November 03, 2025
In December, an accounts payable clerk at a midsize company received an urgent and unusual text allegedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Though suspicious, the message appeared to come from her boss during the peak holiday rush. By the time she verified, the scammer had already drained the funds, leaving the company with a significant loss.
This type of scam is painful, but even more damaging attacks exist. For example, that same month, Orion S.A., a Luxembourg-based chemical firm, suffered a catastrophic fraud. An employee received what seemed to be ordinary email requests for wire transfers from trusted partners. These requests appeared urgent and aligned with business norms. Without hesitation, the employee authorized multiple wire transfers.
The devastating outcome? Cybercriminals siphoned away $60 million — over half of the company's annual profits — through these fake wire transfers.
If you think smaller businesses are safe, think again. Gift card scams alone cost companies more than $217 million in 2023. Meanwhile, business email compromise attacks made up 73% of all cyber incidents in 2024. The holiday season is a peak target time because scammers exploit distracted, stressed teams rushing through increased transactions.
5 Crucial Holiday Scams Your Team Must Recognize (Before They Drain Your Budget)
1. "The Boss Needs Gift Cards Now" (The $3,000 Text Scam)
- The Threat: Scammers impersonate executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, nearly 38% of business email compromise cases involved gift card fraud.
- How to Defend: Enforce strict company policies requiring two levels of approval for gift card purchases. Train employees that executives will never request gift cards via text.
2. Invoice & Payment Diversions (The Large Transfer Swindle)
- The Threat: Fraudsters send fake "updated banking info" or hijack vendor emails just as year-end payments are due. Arlington, MA lost nearly $500,000 in June 2024 due to such an attack.
- How to Defend: Always verify banking changes via a trusted phone number — never just by email. Adopt a strict "phone call confirmation" policy for financial transactions above $5,000.
3. Fake Shipping & Delivery Alerts
- The Threat: Phishing emails or texts claim to be from UPS, FedEx, or USPS with links prompting "reschedule delivery."
- How to Defend: Train employees to manually enter courier websites or bookmark official tracking pages instead of clicking suspicious links.
4. Malicious "Holiday Party" Email Attachments
- The Threat: Emails contain attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware when opened.
- How to Defend: Block macros, scan attachments thoroughly, and encourage employees to verify unexpected files before opening them.
5. Fraudulent Holiday Fundraisers
- The Threat: Scammers create fake charity sites or bogus "company match" campaigns to steal money or data.
- How to Defend: Provide employees with an approved charity list and require donations to go only through official channels.
Why These Scams Are Effective (And How To Prevent Them)
The very technologies that optimize business — email, online banking, digital payments — are exploited by sophisticated scammers. These aren't your typical "Nigerian prince" scams; they involve detailed research and social engineering tailored to your company.
Companies that conduct regular phishing drills lower their risk by 60%, yet many small businesses don't train employees. Multifactor authentication blocks 99% of unauthorized logins, but many still rely solely on passwords.
Your Essential Holiday Security Checklist
Prepare now before holiday chaos peaks:
- Two-Person Rule: Require verbal confirmation through a separate channel for transactions over a set threshold.
- Gift Card Policy: Establish a strict written policy banning gift card purchases via email or text.
- Vendor Verification: Verify all payment or banking changes by calling known numbers on file.
- Multifactor Authentication: Activate MFA across all email, banking, and cloud accounts.
- Holiday Awareness Training: Educate your team about these five scams using real-world examples.
The True Toll: Beyond Just Financial Loss
Though Orion's headline $60 million loss shocked many, smaller businesses often face even harsher hidden consequences:
- Operations freeze during critical peak times
- Staff productivity plummets while resolving fraud aftermath
- Client trust erodes if sensitive data leaks
- Insurance rates surge post-incident
On average, businesses lose about $129,000 per email compromise attack — an amount that can devastate small companies during their most important season.
Keep Your Holidays Joyful and Fraud-Free
The holiday season should bring growth and celebration — not costly fraud cleanups. A quick team meeting, clear policies, and a few layered security steps dramatically reduce your risk of scams.
Remember: The Orion employee could have prevented a $60 million loss with a single verification call. With the right awareness and simple checks, your business can avoid becoming the next cautionary story.