The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a mid-sized company's accounts payable clerk received an urgent text that appeared to come from her CEO: purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them back. The request sounded suspicious, but the message bore her boss's name and arrived in the middle of the holiday rush. By the time she double-checked, the cards had already been spent, the scammer had vanished, and the company absorbed the loss.

This scam was costly, but others can devastate businesses entirely. That same month, Orion S.A., a Luxembourg chemical manufacturer, fell prey to a far more damaging fraud. An employee received what appeared to be routine, urgent email requests for wire transfers from trusted colleagues or partners. Believing them genuine, the employee processed multiple transfers without hesitation.

The outcome? Cybercriminals walked away with $60 million—over half the company's annual profits—through a series of fraudulent wire transfers.

Don't assume your small business is safe. Gift card scams alone cost companies more than $217 million in 2023, and business email compromise (BEC) attacks made up 73% of all cyber incidents in 2024. The holiday season is a prime target period as cybercriminals exploit distractions, stress, and increased transaction volumes.

5 Holiday Scams Your Team Must Recognize (Before They Drain Your Budget)

1. "Your Boss Wants Gift Cards" (The Costly $3,000 Text Scam)

  • The Scam: Fraudsters impersonate executives, pressuring employees to buy gift cards for "clients" or "employee appreciation." In Q1 2024 alone, gift card-related BEC made up 37.9% of incidents.
  • How to Stop It: Enforce a policy requiring two approvals before any gift card purchase. Train staff that no executive will ever request gift cards via text message.

2. Invoice & Payment Diversions (The Costly Year-End Deception)

  • The Scam: Cybercriminals send false "updated banking details" or hijack email threads with vendors right when bills are due. In June 2024, Arlington, MA lost nearly $500,000 due to such a scam.
  • Prevention: Always verify banking changes by calling a known phone number, not the one provided in the email. Implement a mandatory phone call verification for financial changes exceeding $5,000.

3. Fake Shipping & Delivery Notifications

  • The Scam: Phishing emails or texts pose as UPS, FedEx, or USPS with links to "reschedule delivery."
  • Protection Tips: Train employees to visit carrier websites directly by typing URLs or using bookmarks to avoid malicious links.

4. Malicious "Holiday Party" Email Attachments

  • The Threat: Attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that trigger malware infections upon opening.
  • How to Prevent: Block macros, scan all attachments thoroughly, and cultivate a culture of verifying unexpected files with senders.

5. Fraudulent Holiday Fundraisers

  • The Scam: Fake charity websites or counterfeit "company match" donation campaigns designed to steal funds or sensitive data.
  • Defense: Maintain and share an approved list of charities. Require all donations to be routed through official company portals.

Why These Scams Succeed and How You Can Protect Your Business

The digital tools businesses rely on—email, online banking, digital payments—are the very channels scammers exploit. These aren't amateur phishing attempts from strangers, but highly sophisticated tactics combining social engineering with detailed knowledge of your company.

Companies that conduct regular phishing drills reduce their risk by 60%, yet many small businesses skip this vital training. Multifactor authentication (MFA) prevents 99% of unauthorized logins, but far too many organizations still rely on passwords alone.

Your Essential Holiday Security Checklist

Prepare your team before the holiday season peaks with these key steps:

  • The Two-Person Rule: Require verbal, separate-channel confirmation for any transaction exceeding your set limit.
  • Gift Card Policy: Make it official: No gift card purchases via email or text.
  • Vendor Verification: Confirm all changes to banking or payment information by phone using trusted contact numbers.
  • Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud accounts for added protection.
  • Holiday Scam Awareness: Brief your team on these five common scams using real-life examples.

The True Price: Beyond Financial Loss

While Orion's $60 million setback grabbed headlines, smaller businesses often face deeper hidden repercussions:

  • Disruptions during peak operating periods
  • Lost productivity as staff address crisis recovery
  • Damaged customer trust if private data is exposed
  • Rising insurance premiums following cyber incidents

The average financial loss per business email compromise is a staggering $129,000—enough to devastate many small businesses in their critical season.

Make This Holiday Season Secure and Stress-Free

Holidays should focus on growth and celebration—not cleaning up after fraud. A quick team huddle, smart policies, and layered safeguards dramatically reduce your risk and protect your bottom line.

Remember: The Orion employee could have prevented a $60 million theft with just one verification phone call. With proper awareness and simple safeguards, your business can avoid becoming the next cautionary story.

Want to ensure your team is prepared before the New Year? Click here or call us at 312-564-5446 to schedule an Initial Consultation and discover quick, practical steps to fortify your business. Don't let cybercriminals ruin your holiday success—the best gift you can give your company this season is peace of mind.