November 03, 2025
Last December, a mid-sized company's accounts payable clerk received a suspicious text purportedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Although she was unsettled, the message seemed genuine amid the holiday rush. By the time the clerk verified the request, the scammer had already cashed out, leaving the company to absorb the loss.
While that scam was painful, some attacks can devastate businesses completely. That same month, Luxembourg-based chemical manufacturer Orion S.A. was hit by a far more damaging fraud. An employee received emails appearing to be legitimate wire transfer requests from trusted partners or colleagues. The instructions seemed urgent, routine, and aligned with business operations. The employee made multiple large transfers without hesitation.
The consequence? A staggering $60 million—over half of the company's annual profits—vanished via fraudulent wire transfers sent straight to cybercriminals.
Think your small business is too minor a target? Think again. Gift card scams alone cost companies more than $217 million in 2023. Business email compromise attacks made up 73% of all cyber incidents in 2024. Criminals capitalize on holiday distractions, stress, and increased transaction volume to strike.
Top 5 Holiday Scams Your Employees Must Recognize—Before They Drain Your Wallet
1. "Your Boss Needs Gift Cards" Scam: The $3,000 Text Trap
- The Scam: Impersonators pose as executives pressuring staff to purchase gift cards for "clients" or "employee appreciation." In early 2024, 37.9% of business email compromise cases involved gift card fraud.
- How to Prevent: Enforce a strict policy requiring dual approvals for gift card purchases. Educate staff that executives will never request gift cards via text.
2. Invoice and Payment Hijacking: The Big Money Scheme
- The Scam: Scam artists send fake "updated banking details" or hijack vendor email chains near billing deadlines. For instance, in June 2024, Arlington, MA lost nearly $500,000 this way.
- How to Prevent: Always verify banking changes by calling a known number obtained separately from the email, never one supplied in the message itself. Implement a verbal confirmation policy for transactions over $5,000.
3. Fake Shipping and Delivery Alerts
- The Scam: Phishing emails or messages impersonate UPS, FedEx, or USPS with links to "reschedule delivery."
- How to Prevent: Train employees to navigate directly to official carrier websites without clicking suspicious links. Bookmark legitimate tracking pages.
4. Malicious "Holiday Party" Attachments
- The Scam: Emails containing attachments named "Holiday_Schedule.pdf" or "Party_List.xls" can infect systems with malware upon opening.
- How to Prevent: Disable macros, scan all attachments, and build a company culture of verifying unexpected files.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites imitate charities or pretend to offer "company match" programs to steal money or personal data.
- How to Prevent: Provide an approved list of charities and mandate donations go through official company channels.
Why These Scams Succeed—And How to Defend Your Business
Business tools such as email, online banking, and digital payments streamline operations but are prime targets for scammers. These are not amateur phishing attempts but carefully crafted attacks combining social engineering with company-specific research.
Organizations conducting regular phishing tests cut risk by 60%, yet many small businesses still skip employee training. Multifactor authentication blocks 99% of unauthorized attempts, but many companies continue relying solely on passwords.
Your Essential Holiday Cybersecurity Checklist
Prepare before the holiday frenzy with these vital steps:
- Two-Person Rule: Require verbal confirmation via a different communication channel for all transactions exceeding set limits.
- Gift Card Policy: Establish a formal policy prohibiting gift card requests via email or text.
- Vendor Verification: Confirm all financial information changes by calling known contacts already on file.
- Enable Multifactor Authentication: Activate MFA on every email, banking, and cloud platform.
- Holiday Scam Awareness: Educate your team using real-world examples of top holiday scams.
The True Toll: Beyond Financial Loss
While Orion's massive $60 million loss made headlines, hidden consequences often devastate smaller businesses even more:
- Disrupted operations during peak season
- Lost productivity as staff manage crisis recovery
- Damaged customer trust if data breaches occur
- Increased insurance costs following cyber incidents
Average losses from business email compromise soar to $129,000 per incident—threatening the survival of many small businesses at the most critical time of year.
Keep Your Holidays Joyful, Not Risky
The holiday season should be for growth and celebration, not for scrambling to fix fraud fallout. A team briefing, clear policies, and layered security measures build a robust defense against cybercriminals.
Remember: The Orion employee could have prevented a $60 million fraud with one simple confirmation call. With awareness and straightforward checks, your business won't become the next cautionary story.
Ready to fortify your team before the New Year? Call us at 252-240-3399 to schedule a 15-Minute Discovery Call. We'll guide you through effective, easy-to-implement steps to keep your business secure. This holiday season, the greatest gift you can give your company is complete peace of mind.