November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent message appearing to be from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. The request looked suspicious, but it came under the boss's name amid the hectic holiday season. Unfortunately, by the time she verified it, the scammer had already cashed out, and the company suffered the loss.
While this scam was painful, some attacks can devastate a business entirely. In that same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a far more catastrophic fraud. An employee received what seemed like regular email requests for wire transfers—likely from a trusted colleague or partner. These requests appeared urgent, legitimate, and fitting typical business routines. Without question, the employee authorized multiple transfers.
The outcome? Cybercriminals captured $60 million—more than half of the company's annual profits—through a series of fraudulent wire transfers.
If you think your small business isn't a target, think again. Gift card scams alone drained over $217 million from businesses in 2023, and business email compromise attacks accounted for 73% of cyber incidents in 2024. The holiday season is prime time for such threats because your team is distracted, stressed, and handling more transactions than usual.
5 Holiday Scams Your Employees Must Recognize (Before They Cost You Thousands)
1. "Your Boss Needs Gift Cards" (The $3,000 Text Deception)
- The Scam: Impersonators pose as executives, pressuring employees to buy gift cards for "clients" or "employee appreciation." In Q1 2024, 37.9% of business email compromise cases involved gift card fraud.
- How to Prevent It: Enforce a strict policy requiring two approvals for gift card purchases. Educate employees that executives will never request gift cards via text.
2. Invoice & Payment Switches (The Costly Money Maneuver)
- The Scam: Fraudsters send false "updated banking details" or hijack vendor emails right when bills are due. In June 2024, the Town of Arlington, MA, lost nearly $500,000 this way.
- How to Prevent It: Always verify banking changes via a trusted phone number—not the one in the email. Implement a mandatory phone call confirmation for all financial modifications over $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts impersonate carriers like UPS, FedEx, or USPS with links to "reschedule delivery."
- How to Prevent It: Train staff to avoid clicking suspicious links and instead type carrier websites directly or use bookmarked official tracking pages.
4. Malicious "Holiday Party" Attachments
- The Scam: Emails carry attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that install malware when opened.
- How to Prevent It: Block macros, scan all attachments, and create a culture of verifying unexpected files before opening.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites impersonate charities or pose as company matching campaigns to steal money or data.
- How to Prevent It: Distribute a vetted list of approved charities and require donations only through official portals.
Why These Attacks Succeed (And How You Can Block Them)
The very tools that boost your efficiency—email, online banking, digital payments—are exploited by scammers. These are not your typical "Nigerian prince" scams. Instead, they are advanced attacks combining social engineering and in-depth company research.
Organizations conducting regular phishing simulations cut risks by 60%, yet many small businesses skip employee training. Multifactor authentication prevents 99% of unauthorized logins, but some still rely solely on passwords.
Your Essential Holiday Cyber Defense Checklist
Prepare now for a secure holiday season:
- Two-Person Rule: Require verbal confirmation through a separate channel for any transaction above your set limit.
- Gift Card Policy: Establish a strict, written ban on gift card requests via email or text.
- Vendor Verification: Confirm all payment changes by calling numbers already on file.
- Multifactor Authentication: Activate MFA across all email, banking, and cloud platforms.
- Holiday Awareness: Educate your team about these five scams using real-world examples.
The True Cost: Beyond the Money
While Orion's $60 million loss grabbed headlines, smaller businesses often endure hidden impacts:
- Operations disrupted during peak season
- Lost productivity as teams scramble to recover
- Damaged customer trust, especially if data is exposed
- Insurance costs rising post-cyber incident
The typical business email compromise results in $129,000 lost—enough to jeopardize many small businesses at the worst possible time of year.
Ensure Your Holidays Stay Merry, Not Messy
The holiday season is for growth and celebration—not battling wire fraud. A simple team meeting, clear policies, and layered defense measures can keep cybercriminals away from your finances.
Remember: The employee at Orion could have prevented a $60 million loss with a single verification call. With awareness and smart safeguards, your business can avoid becoming the next headline.
Ready to secure your team before the New Year? Call us at 816-233-3777 to schedule a 15-Minute Discovery Call with our experts. We'll guide you through practical steps to protect your business. Don't let cybercriminals ruin your holiday success; the best gift this season is peace of mind.