The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize business received a suspicious text 'from her CEO' demanding $3,000 in Apple gift cards to send to clients and asking her to scratch off the cards and email the codes. Although it seemed unusual, the message appeared to come from her boss amid hectic holiday deadlines. By the time she realized it was a scam, the thief had already cashed out and the company had suffered the loss.

While this scam caused financial pain, others can devastate businesses completely. That same month, Luxembourg-based chemical company Orion S.A. was deceived through seemingly standard email transfer requests, which appeared to come from trusted partners or colleagues. The urgent and credible emails convinced an employee to authorize multiple wire transfers without hesitation.

The outcome? $60 million drained directly to cybercriminals — over half of Orion's yearly profits wiped out by fraudulent wire transfers.

Think your small business is immune? Think again. In 2023, gift card scams alone caused businesses to lose upwards of $217 million. In 2024, 73% of cyber incidents targeted businesses via email compromise attacks. Criminals exploit the holiday rush when staff are distracted, stressed, and handling more transactions than usual.

Top 5 Holiday Scams Your Employees Must Recognize Before They Rob You Blind

1. The $3,000 "Boss Needs Gift Cards" Trick

  • The Scam: Impostors impersonate executives pressuring employees to purchase gift cards for fake "clients" or "employee appreciation." In early 2024, 37.9% of email compromise attacks involved gift card fraud.
  • Prevention: Enforce a strict policy requiring two approvals for any gift card purchase. Train your staff that executives will never send such requests via text.

2. The Invoice & Payment Switch Scam: Stealing Big Bucks

  • The Scam: Fraudsters send fake "updated banking details" or hijack vendor email threads near year-end bill payments. For example, Arlington, MA lost nearly $500,000 in June 2024 to this scheme.
  • Prevention: Always verify banking changes through a trusted phone number, never from email alone. Require a verification phone call for financial changes over $5,000.

3. Fake Delivery and Shipping Alerts

  • The Scam: Phishing emails or texts pretending to be from UPS, FedEx, or USPS encouraging recipients to "reschedule delivery" through malicious links.
  • Prevention: Train employees to navigate to carrier websites manually by typing the URL or bookmarking official tracking pages. Never click unsolicited links.

4. Malware-Laden "Holiday Party" Email Attachments

  • The Scam: Emails with attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware when opened.
  • Prevention: Block macros on email attachments, scan all files for malware, and emphasize verifying unexpected attachments as a standard practice.

5. Fraudulent Holiday Fundraisers

  • The Scam: Phishing sites impersonate charities or fake "company match" donation campaigns to steal funds or data.
  • Prevention: Provide employees with an approved list of charities and require all donations to occur through official company channels.

Why These Scams Succeed and How to Defend Against Them

While digital tools like email, online banking, and payment systems boost efficiency, they also open doors for cybercriminals. These attacks are *not* your typical rogue emails; they are highly sophisticated blends of social engineering and targeted research about your company.

Companies conducting regular phishing simulations cut their risk by 60%, yet most small businesses overlook employee training. Multifactor authentication stops 99% of unauthorized logins, but many businesses still rely solely on passwords, leaving their accounts wide open.

Your Ultimate Holiday Cybersecurity Checklist

Before the holiday rush, take these essential steps:

  • Two-Person Verification Rule: All transactions exceeding your threshold require verbal confirmation via a separate communication channel.
  • Gift Card Policy: Establish written rules banning gift card requests through email or text.
  • Vendor Confirmation: Verify any changes in banking or payment info through known phone numbers already on file.
  • Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud accounts.
  • Holiday Awareness Training: Educate your team with real-world examples of these five scams.

The True Toll: Beyond Financial Loss

Though Orion's $60 million loss drew headlines, the hidden damages can hit smaller businesses even harder:

  • Business operations freeze during peak periods
  • Crisis management disrupts staff productivity
  • Compromised client data damages customer trust
  • Cyber incident risk leads to higher insurance costs

The average financial hit from a business email compromise is $129,000 — a blow that could devastate many small companies during their busiest season.

Keep Your Holidays Safe, Secure, and Successful

The holiday season should be about growth and celebration — not recovering from fraud. A brief team discussion, solid policies, and layered security safeguards can block cybercriminals from invading your company's finances.

Remember: The Orion employee could have prevented a $60 million loss with a simple verification call. With the right training and controls, your business can avoid becoming the next painful headline.

Ready to safeguard your team before the New Year? Call 214-845-8198 to schedule a 15-Minute Discovery Call. We'll guide you through practical, fast steps to protect your business. Don't let cybercriminals ruin your holiday success — the best gift for your business this season is peace of mind.