The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

Last December, an accounts payable clerk at a midsize company received an urgent text message from someone pretending to be her "CEO": Purchase $3,000 worth of Apple gift cards for clients, then scratch off the codes and email them immediately. Though it sounded suspicious, the message appeared to come from her boss, and with the hectic holiday rush, she followed the instructions. By the time she verified, the cards had already been used, the scammer vanished, and the company absorbed the loss.

While this scam caused frustration, others can devastate an entire business. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, suffered a catastrophic attack. An employee received seemingly routine email requests for wire transfers—looking like they came from a trusted partner or colleague. The requests appeared urgent and consistent with regular business activity. Without hesitation, the employee authorized multiple transfers as requested.

The consequence? Cybercriminals walked away with $60 million—a loss exceeding half of Orion's annual profits due to fraudulent wire transfers.

Think your small business is safe from these threats? Think again. In 2023 alone, gift-card scams drained businesses of over $217 million, while business email compromise attacks made up 73% of cyber incidents in early 2024. The holiday season is a prime window for attackers, exploiting the distractions, stress, and increased transaction volume your team faces.

5 Holiday Scams Your Employees Must Recognize Before They Drain Your Funds

1. "Your Boss Needs Gift Cards" (The $3,000 Text Fraud)

• The Scam: Impersonators pose as executives, pressuring staff to buy gift cards for "clients" or "employee gifts." In Q1 2024, nearly 38% of business email compromises involved such gift card fraud.
• How to Prevent It: Implement strict company rules: No gift card purchases without dual approvals. Educate employees that executives will never request gift cards via text message.

2. Invoice & Payment Details Swaps (The High-Stakes Heist)

• The Scam: Fraudsters send fake "updated banking information" or infiltrate vendor email threads right before year-end payments are due. For example, Arlington, MA, lost nearly $500,000 to this scam in June 2024.
• How to Prevent It: Always verify banking changes by calling a trusted phone number—not the one provided in the email. Establish a "phone call rule" for any financial changes over $5,000.

3. Fake Shipping and Delivery Alerts

• The Scam: Phishing emails or texts pretending to be from UPS, FedEx, or USPS contain links to "reschedule delivery."
• How to Prevent It: Train employees to visit the carrier's official website directly instead of clicking on links. Bookmark genuine tracking pages to avoid falling for malicious links.

4. Malicious "Holiday Party" Email Attachments

• The Scam: Emails titled "Holiday_Schedule.pdf" or "Party_List.xls" may carry malware downloads when opened.
• How to Prevent It: Disable macros, run thorough scans on all attachments, and encourage verification of unexpected files before opening.

5. Fake Holiday Fundraising Campaigns

• The Scam: Phishing websites masquerade as charities or fake company match drives to steal money or sensitive data.
• How to Prevent It: Provide employees with an approved list of charities and require donations to be made through official platforms only.

Why These Scams Succeed and How You Can Stop Them

The very tools that streamline business operations—email, online banking, and digital payments—are exploited by savvy scammers. These attacks aren't simple "Nigerian prince" emails but highly sophisticated, using social engineering combined with research on your company.

Companies conducting regular phishing simulations reduce risk by 60%, yet many small businesses neglect employee training altogether. Multifactor authentication blocks 99% of unauthorized access, but countless businesses still rely solely on passwords.

Your Holiday Cybersecurity Checklist

To protect your business during the busy season, implement these key steps:

• Two-Person Verification Rule: Any transaction exceeding your threshold must be verbally confirmed through a different communication method.
• Gift Card Policy: Establish a strict written policy prohibiting gift card purchases via email or text.
• Vendor Confirmation: Verify any banking or payment changes by calling known numbers on file.
• Enable Multifactor Authentication: Protect all email, banking, and cloud services with MFA.
• Holiday Awareness Training: Brief your team on these five common scams using real-world examples.

The True Costs Extend Beyond Money

Although Orion's $60 million loss attracted media attention, small businesses often suffer even more from hidden impacts such as:

• Operations grinding to a halt during peak periods
• Decreased productivity as staff address aftermaths
• Loss of client trust if data is breached
• Rising insurance costs after cyber incidents

The average loss from a business email compromise incident is $129,000—enough to endanger many small businesses during the worst time of year.

Keep Your Holidays Joyful and Fraud-Free

The holidays should be about growth and celebration—not struggling with wire fraud fallout. A simple team meeting, clear policies, and layered security measures offer powerful defenses against cybercriminals.

Remember: One verification call prevented Orion's employee from losing $60 million. With the right awareness and straightforward checks, you can protect your business from becoming the next cautionary story.

Ready to secure your team before the New Year? Click here or call us at 316-867-4566 to schedule a 15-Minute Discovery Call. We'll guide you through effective, practical steps to safeguard your business. Don't let cybercriminals ruin your holiday success; the best gift you can give your company this season is peace of mind.