November 03, 2025
Last December, an accounts payable clerk at a midsize firm received an urgent text seemingly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Though suspicious, the message appeared authentic, and amid the holiday rush, she complied. By the time she verified, the scammer had already cashed out, resulting in a costly loss for the company.
While this scam is painful, others can devastate businesses entirely. In August 2024, Luxembourg-based chemical manufacturer Orion S.A. disclosed that it had been fooled by a sophisticated scheme. An employee received what looked like normal, urgent internal emails requesting wire transfers, appearing to come from trusted colleagues or partners. The requests matched typical business practices, and the employee completed multiple transfers to accounts controlled by the attackers without hesitation.
The outcome? $60 million vanished directly into cybercriminals' hands—over half of the company's annual profits lost to fraudulent wire transfers.
If you think your small business is safe from such threats, think again. In 2023 alone, reported losses to gift-card scams exceeded $217 million, and business email compromise (BEC) was reported to account for 73% of cyber incidents in 2024. The holiday season is prime time for attackers, who know your team is overwhelmed, distracted, and handling an unusually high volume of transactions.
Top 5 Holiday Scams Your Employees Must Know to Avoid Costly Mistakes
1. "Your Boss Needs Gift Cards" Scam (The $3,000 Text Trap)
- The Scam: Attackers impersonate executives, urging staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, almost 38% of BEC attacks involved gift-card fraud.
- How to Prevent It: Enforce a strict policy requiring two separate approvals before purchasing gift cards. Train employees that executives will never request gift cards via text message or email, and that any such request is confirmed by calling the executive on a number already on file, never by replying to the message or calling a number it supplies.
2. Invoice & Payment Diversion (The High-Stakes Switch)
- The Scam: Fraudsters send fake "updated banking information" or hijack existing email threads with vendors, especially near year-end billing. In June 2024, the town of Arlington, MA disclosed that it had lost roughly $445,000 to this scheme on a construction-project payment.
- How to Prevent It: Always verify banking changes by calling the vendor on a phone number already on file, never one taken from the email or the new invoice. Establish a "phone call rule" for confirming any change to payment details, and any payment over a set threshold such as $5,000, before money moves.
3. Fraudulent Shipping and Delivery Notifications
- The Scam: Phishing emails or texts impersonate carriers like UPS, FedEx, or USPS, prompting recipients to "reschedule" deliveries via malicious links.
- How to Prevent It: Train employees to type carriers' official websites directly into the browser and to look up a shipment by its tracking number there, rather than following links in a notification. Bookmark the legitimate tracking pages so nobody has to trust a link or a lookalike domain.
4. Malicious Attachments Masquerading as Holiday Materials
- The Scam: Emails contain attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that, when opened, install malware.
- How to Prevent It: Block macros in files that arrived from the internet (current Microsoft Office versions do this by default; do not let users override it), block executable and script attachment types at the mail gateway, scan all attachments, and build a culture of verifying unexpected files with the apparent sender through a separate channel before opening them.
5. Fake Holiday Fundraising Appeals
- The Scam: Phishing sites mimic real charities or fake "company match" campaigns designed to steal money or sensitive data.
- How to Prevent It: Distribute an approved charity list and mandate that all donations go through official company channels.
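The list above boils down to a few mechanical checks a mail gateway or help-desk triage script can apply before a human ever sees the message: does the display name match an executive while the address does not; does the body ask for gift cards; do links point at a lookalike of a carrier's domain rather than the carrier itself; and do attachments carry executable, script, macro-enabled or double extensions. The following is an added example (not code from the original article or from any vendor it names) that runs those checks over a few constructed sample messages. The executive roster, the `example.com` corporate domain and the sample messages are assumptions made up for the demo; the carrier domains are the carriers' real registered domains.

```python
"""Holiday phishing triage: display-name impersonation, gift-card lures,
lookalike carrier links and risky attachment names.

Added example for illustration; the roster, domain and messages are constructed.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # constructed roster: name -> real address
CARRIER_DOMAINS = {"ups.com", "fedex.com", "usps.com"}  # real registered carrier domains
# Executables, scripts, container images that bypass Mark-of-the-Web, and Office
# formats that can carry VBA macros (legacy .doc/.xls included).
RISKY_EXTENSIONS = {"exe", "js", "vbs", "hta", "scr", "lnk", "iso", "img",
                    "docm", "xlsm", "pptm", "doc", "xls"}
DECOY_EXTENSIONS = {"pdf", "jpg", "png", "txt"}         # used in double-extension names

URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
GIFT_CARD_RE = re.compile(r"gift\s*cards?", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Naive registered domain: last two labels. Fine for .com/.net; use a
    public-suffix list in production to handle co.uk and friends."""
    host = host.lower().split(":")[0].rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_sender(from_header: str) -> list[str]:
    """Flag a display name that matches an executive whose real address differs."""
    name, addr = parseaddr(from_header)
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        return [f"display name '{name}' matches an executive but address is {addr}"]
    return []


def check_links(body: str) -> list[str]:
    """Flag hosts that contain a carrier's name as a label but whose registered
    domain is not the carrier's own (e.g. fedex.com.tracking-update.net)."""
    findings = []
    carrier_names = {c.split(".")[0] for c in CARRIER_DOMAINS}
    for host in URL_RE.findall(body):
        reg = registered_domain(host)
        if reg in CARRIER_DOMAINS:
            continue
        labels = set(re.split(r"[.-]", host.lower()))   # whole labels, so "groups" != "ups"
        if labels & carrier_names:
            findings.append(f"lookalike carrier link: {host} (registered domain {reg})")
    return findings


def check_attachments(filenames: list[str]) -> list[str]:
    """Flag risky final extensions and decoy double extensions like x.pdf.exe."""
    findings = []
    for name in filenames:
        parts = name.lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension: {name}")
    return findings


def triage(message: dict) -> list[str]:
    """Run every check over one message and return the list of findings."""
    findings = check_sender(message["from"])
    if GIFT_CARD_RE.search(message["body"]):
        findings.append("body requests gift cards; confirm by phone on a number already on file")
    findings += check_links(message["body"])
    findings += check_attachments(message.get("attachments", []))
    return findings


# Constructed sample messages modelled on the scams described above.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@gmail-mail.net>",
     "body": "Are you at your desk? Buy 6 gift cards for clients today and send me the codes.",
     "attachments": []},
    {"from": "UPS Delivery <notify@ups-delivery-reschedule.com>",
     "body": "Your package is on hold. Reschedule at https://ups-delivery-reschedule.com/track?id=1Z99",
     "attachments": []},
    {"from": "HR <hr@example.com>",
     "body": "Holiday party details attached.",
     "attachments": ["Holiday_Schedule.pdf.exe", "Party_List.xlsm"]},
    {"from": "FedEx <tracking@fedex.com>",
     "body": "Track at https://www.fedex.com/fedextrack/?trknbr=1234",
     "attachments": ["receipt.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["no findings"])
```

The checks are deliberately simple string rules so that their logic is visible; in a real gateway the sender check would also compare the envelope domain against SPF/DKIM results, and the domain check would use a public-suffix list rather than the last-two-labels shortcut. Note that the legitimate FedEx message produces no findings, which is the property that keeps a rule like this usable during the holiday rush.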
Why These Scams Succeed & How to Defend Your Business
The very tools that enhance business productivity—email, online banking, and digital payments—are leveraged by scammers. These attacks aren't unsophisticated "Nigerian prince" emails but expertly crafted social engineering campaigns tailored to your company.
Organizations that run regular phishing drills have been reported to cut their risk by about 60%, yet many small businesses neglect training. Microsoft has reported that multifactor authentication blocks more than 99% of account-compromise attacks, but many businesses still depend solely on passwords; where the platform supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys over SMS codes, which attackers can intercept or phish.
Your Essential Holiday Security Checklist
Before the holiday rush, implement these vital steps:
- The Two-Person Rule: Require a second approver for transactions exceeding a set amount, plus confirmation with the requester over a separate channel (a phone call to a known number, not a reply to the email or text).
- Gift Card Policy: Put in writing that gift-card purchases are never requested or approved by email or text, and tell every employee that this is the rule.
- Vendor Verification: Validate all banking or payment changes by calling numbers already on file.
- Enable Multifactor Authentication: Activate MFA across all email, banking, and cloud platforms.
- Holiday Awareness Training: Educate your team about these top five scams with concrete examples.
The True Price: Beyond Financial Loss
Though Orion's $60 million loss captured headlines, small businesses often bear hidden costs such as:
- Severe operational disruptions during peak season
- Lost productivity as staff handle incident recovery
- Damaged customer trust if client data is exposed
- Increased insurance premiums post-cyber incident
On average, each business email compromise incident costs $129,000—enough to devastate many small companies at the most critical time of year.
Protect Your Holidays: Stay Secure and Stress-Free
The holiday season should focus on growth and celebrations—not recovering from wire fraud. A quick team briefing, smart policies, and layered security measures create strong defenses against cybercriminals.
Remember: the Orion employee could have stopped that $60 million loss with one phone call to a number already on file. With awareness and straightforward checks, your business can avoid becoming the next cautionary headline.
Ready to lock down your team before the New Year? Click here or call us at (646) 989-9900 to schedule a Business Technology Alignment Assessment. We'll guide you through quick, effective steps to safeguard your business. Don't let cybercriminals ruin your holiday success — the greatest gift you can give your business this season is peace of mind.
