The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

Last December, a mid-sized company's accounts payable clerk received a suspicious urgent text "from the CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Although the request seemed strange, it came under the boss's name during the hectic holiday season. By the time she verified, the gift cards were gone, cashed out by a scammer, leaving the business to suffer the loss.

While this gift card scam caused pain, other attacks can devastate companies completely. That same month, Luxembourg-based chemical firm Orion S.A. fell prey to a much more severe fraud. An employee received what looked like routine, urgent email instructions for wire transfers, possibly from trusted partners or colleagues. Believing the requests were legitimate, the employee proceeded with several transfers.

The shocking outcome? Cybercriminals drained $60 million — over half of the company's yearly profits — through multiple fraudulent wire transfers.

Don't assume your small business is safe. In 2023, gift-card scams alone cost enterprises over $217 million, while in 2024, 73% of all cyber incidents involved business email compromise attacks. Criminals exploit the busy, distracted holiday season when your team processes increased transactions and feels stressed.

Top 5 Holiday Scams Every Employee Must Recognize to Avoid Costly Losses

1. "Your Boss Needs Gift Cards" Scam — The $3,000 Text Trick

• The Scam: Fraudsters impersonate company leaders, coercing employees to buy gift cards for fake clients or as "employee appreciation." In early 2024, nearly 38% of business-email compromises involved gift card scams.
• How to Prevent It: Enforce a strict policy requiring two management approvals for gift card purchases. Employees must never fulfill executive gift card requests via text.

2. Invoice & Payment Switch-Ups — The High-Stakes Money Grab

• The Scam: Criminals send fake updated banking info or hijack vendor email threads just as year-end bills are due. In June 2024, Arlington, MA lost almost $500,000 to this fraud.
• How to Prevent It: Always verify banking changes by calling using a trusted phone number—not one from email. Implement a mandatory phone confirmation rule for any financial change over $5,000.

3. Fake Shipping & Delivery Alerts

• The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS, providing links to "reschedule delivery" that install malware.
• How to Prevent It: Teach employees to manually enter carrier websites or bookmark official tracking pages—never click suspicious links.

4. Malicious "Holiday Party" Attachments

• The Scam: Emails with seemingly harmless attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that, when opened, silently install malware.
• How to Prevent It: Block macros by default, scan all attachments, and encourage verification of unexpected files before opening.

5. Fraudulent Holiday Fundraisers

• The Scam: Fake charity websites and bogus "company match" campaigns designed to steal donations and sensitive data.
• How to Prevent It: Provide employees with a vetted list of approved charities and require all donations go through official company portals.

Why These Scams Thrive and How You Can Stop Them

Tools that streamline business—email, online banking, digital payments—are exactly what scammers manipulate. These aren't simple "Nigerian prince" schemes but highly sophisticated attacks combining social engineering with detailed research about your company.

Companies conducting regular phishing simulations cut incident risks by 60%, yet many small businesses don't train their teams. Multifactor authentication blocks 99% of unauthorized access, but too many firms still rely solely on passwords.

Your Essential Holiday Cybersecurity Checklist

Prepare now to safeguard your business during the busy season:

• Two-Person Rule: Require verbal confirmation for all transactions above your set threshold through a separate communication channel.
• Gift Card Policy: Establish and enforce a strict "no gift cards via email or text" rule.
• Vendor Verification: Confirm any changes to vendor payment details by calling previously verified phone numbers.
• Enable Multifactor Authentication: Apply MFA to all email, banking, and cloud service accounts.
• Boost Holiday Awareness: Educate your team on these five common scams using real-world examples.

The True Price of Scams: It's More Than Money

Orion's $60 million headline loss highlights only part of the damage. Small businesses often face even tougher hidden costs:

• Operations come to a standstill during critical seasons
• Staff productivity plummets while recovering from incidents
• Client trust erodes if data is compromised
• Cyber incidents lead to soaring insurance premiums

The average business email compromise costs $129,000—often enough to sink small businesses at their most vulnerable times.

Keep Your Holidays Joyful and Fraud-Free

The holiday season should be about growth and celebration—not scrambling to recover from wire fraud. A simple staff briefing, clear policies, and layered security measures dramatically reduce risk and keep cybercriminals out.

Remember, the Orion employee could have prevented that $60 million loss with just one verification call. With the right knowledge and basic checks, your business can stay far from the headlines.

Ready to secure your team before the New Year? Click here or call us at 702-745-9468 to book a 10-Minute Discovery Call. We'll guide you through straightforward, effective steps to protect your business from holiday cyber threats. Give your company the best gift this season: peace of mind.