be the next case study.

Book a 15-minute pilot conversation. We'll show you the threats targeting your institution right now and walk through deployment.

Free 30-day pilot for qualified institutions. No IT integration required.