The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

Last December, an accounts payable clerk at a midsize company received an urgent text appearing to be from her CEO: Buy $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them immediately. Though suspicious, the message bore the CEO's name, and holiday pressure was mounting. By the time she verified, the scammer had vanished with the funds, leaving the business to absorb the loss.

This type of scam is harmful, but some attacks cause far greater damage. For instance, Orion S.A., a Luxembourg chemical firm, fell prey in the same month to a much more severe fraud. An employee received what seemed like standard email requests to initiate wire transfers from trusted partners. Seeming urgent and routine, these requests were processed without question.

The devastating outcome? Cybercriminals stole $60 million—over half of Orion's annual profits—through fraudulent wire transfers executed in quick succession.

Don't assume your small business is safe. In 2023 alone, gift card scams cost companies over $217 million. Moreover, business email compromise (BEC) attacks made up 73% of all cyber incidents in 2024. The holiday season is especially risky: criminals exploit the chaos, distractions, and increased transaction volumes to target your team.

5 Critical Holiday Scams Your Employees Must Recognize to Prevent Costly Losses

1. The "Your Boss Needs Gift Cards" Scam (The $3,000 Text Trap)

• The Scam: Fraudsters impersonate owners or managers, pressuring employees to buy gift cards claiming they are for clients or as employee rewards. Alarmingly, 37.9% of BEC incidents in Q1 2024 involved gift card scams.
• How to Prevent: Enforce a strict policy requiring two approvals before purchasing gift cards. Educate employees that executives will never request gift cards via text messages.

2. Invoice & Payment Account Changes (The High-Stakes Money Grab)

• The Scam: Scammers send fraudulent "updated banking details" or infiltrate vendor email chains near year-end, redirecting payments to their accounts. In June 2024, the Town of Arlington, MA, fell victim and lost nearly $500,000.
• How to Prevent: Always verify any banking details changes by calling a trusted phone number outside of email communications. Institute a "phone call confirmation rule" for payments exceeding $5,000.

3. Fake Shipping and Delivery Notifications

• The Scam: Phishing emails or texts impersonate courier services like UPS, FedEx, or USPS, including links to "reschedule delivery" which infect devices with malware.
• How to Prevent: Teach employees to avoid clicking these links and instead enter carrier websites directly via a browser or use bookmarked tracking pages to avoid phishing traps.

4. Malicious Holiday Party Attachments

• The Scam: Emails containing attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that, when opened, deploy malware.
• How to Prevent: Disable macros, scan all attachments with security software, and foster a culture where employees verify unexpected files before opening.

5. Fraudulent Holiday Fundraisers

• The Scam: Fake charity websites or bogus "company match" campaigns designed to steal funds or personal data.
• How to Prevent: Provide and circulate an approved list of charities, ensuring all donations are made only through verified platforms.

Understanding Why These Scams Succeed and How to Defend Your Business

Common business tools like email, online banking, and digital payment platforms are ironically exploited by cybercriminals. These schemes are not your typical "Nigerian prince" emails—they combine social engineering with tailored research about your company.

Organizations conducting regular phishing simulations reduce their risk by 60%, yet many small businesses ignore employee training. Multifactor authentication (MFA) prevents 99% of unauthorized logins, but many companies still depend solely on passwords.

Your Essential Holiday Cybersecurity Checklist

Prepare your company for the holiday rush with these crucial steps:

• Enforce a Two-Person Verification Rule: Require verbal confirmation via separate communication channels for any transaction exceeding your threshold.
• Implement a Gift Card Purchase Policy: Clearly state that purchasing gift cards through email or text is prohibited.
• Vendor Banking Changes Verification: Confirm all payment or banking adjustments by calling numbers already on file.
• Enable Multifactor Authentication: Apply MFA on all email accounts, online banking, and cloud services.
• Holiday Scam Awareness Training: Brief your team about these five scams with real-life examples to increase vigilance.

Beyond Financial Loss: The Hidden Toll of Cyberattacks

While Orion's multi-million dollar loss grabbed headlines, smaller businesses often suffer concealed impacts:

• Disruption of operations during peak business periods
• Lost productivity as employees focus on incident recovery
• Damaged customer trust if sensitive client data is breached
• Rising insurance premiums after cyber incidents

The average loss per business email compromise episode is $129,000—enough to devastate many small enterprises during the busiest time of year.

Secure Your Holidays for Growth and Joy

Holidays should bring prosperity and celebration—not the stress of fraud clean-up. By holding a focused team meeting, implementing clear policies, and layering security defenses, you significantly reduce risks and keep cybercriminals at bay.

Remember: A simple verification call stopped a $60 million theft at Orion. With vigilance and easy safeguards, your business can avoid becoming the next cybercrime headline.

Ready to fortify your team before the New Year? Click here or call us at 609-676-3597 to schedule a 15-Minute Discovery Call. We'll guide you through effective, practical steps to secure your business. Don't let hackers spoil your holiday success—the greatest gift you can give your company this season is lasting peace of mind.