Back to Resources

Town of Plymouth Cyber Attack: $200k Social Engineering Scam

Town of Plymouth Cyber Attack: $200k Social Engineering Scam

Town of Plymouth Cyber Attack: $200k Social Engineering Scam

The Town of Plymouth Cyber Attack caused a $200,000 USD+ shortfall as a result of a sophisticated social engineering campaign carried out by a group of cybercriminals. This blog post will review the incident in detail and discuss how your organization can avoid falling for similar scams and other types of cyber attacks.

Incident Breakdown

Cybercriminals gained access to a regularly used vendor’s email account and sent fraudulent invoices over the course of a month, posing as the legitimate vendor. The key difference in these invoices was that the payment information had been altered. Normally, such a change would raise suspicions which would prompt a company to verify the validity of the altered information with a trusted contact at the vendor’s office. Unfortunately, this crucial verification step was not taken, leading to the Town of Plymouth falling victim to this incident.

Why this matters to Startups + SMBs

  • Smaller organizations typically do not have a standardized process for verifying changes to vendors’ financial information.
  • They oftentimes do not provide any sort of financial awareness training for their teams to make them aware of common financial scams and cyber attacks to watch out for
  • Typically, vendor due diligence is not performed, and businesses trust their vendor is doing everything right as opposed to understanding their cybersecurity resilience

1. Awareness Training

Train your financial team on specific threats related to their department, such as invoice fraud and other types of common social engineering attempts. If banking information changes, always call the requesting party through a trusted contact to verify the change. The Complete Guide To Cybersecurity Awareness Training for Employees

2. Dual Financial Control

Ensure at least two people are involved in initiating transactions above a threshold amount (e.g., $10,000 or greater) to catch mistakes earlier rather than later. Why Dual Control Matters (City National Bank)

3. Vendor Management

Make sure to thoroughly vet your vendors, especially the ones handling sensitive data. Understand their security limitations and address any internal gaps. The recent Town of Plymouth Cyber Attack highlights the importance of ensuring that your vendors’ security measures meet the required standards. If they don’t, consider switching to vendors with similar functionality to limit risk. The Ultimate Guide to Vendor Security Management in 2025

Your employees are the #1 target — and businesses face constant risk from AI deepfakes, misconfigurations, and more. Start today with our unified trust, compliance, and security platform, free-for-life, and get access to:

  • Cybersecurity training – 50+ animated micro-courses
  • Unlimited employees on the free plan – no credit card required
  • Policy, risk, and vendor management -publish, distribute, and track with ease
  • Inventory manager -track, categorize and organize all your assets

Get started free today – no credit card required.