November 03, 2025
Last December, a mid-sized company's accounts payable clerk received an alarming text, seemingly from her CEO: "Purchase $3,000 in Apple gift cards for clients, scratch off the backs, and email the codes." Though she was suspicious, the message bore the boss's name and it was the hectic holiday season. Before she realized it, the cards had vanished, the scammer disappeared with the funds, and the company absorbed the loss.
While this scam was damaging, some cyberattacks cause far greater devastation. That same month, Luxembourg-based chemical firm Orion S.A. was duped by a sophisticated fraud. An employee received seemingly routine emails requesting wire transfers — appearing to come from trusted colleagues or partners. The requests were urgent and aligned with typical business processes. Trusting them, the employee approved multiple costly transfers.
The outcome? Cybercriminals walked away with $60 million — over half the company's yearly profits lost in one fraudulent wire transfer spree.
If you believe your small business isn't at risk, think again. Gift card scams alone cost companies more than $217 million in 2023, and business email compromise attacks made up 73% of cyber incidents in 2024. Criminals exploit the holiday rush, knowing your team is overwhelmed and handling more transactions than usual.
Top 5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Funds)
1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)
- The Scam: Impersonators pose as executives, pressuring employees to buy gift cards for "clients" or "staff rewards." In Q1 2024, these gift-card frauds accounted for 37.9% of business email compromise cases.
- How to Prevent: Implement a strict policy requiring two separate approvals for gift card purchases. Train employees to know executives never request such purchases via text.
2. Invoice & Payment Redirection (Large-Scale Financial Fraud)
- The Scam: Criminals send fake "updated bank details" or hijack vendor email threads during peak billing times. For instance, the Town of Arlington, MA, lost nearly $500,000 to this tactic in June 2024.
- How to Prevent: Always verify changes to bank details via a known phone number, not the one in the email. Enforce a "phone call confirmation" rule for all financial transactions exceeding $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts impersonate carriers like UPS, FedEx, or USPS, providing links to "reschedule deliveries."
- How to Prevent: Train staff to access carrier websites directly by typing URLs or using bookmarks, avoiding suspicious links.
4. Harmful "Holiday Party" Attachments
- The Scam: Emails with attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware upon opening.
- How to Prevent: Disable macros, scan attachments before opening, and cultivate a culture of verifying unexpected files.
5. Fraudulent Holiday Fundraising Campaigns
- The Scam: Fake charity websites or forged "company match" drives designed to steal donations or sensitive data.
- How to Prevent: Provide an approved list of charities and require that all contributions go through legitimate portals.
Why These Scams Succeed (And How To Protect Your Business)
Crucial business tools like email, online banking, and digital payments empower companies — but also open doors for cybercriminals. These attacks are sophisticated: they rely on social engineering and company-specific research, and are far from crude "Nigerian prince" scams.
Firms conducting regular phishing simulations cut risk by 60%, though many small businesses neglect employee training. Enabling multifactor authentication can block 99% of unauthorized access, yet numerous organizations still depend solely on passwords.
Your Essential Holiday Cybersecurity Checklist
Before the holiday rush, implement these safeguards:
- Two-Person Verification: Require verbal confirmation via a separate channel for all transactions above your established limit.
- Gift Card Rules: Clearly state in policy: no gift card purchases requested through email or text.
- Vendor Confirmation: Verify any changes in payment information by calling pre-approved, on-file numbers.
- Enforce MFA: Activate multifactor authentication across all email, banking, and cloud platforms.
- Holiday Scam Awareness: Educate your team on these five scams using real-life stories.
The Hidden Impact: More Than Dollars Lost
Though Orion's $60 million loss grabbed headlines, smaller businesses often feel the hidden pain even more:
- Operations halt during critical seasons
- Loss of productivity as teams scramble to recover
- Damaged customer trust, especially if sensitive data is exposed
- Insurance costs surge following cyber incidents
On average, each business email compromise incident costs $129,000 — a disastrous blow for many small businesses, especially during peak periods.
Keep Your Holidays Joyful, Not Disrupted
Holidays should be a time for growth and celebration, not damage control from wire fraud. A quick team meeting, solid policies, and simple layered security measures provide powerful defense against cybercriminals.
Remember: the employee at Orion could have stopped a $60 million loss with one verification call. With the right awareness and checks, your business can avoid becoming the next headline.