Case Study
New Haven Public Schools

New Haven lost $6M while the fraud was inside their own email.

suss. flags the pattern, not just the sender. Our API scored a reconstructed version of this attack at 90% risk with 6 threat indicators.

Hackers compromised the COO's email and silently redirected wire transfers for weeks. Traditional email security saw nothing wrong — the sender was real.

What happened

May 2023: Hackers gain access to the COO's email account
Attackers compromise a legitimate internal email account, giving them full access to vendor conversations and payment workflows.

May – June 2023: Weeks of silent monitoring
The attackers read vendor invoices, learn payment schedules, and study how the district communicates about wire transfers. They never send a single email.

Summer 2023: Six fraudulent wire transfers executed
Impersonating both the COO and vendors like First Student, the attackers redirect payments to accounts they control. The largest single transfer: $5.9M.

After discovery: $3.6M recovered, IT director fired
Of the $6M stolen, $3.6M was eventually recovered. The remaining $2.4M was lost. The IT director was terminated.

Sources: New Haven Independent, WTNH, StateScoop

The cost of no protection

$6M: Total stolen across 6 wire transfers
$2.4M: Permanently lost (unrecoverable)
Weeks: Attackers had access undetected

Why this attack bypasses traditional email security

This wasn't a spoofed email. It was the real account.
The attackers compromised the COO's actual email credentials. Every fraudulent message passed DKIM, SPF, and DMARC validation because it was genuinely sent from the district's mail server.
SPF/DKIM/DMARC: PASS (email sent from legitimate domain)
Spam filter: PASS (no phishing links, no malware attachments)
Domain reputation: PASS (sender domain is the district's own .gov/.org)
Email gateway: PASS (known internal sender, existing conversation thread)

Every traditional email security tool says "this is safe." suss. looks at what the email is asking you to do — and that's where the fraud becomes visible.

How suss. catches it

We ran a reconstructed version of this attack through our production API. Here's what fired.

Verdict: 90% (High Risk), Business Email Compromise Detected
Embedding: 0.9878 | Response: 665ms | Model: fusion-v5

6 threat indicators fired

90%: Vendor bank account change request (invoice_bank_change)
88%: Business email compromise invoice pattern (bec_invoice_fraud)
85%: New wire transfer beneficiary added (wire_new_beneficiary)
82%: Wire routing details embedded in email body (wire_instructions_embedded)
80%: Urgency pressure with service disruption threat (rush_payment_penalty)
75%: Account closure claim to force action (account_suspended_threat)

Why this works

suss. doesn't care who sent the email — it analyzes what the email is asking you to do. A legitimate COO would never embed wire routing numbers in an email body, pressure staff with a same-day deadline, and instruct them not to use known contact numbers. These behavioral patterns fire regardless of whether the sender is spoofed or compromised.
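As an added illustration (not suss.'s code or production signals), the rule-based sketch below scores a constructed email modeled on this case purely on what it asks the reader to do, with no sender or authentication input at all. The indicator ids reuse the case study's names; "bypass_verification", the regexes, the weights and the strongest-indicator scoring rule are assumptions made here.

```python
import re

# Added illustration, not suss.'s production signals. Ids reuse the case study's
# names; "bypass_verification", the weights and the max-score rule are assumptions.
# Each tuple: (indicator id, weight, regex run over the collapsed, lowercased body).
INDICATORS = [
    ("invoice_bank_change", 0.90, r"\b(changed?|new|updated?)\b[^.]{0,40}\b(bank|account|routing)\b"),
    ("wire_new_beneficiary", 0.85, r"\b(beneficiary|payable to|remit to)\b"),
    ("wire_instructions_embedded", 0.82, r"\brouting\b[^.]{0,20}\b\d{9}\b"),
    ("rush_payment_penalty", 0.80, r"\b(today|same[ -]day|end of (the )?day|immediately)\b[^.]{0,60}\b(suspend|cancel|penalt|late fee|disrupt)"),
    ("account_suspended_threat", 0.75, r"\b(account|contract|service)\b[^.]{0,30}\b(suspend|clos|froz|terminat)"),
    ("bypass_verification", 0.70, r"\b(do not|don't|dont) (call|use|contact|phone)\b[^.]{0,40}\b(number|phone|on file)\b"),
]


def analyze(body: str) -> dict:
    """Score an email purely on what it asks the reader to do.

    Deliberately no sender, SPF, DKIM or DMARC input: mail from a genuinely
    compromised account passes all of those and must still fire here.
    """
    text = " ".join(body.split()).lower()
    fired = [(iid, w) for iid, w, pat in INDICATORS if re.search(pat, text)]
    # Composite indicator: an invoice conversation that also carries a bank change.
    if "invoice" in text and any(iid == "invoice_bank_change" for iid, _ in fired):
        fired.append(("bec_invoice_fraud", 0.88))
    fired.sort(key=lambda f: f[1], reverse=True)
    risk = fired[0][1] if fired else 0.0  # risk = strongest indicator (assumption)
    verdict = "High Risk" if risk >= 0.70 else "Medium Risk" if risk >= 0.40 else "Low Risk"
    return {"risk": risk, "verdict": verdict, "indicators": [iid for iid, _ in fired]}


# Constructed samples modeled on the case; routing/account numbers are fake.
FRAUD_EMAIL = """Subject: RE: First Student - June invoice payment
Quick follow-up on the June invoice. First Student has changed their bank
account, so please update the wire beneficiary before you send it.
Routing number 999999992, account 000111222333. This needs to go out today
or the contract will be suspended. Do not call the number on file, their
finance office is switching phones; reply here instead."""

BENIGN_EMAIL = """Subject: First Student - June invoice
Attached is the June invoice for bus service. Payment terms are net 30,
same account as always. Let me know if you have questions."""

if __name__ == "__main__":
    for mail in (FRAUD_EMAIL, BENIGN_EMAIL):
        print(analyze(mail))
```

The constructed fraud mail fires all seven indicators and scores High Risk, while the routine invoice from the same vendor fires none; a real deployment would tune these patterns against its own mail, but the point holds that nothing here depends on who sent the message.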

Recommended actions

  1. DO NOT process this wire transfer
  2. Call First Student at their verified number — not the one in this email thread
  3. Verify the bank account change through a separate, known communication channel
  4. Alert IT security — the COO's email account may be compromised
  5. If any payments were already sent, contact the bank immediately to initiate a wire recall
  6. Preserve all emails in this thread as evidence for law enforcement

Why school districts are prime targets

Large vendor payment flows
Transportation, food service, construction, and IT contracts involve millions in wire transfers that AP staff process routinely.
Underfunded IT security
School district IT budgets prioritize student systems and infrastructure. Dedicated email security teams are rare.
Predictable payment schedules
Bus contracts, cafeteria suppliers, and facility vendors follow seasonal cycles that attackers can study and exploit.
Public leadership directories
Superintendent, COO, CFO, and board member names are public record — perfect for social engineering and account targeting.
High trust, low verification
Small finance teams in districts process payments from familiar vendors with minimal multi-party verification.

Purpose-built BEC detection

Account Takeover Patterns

Detects behavioral anomalies in compromised accounts: unusual payment requests, redirected conversations, and instructions that contradict established workflows.

Wire Transfer Fraud

Flags new beneficiaries, embedded routing numbers, bank account changes, and urgency pressure around high-value transfers.

Vendor Impersonation

Identifies fraudulent vendor communications including invoice manipulation, payment redirect requests, and forged approval chains.

Social Engineering Tactics

Recognizes manipulation patterns: artificial deadlines, authority invocation, isolation attempts, and instructions to bypass normal verification.

With suss. vs. without

Without suss.

  • Hacker compromises COO email — no alert
  • Weeks of monitoring vendor conversations
  • Fraudulent wire instructions sent from real account
  • SPF, DKIM, DMARC all pass — email looks legitimate
  • Six transfers processed over weeks
  • $6M stolen, $2.4M lost permanently

With suss.

  • Wire request email forwarded to suss. for analysis
  • AI detects 6 BEC indicators in under 1 second
  • 90% HIGH RISK verdict returned instantly
  • Staff calls First Student directly — confirms fraud
  • First transfer blocked before funds leave
  • $6M saved, IT investigates compromised account

How the pilot works

1. Forward suspicious payment requests
Any vendor invoice, wire instruction, or payment change email gets forwarded for instant AI analysis. Zero IT integration required.

2. AI scans in under 1 second
Purpose-built BEC detection analyzes the email across 500+ threat signals including account takeover patterns, wire fraud, and social engineering tactics.

3. Verdict delivered instantly
The sender receives a risk score, specific threat classification, and recommended actions — before any payment is processed.

4. Dashboard tracks everything
District IT and finance leadership get a real-time dashboard showing scan volume, threat categories, and blocked fraud attempts during the pilot.

Start a free 30-day pilot

Zero IT integration. Forward suspicious emails, get instant AI verdicts. See exactly what threats are targeting your district.

If it happened in New Haven, it can happen in any district. 13,000+ U.S. school districts share the same attack surface.

Free for qualified school districts and government institutions

508 scam signals
28+ BEC-specific
94.5% precision
93.2% recall