Case Study

Southern Oregon lost $1.9M to a vendor impersonation.

An attacker impersonated a construction contractor and redirected a wire payment. suss. would have flagged it at 89% risk before anyone clicked send.

Construction vendors, capital projects, and large wire transfers make universities uniquely vulnerable to BEC. Here's how a free 30-day pilot would have stopped it.

What happened

Contractor impersonation email
An attacker impersonated Andersen Construction, the contractor building McNeal Pavilion, and sent an email requesting a banking change for upcoming payments.
$1.9 million wire transfer
The accounts payable team processed the payment to the fraudulent bank account. The real contractor called three days later asking about their missing payment.
3-day discovery delay
The fraud was only discovered when the real Andersen Construction contacted SOU about non-payment. By then, the funds had been moved through multiple accounts.

Source: The Siskiyou / Tripwire

How suss. would have caught it

We ran a reconstructed version of this scam through our API. Here's what fired.

89% High Risk: Vendor Payment Redirect Detected

4 threat indicators fired

  • 90%: Vendor bank account change request (invoice_bank_change)
  • 85%: Urgent wire transfer request from authority figure (ceo_urgent_wire)
  • 80%: Wire to new/changed beneficiary account (wire_new_beneficiary)
  • 75%: Urgency pressure with late payment penalty (rush_payment_penalty)

Recommended actions

  1. DO NOT process this payment
  2. Call the vendor at a known phone number — not one from this email
  3. Verify the banking change through your vendor management system
  4. Forward to IT security for investigation
  5. If payment was sent, contact your bank immediately to initiate a recall

The cost of no protection

  • $1.9M: Funds sent to fraudster
  • 3 days: Discovery delay
  • 23: CSU campuses sharing same threat surface

Why universities are prime targets

Capital construction projects
Multi-million dollar building projects involve large wire transfers to contractors — perfect targets for payment redirection.
Long vendor relationships
AP teams trust established vendors. A single email claiming 'new banking details' bypasses skepticism built on years of legitimate invoices.
Decentralized payment approval
Different departments handle their own vendor payments, creating inconsistent verification procedures across the institution.
Public procurement records
Construction contracts, vendor awards, and project timelines are public record — giving attackers everything they need to craft convincing impersonations.

Purpose-built BEC detection

Vendor Payment Redirect

Detects banking change requests, new beneficiary routing, and payment instruction modifications from vendor impersonators.

Construction & Capital Fraud

Identifies high-value wire fraud targeting capital projects, progress payments, and contractor milestone billing.

Email Authenticity

Analyzes sender domain legitimacy, communication anomalies, and impersonation patterns to verify email provenance.

Urgency & Pressure Tactics

Flags artificial deadlines, penalty threats, and rush payment requests designed to bypass normal verification procedures.

With suss. vs. without

Without suss.

  • Contractor banking change email arrives
  • AP team trusts established vendor relationship
  • $1.9M wired to fraudulent account
  • Real contractor calls 3 days later
  • Funds already moved through multiple accounts
  • $1.9M lost, construction project delayed

With suss.

  • Banking change email arrives, staff forwards to suss.
  • AI detects 4 BEC indicators in seconds
  • 89% HIGH RISK verdict returned
  • Staff calls Andersen Construction directly — confirms fraud
  • Payment blocked before it leaves
  • $1.9M saved, project stays on schedule

How the pilot works

  1. Submit suspicious emails
     Forward any suspicious invoice, payment request, or vendor email for instant analysis. Zero IT integration required.
  2. AI scans in seconds
     Purpose-built BEC detection analyzes the email across multiple threat categories including impersonation, fraud patterns, and social engineering tactics.
  3. Verdict delivered via email
     The sender receives a risk score, threat classification, and specific recommended actions within seconds — before any payment is processed.
  4. Dashboard tracks everything
     IT security gets a real-time dashboard showing scan volume, threat categories, and ROI metrics for the pilot period.

Start a free 30-day pilot

Zero IT integration required. Submit suspicious emails, get instant AI verdicts. See exactly what threats are hitting your university.

Construction BEC is the #1 wire fraud vector in higher education.

Free for qualified universities and government institutions

  • 524: Scam signals
  • 51: Enterprise fraud
  • 94.5%: Precision
  • 93.2%: Recall