November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent text message from someone claiming to be the "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them. Although it sounded suspicious, the message carried the boss's name and arrived during the hectic holiday season. By the time she verified the request, the gift cards were already spent, the scammer had vanished, and the business absorbed the loss.
While this scam caused financial pain, some attacks can devastate a business completely. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, was targeted by a catastrophic fraud. An employee received emails mimicking routine wire transfer requests—seemingly from trusted colleagues or partners. The urgent and seemingly legitimate messages synchronized perfectly with regular business processes. Without hesitation, the employee authorized multiple transfers as instructed.
The aftermath? $60 million, over half of the company's annual profits, was wired to cybercriminals in a series of fraudulent transactions.
If you believe your small business is too insignificant to be targeted, reconsider. Gift card scams alone cost businesses more than $217 million in 2023, and business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday season presents a prime opportunity for attackers who exploit distracted teams, heightened stress, and an increased volume of transactions.
Top 5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Budget)
1. "Your Boss Needs Gift Cards" Scam (The $3,000 Text Trap)
- The Scam: Impersonators pose as company owners or managers, pressuring employees to buy gift cards for "clients" or "employee appreciation." In early 2024, 37.9% of business email compromise incidents involved gift card fraud.
- How to Prevent: Enforce a strict policy requiring two approvals before purchasing gift cards. Train your team that executives will never request gift cards via text messages.
2. Invoice & Payment Details Hijacking (The High-Stakes Scheme)
- The Scam: Fraudsters send notifications of "updated bank details" or hijack vendor email threads right when year-end payments are due. In June 2024, the Town of Arlington, MA, lost almost half a million dollars to this tactic.
- How to Prevent: Always verify banking changes by calling a known, trusted phone number—not the one provided in the email. Implement a "phone call rule" for all financial changes exceeding $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts pretending to be from UPS, FedEx, or USPS containing malicious links to "reschedule delivery."
- How to Prevent: Instruct employees to access carrier websites directly by typing URLs into browsers. Save official tracking pages as bookmarks to avoid harmful links.
4. Malicious "Holiday Party" Attachments
- The Scam: Emails carrying attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware when opened.
- How to Prevent: Block macros, scan all attachments, and encourage employees to verify unexpected files before opening them.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites impersonate charities or fake "company match" campaigns to steal donations or sensitive data.
- How to Prevent: Maintain and share an approved charity list, and require all donations to go through official company channels.
Why These Scams Succeed & How to Defend Your Business
While e-mail, online banking, and digital payments streamline business, these very tools are gateways for cybercriminals. These aren't just simple scams; they are sophisticated attacks combining social engineering and tailored research targeting your organization.
Companies conducting regular phishing drills reduce risks by 60%, but many small businesses neglect this critical training. Multifactor authentication safeguards against 99% of unauthorized access, yet many still rely solely on passwords.
Your Essential Holiday Security Checklist
Before the holiday rush, implement these protective measures:
- Two-Person Rule: Require verbal confirmation through a separate communication channel for transactions above a set limit.
- Gift Card Policy: Establish a written policy forbidding gift card purchases via email or text.
- Vendor Verification: Confirm all payment or banking updates by calling numbers already on file.
- Multifactor Authentication (MFA): Activate MFA on all email, banking, and cloud services.
- Holiday Scam Awareness: Educate your team about these five scams using real-life examples.
The True Impact: Beyond Just Dollars
While Orion's $60 million loss captured attention, smaller businesses often face tougher hidden consequences:
- Workflow disruptions during critical business periods
- Lost productivity as staff scramble to resolve issues
- Damage to customer trust if private data is compromised
- Insurance cost increases after cyberattacks
On average, each business email compromise incident costs $129,000 — an amount that can jeopardize many small businesses, especially during peak seasons.
Ensure Your Holidays Are Joyful, Not Disrupted
Holidays are for growth and celebration—not cleaning up after wire fraud. A quick team meeting, solid policies, and layered defenses are your best shields to keep scammers away from your finances.
Remember: A simple verification phone call could have stopped the $60 million loss at Orion. With the right knowledge and easy precautionary steps, your business can avoid becoming a headline cautionary tale.