The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a mid-sized company's accounts payable clerk received an alarming text message purporting to be from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Despite her doubts, the message seemed genuine during the hectic holiday rush. By the time she verified the request, the scammer had already collected the cards, leaving the business to absorb the loss.

Although this scam is painful, others can devastate an entire company. That same month, Orion S.A., a Luxembourg chemical manufacturer, suffered a catastrophic fraud. An employee got what appeared to be routine wire transfer requests, likely from trusted partners or colleagues. These requests looked authentic, urgent, and aligned with normal business practices. Without hesitation, the employee processed multiple transfers.

The outcome? Cybercriminals walked away with $60 million—over half the company's annual profits lost through fraudulent wire transfers.

If you believe your small business is too minor a target, think again. Gift card scams alone drained over $217 million from businesses in 2023, while business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday season is a favorite for cybercriminals because your team is distracted, stressed, and handling increased transactions.

5 Crucial Holiday Scams Your Employees Must Recognize (Before They Drain Thousands)

1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)

  • The Scam: Impersonators pretend to be executives, pressuring employees to buy gift cards for "clients" or "employee rewards." In Q1 2024, gift card fraud accounted for 37.9% of business email compromise cases.
  • Prevention: Enforce a strict policy requiring two approvals before any gift card purchase. Train staff that executives never request gift cards via text messages.

2. Invoice and Payment Details Tampering (The High-Stakes Switch)

  • The Scam: Fraudsters send bogus "updated banking information" or hijack vendor email threads just as bills are due. In June 2024, Arlington, MA, lost nearly $500,000 in such a scam.
  • Prevention: Always verify changes to bank details by calling trusted phone numbers—not those in emails. Adopt a "phone confirmation" rule for all financial transactions exceeding $5,000.

3. Fraudulent Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts pretending to be UPS, FedEx, or USPS with links to "reschedule delivery."
  • Prevention: Instruct employees to manually visit carrier websites by typing addresses directly into browsers. Bookmark official tracking pages to avoid malicious links.

4. Dangerous "Holiday Party" Email Attachments

  • The Scam: Emails with attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware when opened.
  • Prevention: Block macros, routinely scan attachments, and cultivate a culture of verifying any unexpected files.

5. Fake Holiday Charity Fundraisers

  • The Scam: Phishing sites impersonate charities or fabricate "company match" donation drives to steal funds or data.
  • Prevention: Provide an approved list of charities and mandate donations only through verified official portals.

Why These Scams Succeed and How to Stop Them

The very tools that streamline business—email, online banking, digital payments—are exploited by scammers. These attacks are sophisticated, using social engineering combined with extensive research about your company.

Organizations that conduct routine phishing simulations reduce their risk by 60%, yet many small businesses skip employee training. Multifactor authentication blocks 99% of unauthorized logins, but many firms still rely solely on passwords.

Your Holiday Cybersecurity Checklist

Before the holiday rush, implement these key defenses:

  • The Two-Person Rule: Any payment above your set limit needs verbal confirmation using a separate communication channel.
  • Gift Card Policy: Establish a clear written policy: No gift card purchases requested via email or text.
  • Vendor Verification: Confirm changes to banking or payment info by calling known phone numbers from your records.
  • Multifactor Authentication: Implement MFA on all email, banking, and cloud accounts.
  • Holiday Awareness Training: Update your team on these top five scams using real-world examples.

The True Cost: Beyond Monetary Losses

While Orion's $60 million loss made headlines, smaller companies often bear heavier hidden costs:

  • Operations stall during peak business seasons
  • Staff productivity plummets as they deal with damage control
  • Customer trust diminishes if sensitive client data is exposed
  • Insurance costs spike following a cyberattack

The average loss per business email compromise is $129,000—an amount that can jeopardize many small enterprises during their busiest season.

Keep Your Holidays Safe and Profitable

The holidays should focus on growth and celebration, not recovering from fraudulent wire transfers. A brief team meeting combined with smart policies and layered security measures can keep cybercriminals far from your financial records.

Remember: A simple verification call could have prevented Orion's $60 million theft. With the right awareness and small precautions, you can protect your business from becoming a cautionary tale.

Want to ensure your team is fully prepared before the New Year? Click here or call us at 314-993-5528 to schedule a 10-Minute Discovery Call. We'll guide you through straightforward, effective steps to secure your business. Don't let cybercriminals ruin your holiday success—the greatest gift you can give your company this season is complete peace of mind.