November 03, 2025
Last December, an accounts payable clerk at a midsize company received a suspicious text allegedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Although it seemed unusual, the message appeared to come from the boss, and holiday chaos was in full swing. By the time she confirmed the request, the scammer had already taken the cards, leaving the company to absorb the loss.
This kind of scam is painful, but others are far more devastating. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a much more severe fraud. An employee received what seemed like standard email requests for wire transfers, likely appearing to come from trusted partners or colleagues. The messages appeared urgent and routine. Without hesitation, the employee authorized multiple transfers as directed.
The fallout? $60 million wired to cybercriminals—over half the company's yearly profits lost in a fraud scheme.
If you believe your small business is too insignificant to be targeted, think again. In 2023, gift card scams alone cost companies more than $217 million, and in 2024, 73% of all cyberattacks on businesses involved email compromise tactics. Cybercriminals exploit hectic holiday periods, knowing your team is overwhelmed, distracted, and processing numerous transactions.
5 Critical Holiday Scams Your Employees Must Recognize (Before They Drain Your Funds)
1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)
- The Scam: Fraudsters impersonate executives, pressuring staff to purchase gift cards supposedly for "clients" or "employee appreciation." In Q1 2024, gift card-related schemes accounted for 37.9% of all business email compromise cases.
- How to Prevent: Enforce a strict company policy requiring two approvals for gift card purchases. Train employees that no executive will request gift cards via text messages.
2. Invoice & Payment Diversions (The Big Money Heist)
- The Scam: Cybercriminals send fake "updated banking information" or hijack vendor email threads precisely when year-end invoices are due. For example, in June 2024, Arlington, MA lost nearly $500,000 due to this tactic.
- How to Prevent: Always verify banking changes through a phone number you already have on file, not the one provided in the email. Institute a "phone call verification" step for all financial changes above $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts pretending to be from UPS, FedEx, or USPS, urging recipients to click links to "reschedule delivery."
- How to Prevent: Educate your team to visit carrier websites by typing URLs directly into their browsers. Encourage bookmarking official tracking pages to avoid falling for phishing links.
4. Malicious "Holiday Party" Attachments
- The Scam: Emails containing attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that install malware once opened.
- How to Prevent: Disable macros, scan attachments rigorously, and foster a culture of verifying unexpected files before opening.
5. Fake Holiday Fundraiser Scams
- The Scam: Phishing sites imitate legitimate charities or fake "company match" fundraisers to steal money or sensitive information.
- How to Prevent: Provide employees with a vetted charity list and require all donations to be made through verified company portals.
Why These Scams Succeed (And How To Protect Your Business)
Tools like email, online banking, and digital payments streamline business—but they also expose vulnerabilities that scammers exploit. These aren't outdated "Nigerian prince" cons. They are sophisticated, targeted attacks combining social engineering with in-depth research on your company.
Businesses that conduct regular phishing drills reduce their risk by 60%, yet many small companies skip employee training altogether. Multifactor authentication prevents 99% of unauthorized logins, but numerous organizations still rely solely on passwords.
Your Essential Holiday Security Checklist
Prepare your team before the busy season ramps up with these steps:
- The Two-Person Rule: Require verbal confirmation through a separate channel for all transactions above your defined limit.
- Gift Card Policy: Officially ban gift card requests via email or text.
- Vendor Verification: Verify all payment or banking changes by contacting vendors via existing phone numbers.
- Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud services.
- Holiday Scam Training: Educate your team about these five key scams using real-world examples.
The True Cost: Beyond Financial Loss
While Orion's $60 million loss made waves, smaller businesses often suffer additional hidden impacts:
- Business operations stall during peak demand periods
- Lost productivity as staff scramble to manage the aftermath
- Diminished customer trust if sensitive client data is compromised
- Increased insurance premiums after cyber incidents occur
The average financial toll per business email compromise is $129,000 — enough to endanger many small companies, especially during critical times.
Protect Your Holidays: Keep Them Cheerful and Secure
The holiday season should focus on growth and celebration—not crisis recovery from costly fraud. A straightforward team briefing, firm policies, and layered security measures can effectively block criminals from infiltrating your finances.
Remember: The employee at Orion could have prevented a $60 million loss with a simple verification call. With the right vigilance and easy safety checks, your business can steer clear of becoming the next cautionary headline.