
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a mid-sized company received a suspicious text that appeared to come from her CEO: purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Though the request sounded unusual, the message carried her boss's name and arrived amid the holiday rush. By the time she realized something was wrong, the scammer had vanished with the funds, leaving the company to absorb the loss.

While this scam caused financial pain, some attacks can devastate businesses completely. In the same month, Orion S.A., a chemical manufacturer based in Luxembourg, suffered a catastrophic breach. An employee received what looked like authentic email requests for wire transfers—likely from trusted partners or colleagues. These seemingly urgent and routine requests led the employee to execute multiple transfers without question.

The outcome? Cybercriminals stole $60 million—over half of Orion's annual profits—through fraudulent wire transfers.

If you believe your small business is too modest to be targeted, think again. In 2023 alone, gift card scams drained over $217 million from companies, and in 2024, 73% of cyber incidents involved business email compromise attacks. The holiday season is prime time for fraud because criminals exploit your team's distractions, stress, and increased transaction volume.

5 Critical Holiday Scams Every Employee Must Recognize (Before They Drain Your Wallet)

1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)

  • The Scam: Fraudsters impersonate company leaders, pressuring staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, 37.9% of business email compromises involved gift card fraud.
  • How to Prevent: Enforce strict policies requiring two senior approvals for gift card purchases. Train employees that executives will never request gift cards via text.

2. Invoice & Payment Manipulation (The Large Sum Heist)

  • The Scam: Criminals send fake "updated bank info" or hijack vendor email conversations around billing periods. For example, in June 2024, Arlington, MA lost nearly $500,000 this way.
  • How to Prevent: Always verify banking changes by calling a known number—not one from the email. Implement a "phone call confirmation" rule for transactions above $5,000.

3. Fraudulent Shipping & Delivery Alerts

  • The Scam: Phishing emails or texts masquerade as UPS, FedEx, or USPS notifications with links to "change delivery schedules."
  • How to Prevent: Educate staff to manually type carrier websites and bookmark official tracking pages instead of clicking suspicious links.

4. Malicious Holiday Party Attachments

  • The Scam: Emails containing attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that install malware upon opening.
  • How to Prevent: Disable macros, scan all attachments for malware, and foster a culture of verifying unexpected files before opening.

5. Fake Holiday Fundraisers

  • The Scam: Phishing websites impersonate charities or fake "company match" donation campaigns to steal money or personal data.
  • How to Prevent: Provide a vetted list of approved charities and require donations to be made only through official company portals.

Why These Attacks Succeed & How to Combat Them

While tools like email, online banking, and digital payments streamline operations, they also offer gateways for scammers. These aren't obvious scams; they are highly sophisticated, combining social engineering with detailed company research.

Businesses conducting regular phishing simulations reduce their risk by 60%, yet most small firms skip employee training. Moreover, multifactor authentication (MFA) can stop 99% of unauthorized access, but many still rely solely on passwords.

Your Essential Holiday Security Checklist

Prepare now to protect your business through the holiday season:

  • Two-Person Approval Rule: Require verbal confirmation via a separate channel for transactions over your threshold.
  • Gift Card Purchase Policy: Enforce clear, written rules banning gift card requests through email or text.
  • Vendor Banking Verification: Confirm changes to payment details using pre-existing contact info.
  • Implement MFA: Activate multifactor authentication on all email, banking, and cloud accounts.
  • Holiday Scam Education: Share real examples and hold briefing sessions covering these five scams.

The True Price of Scams: Beyond Money

Though Orion's $60 million loss made headlines, small businesses often suffer even deeper consequences:

  • Disrupted operations during critical peak times
  • Lost productivity as staff scramble to manage the crisis
  • Damaged customer trust if sensitive data is breached
  • Increased insurance premiums post-incident

On average, a business email compromise costs $129,000—an amount that could shutter many small enterprises at the most vulnerable time of year.

Protect Your Holidays: Keep Cybercriminals at Bay

Holidays should focus on growth and celebration, not recovering from wire fraud. Just a quick team meeting, firm policies, and layered security can significantly reduce your risk.

Remember, the employee at Orion could have prevented a $60 million loss with one simple verification call. Through heightened awareness and practical checks, you can also shield your business from becoming a cautionary tale.

Ready to safeguard your team before the New Year? Click here or call us at 408-335-0353 to book a Discovery Call. We'll guide you through quick, practical steps to secure your business. Don't let cybercriminals ruin your holiday achievements. The greatest gift this season is peace of mind.
