Case Study — K-12

New Haven lost $6M.
The fraud was inside.

Hackers compromised the COO's email account and silently redirected six wire transfers. SPF, DKIM, and DMARC all passed. Traditional email security saw nothing wrong. The sender was real. The suss. API scores the pattern, not the envelope.

This is business email compromise at its most effective. There is no spoofed domain to detect. The attacker was reading every email in the COO's inbox.

What happened
  1. Hackers gain access to the COO's email account
    Attackers compromise a legitimate internal email account, giving them full access to vendor conversations and payment workflows.
  2. Weeks of silent monitoring
    The attackers read vendor invoices, learn payment schedules, and study how the district communicates about wire transfers. They never send a single email during this period.
  3. Six fraudulent wire transfers executed
    Impersonating both the COO and vendors like First Student, the attackers redirect payments to accounts they control. The largest single transfer was $5.9M.
What it cost
  • $6M: Stolen across 6 wire transfers
  • $2.4M: Permanently lost
  • Weeks: Undetected access
What suss. would have surfaced

A signed record, before the wire.

suss. interaction record: Flagged
Business Email Compromise Detected

This is the kind of message your people see, before they act on it. Plain guidance, not a number.

  • Do not process this wire transfer.
  • Call First Student at their verified number, not the one in this email thread.
  • Verify the bank account change through a separate, known communication channel.
  • Alert IT security. The COO's email account may be compromised.
  • If any payments were already sent, contact the bank immediately to initiate a wire recall.
  • Preserve all emails in this thread as evidence for law enforcement.
signed 9c2f…e7a1 · queryable record
Why this keeps happening

Why K-12 districts are perfect BEC targets.

Large vendor payment flows
Transportation, food service, construction, and IT contracts involve millions in wire transfers that AP staff process routinely.
Underfunded IT security
School district IT budgets prioritize student systems and infrastructure. Dedicated email security teams are rare.
Predictable payment schedules
Bus contracts, cafeteria suppliers, and facility vendors follow seasonal cycles that attackers can study and exploit.
High trust, low verification
Small finance teams process payments from familiar vendors with minimal multi-party verification.
The divergence
Without suss.
  1. Hacker compromises COO email. No alert.
  2. Weeks of monitoring vendor conversations.
  3. Fraudulent wire instructions sent from the real account.
  4. SPF, DKIM, DMARC all pass. Email looks legitimate.
  5. Six transfers processed over weeks.
  6. $6M stolen. $2.4M lost permanently.
With suss.
  1. Wire request email forwarded to suss. for analysis.
  2. suss. flags the pattern, inline.
  3. Plain guidance returned, signed record written, instantly.
  4. Staff calls First Student directly. Confirms fraud.
  5. First transfer blocked before funds leave.
  6. $6M saved. IT investigates the compromised account.

Want this catching the next one before it ships?

This is a documented incident with a public source. The next one is in someone's inbox right now. suss. is what catches it.