November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent text claiming to be from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Although it seemed suspicious, the message bore her boss's name and it was a hectic holiday period. By the time she verified the request, the gift cards had been used, the scammer had vanished, and the company had suffered the financial loss.
That scam was painful, but some attacks can devastate an entire business. In the same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a far more damaging fraud. An employee got emails that seemed like ordinary wire transfer requests—likely from trusted colleagues or partners. These requests appeared authentic, urgent, and consistent with regular operations. Without hesitation, the employee executed multiple transfers as instructed.
The consequence? $60 million funneled directly into the accounts of cybercriminals—more than half of the company's yearly profits lost in a string of fraudulent wire transfers.
If you believe your small business isn't a target, think again. Gift card scams alone cost businesses over $217 million in 2023, and business email compromise attacks represented 73% of all cyber incidents in 2024. The holiday season is prime time for these schemes, as criminals exploit distracted, stressed teams managing increased transactions.
5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Funds)
1. "Your Boss Needs Gift Cards" (The $3,000 Text Trap)
- The Scam: Imposters impersonate executives, urging staff to buy gift cards for "clients" or "employee appreciation." In Q1 2024, 37.9% of business email compromise incidents were linked to gift card scams.
- Prevention: Implement a strict company policy that gift cards require two separate approvals. Educate employees that executives never request gift cards via text messages.
2. Invoice & Payment Switch-Ups (The High-Stakes Deception)
- The Scam: Fraudsters send fake "updated banking details" or hijack vendor email conversations right when large payments are due. For example, the Town of Arlington, MA, lost nearly half a million dollars to this tactic in June 2024.
- Prevention: Always verify banking changes with a known phone number—not one provided in the email. Adopt a "phone call only" rule for all financial changes exceeding $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts pretending to be UPS, FedEx, or USPS, containing links that claim to "reschedule delivery" but lead to malicious sites.
- Prevention: Train employees to go directly to the carrier's official website by typing the URL, and to bookmark tracking pages, so they avoid clicking dubious links.
4. Malicious "Holiday Party" Attachments
- The Scam: Emails with attachments named like "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware upon opening.
- Prevention: Disable macros, scan all attachments thoroughly, and instill a culture of verifying unexpected files before opening.
5. Fake Holiday Fundraisers
- The Scam: Scam websites that impersonate charities or fake "company match" campaigns aiming to steal money or personal data.
- Prevention: Circulate a list of approved charities and require all donations to go through official, verified portals.
Why These Attacks Succeed (And How To Defend Against Them)
The very tools that boost business efficiency—such as email, online banking, and digital payments—are what scammers exploit. These attacks aren't amateur phishing attempts; they're sophisticated schemes combining social engineering with in-depth research on your company.
Companies that conduct regular phishing simulations reduce risks by up to 60%, yet many small businesses forgo this crucial training. Multifactor authentication blocks 99% of unauthorized access attempts, but too many businesses still rely solely on passwords.
Your Essential Holiday Security Checklist
Prepare your team before the busy season begins by implementing these measures:
- The Two-Person Approval Rule: Require verbal confirmation via a separate channel for any transaction surpassing your set threshold.
- Gift Card Policy: Enforce a written rule against purchasing gift cards through email or text requests.
- Vendor Verification: Confirm all banking or payment changes by calling known numbers already on file.
- Multifactor Authentication: Activate MFA across all email, banking, and cloud accounts.
- Holiday Scam Awareness: Educate your team on these five threats with real-world examples.
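The approval rules in this checklist can also be enforced in software before a payment is released. The sketch below is an added example, not part of the original article; the record layout, vendor name, phone numbers and the `holds` function are assumptions made for illustration, and the $5,000 threshold is the one suggested earlier on this page.

```python
from dataclasses import dataclass, field

THRESHOLD = 5_000  # the page's example threshold; set your own
# Constructed vendor master record, captured before any change request arrived.
PHONES_ON_FILE = {"acme-supplies": "+1-555-0100"}

@dataclass
class Request:
    kind: str        # "gift_card", "bank_change" or "payment"
    channel: str     # how it arrived: "email", "text", "phone", "in_person"
    amount: float
    vendor: str = ""
    approvers: set = field(default_factory=set)  # distinct people who signed off
    called_number: str = ""                      # number staff dialed to confirm

def _digits(number):
    # Compare phone numbers on digits only, so formatting differences do not matter.
    return "".join(ch for ch in number if ch.isdigit())

def holds(req):
    """Return the reasons to stop the request; an empty list means release."""
    reasons = []
    if req.kind == "gift_card":
        if req.channel in ("email", "text"):
            reasons.append("gift card requested by email or text")
        if len(req.approvers) < 2:
            reasons.append("gift card lacks two separate approvals")
        return reasons
    over = req.amount > THRESHOLD
    if req.kind == "bank_change" or over:
        # The call must go to the number already on file, never to one
        # supplied in the message that asked for the change.
        on_file = PHONES_ON_FILE.get(req.vendor)
        if on_file is None:
            reasons.append("no phone number on file for this vendor")
        elif _digits(req.called_number) != _digits(on_file):
            reasons.append("confirmation call was not to the number on file")
    if over and len(req.approvers) < 2:
        reasons.append("amount over threshold lacks a second approver")
    return reasons

if __name__ == "__main__":
    # Constructed case: the clerk called the number printed in the email.
    spoofed = Request("bank_change", "email", 48_000, "acme-supplies",
                      {"ap-clerk", "controller"}, "+1-555-0199")
    print(holds(spoofed))
```

A request is released only when the list comes back empty, which makes the verification call and the second approver a precondition rather than a habit.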
The True Price of Cyberattacks: Beyond Financial Loss
While Orion's $60 million theft captured headlines, the often invisible costs hit small businesses hardest:
- Business operations halting during peak seasons
- Lost productivity as staff deal with incident recovery
- Damaged customer trust if sensitive data is compromised
- Increased insurance premiums following a cyber breach
The average cost per business email compromise incident is $129,000, potentially devastating for many small businesses at the most critical time of year.
Keep Your Holidays Joyful and Secure
The holidays should focus on growth and celebration—not recovering from rampant wire fraud. By conducting a team briefing, enforcing smart policies, and layering security defenses, you can dramatically reduce the risk of cybercriminals infiltrating your finances.
Remember: The Orion employee might have prevented a $60 million loss simply by making one verification call. With the right vigilance and straightforward checks, your business can avoid becoming the next cautionary headline.
