Case Study — University

SOU lost $1.9M to a fake contractor.

An attacker impersonated Andersen Construction, redirected a wire payment, and disappeared. The real contractor called three days later asking where their money was. The suss. API scores this exact attack.

Capital projects. Long vendor relationships. Public procurement records. Universities are uniquely exposed to this playbook. Here is what the engine sees.

What happened
  1. Contractor impersonation email
     An attacker posed as Andersen Construction, the contractor building McNeal Pavilion, and sent an email requesting a banking change for upcoming payments.
  2. $1.9 million wire transfer
     The accounts payable team processed the payment to the fraudulent bank account. The real contractor called three days later asking about their missing payment.
  3. 3-day discovery delay
     The fraud was only discovered when the real Andersen Construction contacted SOU about non-payment. By then, the funds had been moved through multiple accounts.
What it cost
  • $1.9M: Wired to fraudster
  • 3 days: Discovery delay
  • 23: CSU campuses sharing the same threat surface
What suss. would have surfaced

A signed record, before the wire.

suss. interaction record: Flagged
Vendor Payment Redirect Detected

This is the kind of message your people see, before they act on it. Plain guidance, not a number.

  • Do not process this payment.
  • Call the vendor at a known phone number, not one from this email.
  • Verify the banking change through your vendor management system.
  • Forward to IT security for investigation.
  • If payment was sent, contact your bank immediately to initiate a recall.
signed 9c2f…e7a1 · queryable record
Why this keeps happening

Why universities keep losing to this.

Capital construction projects
Multi-million dollar building projects involve large wire transfers to contractors. Perfect targets for payment redirection.
Long vendor relationships
AP teams trust established vendors. A single email claiming new banking details bypasses skepticism built on years of legitimate invoices.
Decentralized payment approval
Different departments handle their own vendor payments, creating inconsistent verification procedures across the institution.
Public procurement records
Construction contracts, vendor awards, and project timelines are public record. Attackers get everything they need to craft convincing impersonations.
The divergence
Without suss.
  1. Contractor banking change email arrives.
  2. AP team trusts the established vendor relationship.
  3. $1.9M wired to a fraudulent account.
  4. Real contractor calls 3 days later.
  5. Funds already moved through multiple accounts.
  6. $1.9M lost. Construction project delayed.
With suss.
  1. Banking change email arrives. Staff forwards to suss.
  2. suss. flags the pattern, inline.
  3. Plain guidance returned, signed record written.
  4. Staff calls Andersen Construction directly. Fraud confirmed.
  5. Payment blocked before it leaves.
  6. $1.9M saved. Project stays on schedule.

Want this catching the next one before it ships?

This is a documented incident with a public source. The next one is in someone's inbox right now. suss. is what catches it.