
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a medium-sized company received an urgent text claiming to be from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them. Although it seemed suspicious, the message used the boss's name and arrived during peak holiday busyness. By the time she verified the request, the gift cards had already been cashed out, and the business suffered the loss.

This scam is painful, but some attacks devastate companies even further. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell victim to a far more damaging fraud. An employee received what looked like standard email requests for wire transfers, seemingly from trusted colleagues or partners. The requests appeared urgent, authentic, and consistent with usual operations. Trusting them, the employee processed multiple transfers.

The outcome? $60 million wired straight to cybercriminals—over half of the company's yearly profits lost in fraudulent transfers.

If you believe your small business is safe from such threats, think again. Gift-card scams alone cost businesses over $217 million in 2023. Additionally, business email compromise attacks accounted for 73% of cyber incidents in 2024. The holiday season is prime time for these attacks because criminals exploit your team's distraction, stress, and increased transaction volumes.

Top 5 Holiday Scams Your Employees Must Recognize to Prevent Costly Losses

1. "Urgent Gift Card Requests from Your Boss" (Avoid the $3,000 Text Trap)

  • The Scam: Impersonators pretend to be executives, pressuring staff to purchase gift cards for "clients" or "employee rewards." In the first quarter of 2024, 37.9% of business email compromise cases were tied to gift card fraud.
  • How to Prevent: Enforce a company policy requiring two approvals before any gift card purchases. Educate employees that executives will never request gift cards via text message.

2. Invoice and Payment Details Fraud (The High-Stakes Switch)

  • The Scam: Scammers send counterfeit "updated banking info" or hijack email threads with vendors right when payments are due. For example, in June 2024, the Town of Arlington, MA, lost nearly $500,000 to such a fraud.
  • How to Prevent: Always verify banking changes by calling a known number—not the one in the email. Implement a "phone call rule" for any financial changes exceeding $5,000.

3. Fake Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts pretending to be from UPS, FedEx, or USPS prompt recipients to click links to "reschedule delivery."
  • How to Prevent: Train employees to navigate directly to official carrier websites instead of clicking on suspicious links. Bookmark genuine tracking pages to avoid phishing attempts.

4. Malicious Holiday Party Attachments

  • The Scam: Emails containing attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that launch malware upon opening.
  • How to Prevent: Block macros, scan all attachments with security tools, and foster a culture where unexpected files are verified before opening.

5. Fake Holiday Fundraising Campaigns

  • The Scam: Phishing websites mimic charities or fake "company match" programs intending to steal donations or data.
  • How to Prevent: Provide employees with an approved charity list and require all contributions to be made through official channels.

Why These Scams Succeed and How to Stop Them

The very tools that increase business efficiency—email, online banking, digital payments—are precisely what scammers exploit. These are sophisticated attacks combining social engineering with in-depth research on your company.

Companies conducting regular phishing simulations reduce their risk by 60%, yet most small businesses skip employee training. Multifactor authentication prevents 99% of unauthorized account access, but many businesses still rely solely on passwords.

Your Essential Holiday Security Checklist

Prepare your business with these critical steps before the holiday rush begins:

  • Two-Person Verification: Any transaction above your limit must be confirmed verbally through a different communication channel.
  • Gift Card Policy: Establish a written policy forbidding gift card requests via email or text.
  • Vendor Verification: Confirm all payment or banking updates by phone using existing contact numbers.
  • Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud platforms.
  • Holiday Scam Awareness: Educate your team on these five scams, sharing real-life stories for impact.

The True Cost: Beyond Money

While Orion's $60 million loss made headlines, the unseen toll often affects small businesses more severely:

  • Business operations stalled during critical periods.
  • Lost productivity as employees deal with damage control.
  • Damaged customer trust if sensitive data is breached.
  • Increased insurance premiums following cyber incidents.

The average financial hit per business email compromise is $129,000—enough to shutter many small companies at the worst time of year.

Keep Your Holidays Joyful and Fraud-Free

The holiday season should bring growth and celebration—not stress from wire fraud. A brief team meeting, clear policies, and layered security measures can effectively block cybercriminals from your finances.

Remember: the employee at Orion could have stopped that $60 million loss with a single verification phone call. With awareness and simple checks, your business can avoid becoming the next cautionary story.

Ready to secure your team before the New Year? Click here or call us at 888-638-3621 to schedule a 15-Minute Discovery Call. We'll guide you through quick, effective steps to protect your business. Don't let cybercriminals steal your holiday success—the best gift you can give your business this season is peace of mind.