Case Study — University

SOU lost $1.9M to a fake contractor.

An attacker impersonated Andersen Construction, redirected a wire payment, and disappeared. The real contractor called three days later asking where their money was. The suss. API scores this exact attack at 89% risk.

Capital projects. Long vendor relationships. Public procurement records. Universities are uniquely exposed to this playbook. Here is what the engine sees.

The attack.

01. Contractor impersonation email

An attacker posed as Andersen Construction, the contractor building McNeal Pavilion, and sent an email requesting a banking change for upcoming payments.

02. $1.9 million wire transfer

The accounts payable team processed the payment to the fraudulent bank account. The real contractor called three days later asking about their missing payment.

03. 3-day discovery delay

The fraud was only discovered when the real Andersen Construction contacted SOU about non-payment. By then, the funds had been moved through multiple accounts.

What suss. would have seen.

We ran a reconstructed version of this attack through the production API. Here's what fired.

suss. verdict: 89% HIGH RISK
Vendor Payment Redirect Detected
4 threat indicators fired:
  90%  Vendor bank account change request (invoice_bank_change)
  85%  Urgent wire request from authority figure (ceo_urgent_wire)
  80%  Wire to new or changed beneficiary account (wire_new_beneficiary)
  75%  Urgency pressure with late payment penalty (rush_payment_penalty)
Recommended actions
  1. Do not process this payment.
  2. Call the vendor at a known phone number, not one from this email.
  3. Verify the banking change through your vendor management system.
  4. Forward to IT security for investigation.
  5. If payment was sent, contact your bank immediately to initiate a recall.

The cost.

$1.9M: Wired to fraudster
3 days: Discovery delay
23: CSU campuses sharing the same threat surface

Why universities keep losing to this.

01. Capital construction projects

Multi-million dollar building projects involve large wire transfers to contractors. Perfect targets for payment redirection.

02. Long vendor relationships

AP teams trust established vendors. A single email claiming new banking details bypasses skepticism built on years of legitimate invoices.

03. Decentralized payment approval

Different departments handle their own vendor payments, creating inconsistent verification procedures across the institution.

04. Public procurement records

Construction contracts, vendor awards, and project timelines are public record. Attackers get everything they need to craft convincing impersonations.

Two timelines. Two outcomes.

Without suss.
  1. Contractor banking change email arrives.
  2. AP team trusts the established vendor relationship.
  3. $1.9M wired to a fraudulent account.
  4. Real contractor calls 3 days later.
  5. Funds already moved through multiple accounts.
  6. $1.9M lost. Construction project delayed.
With suss.
  1. Banking change email arrives. Staff forwards to suss.
  2. API detects 4 BEC indicators in seconds.
  3. 89% HIGH RISK verdict returned.
  4. Staff calls Andersen Construction directly. Fraud confirmed.
  5. Payment blocked before it leaves.
  6. $1.9M saved. Project stays on schedule.

Don't be the next case study.

Book a 15-minute pilot conversation. We'll show you the threats targeting your institution right now and walk through deployment.

Free 30-day pilot for qualified institutions. No IT integration required.