Case Study — University

SDSU lost $5.9M to a fake invoice.

A fraudster impersonated a vendor and redirected a wire payment. The suss. API scores this exact attack at 94% risk, before anyone clicks send.

If it happened at SDSU, it can happen at any of the 23 CSU campuses. Here is what our engine saw when we reran it.

The attack.

01. Vendor impersonation email

A fraudster posed as a legitimate vendor and sent SDSU an invoice with updated bank account details. Display name matched the real vendor. The body looked routine.

02. $5.9 million wire transfer

AP staff processed the payment to the fraudulent account. No second pair of eyes caught the change. The scam was not detected until after the funds were sent.

03. FBI recovered 90%+ of funds

The FBI assisted with recovery. Reputational damage and operational disruption were real. No student data was breached, but the trust loss with vendors and the press coverage were not recoverable.

What suss. would have seen.

We ran a reconstructed version of this attack through the production API. Here's what fired.

suss. verdict: 94% HIGH RISK
Vendor Invoice Fraud Detected
6 threat indicators fired

  - 90%: Vendor bank account change request (invoice_bank_change)
  - 85%: New vendor with urgent first payment (new_vendor_rush)
  - 85%: Sender domain impersonating known vendor (vendor_domain_typosquat)
  - 80%: Wire transfer instructions sent via email (wire_instruction_email)
  - 75%: Urgency pressure with late payment penalty (rush_payment_penalty)
  - 70%: Vendor contact person changed (vendor_contact_change)

Recommended actions
  1. Do not process this payment.
  2. Call the vendor at a known number, never the one in this email.
  3. Verify the bank account change through your vendor management system.
  4. Forward to IT security for investigation.
  5. If payment was sent, contact your bank immediately to initiate a recall.

The cost.

  - $5.9M: Wired to fraudster
  - Weeks: FBI recovery timeline
  - 500K+: CSU system employees at risk

Why universities keep getting hit.

01. Large vendor ecosystems

Hundreds of active vendors means AP teams cannot personally verify every invoice change. Attackers exploit the volume.

02. Decentralized purchasing

Department-level procurement creates more entry points for fraudulent invoices, with no unified approval chain.

03. High transaction volumes

Millions in monthly payments make individual wire scrutiny impractical. Fraud hides inside normal workflow.

04. Public org charts

University leadership, department heads, and finance contacts are publicly listed. Perfect for social engineering.

Two timelines. Two outcomes.

Without suss.
  1. Invoice arrives. It looks legitimate.
  2. AP team processes payment normally.
  3. Funds sent to fraudulent account.
  4. Discovered days or weeks later.
  5. FBI involved for recovery.
  6. $5.9M at risk, reputation damaged.

With suss.
  1. Invoice arrives, staff forwards to suss.
  2. API detects 6 BEC indicators in seconds.
  3. 94% HIGH RISK verdict returned.
  4. Staff calls the vendor to verify.
  5. Payment blocked before it leaves.
  6. $5.9M saved, zero downtime.

Don't be the next case study.

Book a 15-minute demo. We'll show you the threats targeting your institution right now and walk through deployment.

Free 30-day pilot for qualified institutions. No IT integration required.