November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent text appearing to be from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Although something felt off, the message seemed genuine amid the holiday rush. Unfortunately, by the time she verified it, the scammer had already redeemed the cards, leaving the company to bear the loss.
While this scam caused a significant hit, some attacks can devastate a business entirely. In that same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to an even more catastrophic fraud. An employee received what looked like routine emails requesting wire transfers—from what appeared to be trusted colleagues or partners. These requests felt urgent and consistent with normal operations, prompting the employee to process multiple large transfers without hesitation.
The aftermath? Cybercriminals walked away with $60 million—over half the company's yearly profit—drained through fraudulent wire transfers.
If you believe your small business flies under hackers' radar, think again. Gift card scams alone cost US businesses more than $217 million in 2023. Moreover, business email compromise attacks made up 73% of cyber incidents reported in 2024. The holiday season is especially risky when your team is distracted, stressed, and managing an increased volume of transactions.
Top 5 Holiday Scams Your Employees Must Recognize to Avoid Costly Losses
1. "Your Boss Needs Gift Cards" (Beware the $3,000 Text Scam)
- How it works: Impersonators pose as executives, urging staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, nearly 38% of business email compromises involved gift card scams.
- Protection tips: Enforce a strict policy that no gift cards are purchased without dual approval. Teach employees that executives will never request gift cards via text messages.
2. Invoice & Payment Manipulation (Targeting Big Transactions)
- How it works: Fraudsters send fake "updated banking information" or hijack vendor emails right as year-end bills become due. For example, in June 2024, the Town of Arlington, MA, lost nearly $500,000 this way.
- Protection tips: Always verify banking changes by calling a previously established phone number, not the one in the email. Implement a "call confirmation" rule for any financial transaction above $5,000.
3. Fake Shipping and Delivery Alerts
- How it works: Phishing emails or texts impersonate UPS, FedEx, or USPS, urging recipients to "reschedule delivery" via malicious links.
- Protection tips: Instruct staff to navigate delivery services by typing URLs manually or using bookmarked official tracking sites. Avoid clicking suspicious links.
4. Harmful "Holiday Party" Attachments
- How it works: Emails arrive with attachments labeled "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware when opened.
- Protection tips: Disable macros, routinely scan attachments, and make it standard practice to verify unexpected files before opening.
5. Fraudulent Holiday Fundraisers
- How it works: Phishing websites mimic legitimate charities or fake company matching programs to steal money or personal data.
- Protection tips: Distribute an approved list of charities and ensure donations occur exclusively through official company portals.
Why These Attacks Succeed and How You Can Stop Them
Scammers exploit the very tools businesses rely on daily—email, online banking, and digital payments. These attacks are highly sophisticated, combining social engineering with detailed research about your company. They are far from the outdated "Nigerian prince" scams.
Companies that conduct regular phishing tests reduce their risk by up to 60%, yet many small businesses neglect employee training. Multifactor authentication blocks 99% of unauthorized access, but numerous firms still depend solely on passwords.
Your Essential Holiday Cybersecurity Checklist
Before the holiday rush, implement these crucial steps:
- Two-Person Verification: Require verbal confirmation via a separate communication channel for all transactions exceeding the threshold you set.
- Gift Card Policy: Clearly document a rule that gift cards are never purchased on the basis of an email or text request.
- Vendor Validation: Use on-file phone numbers to verify any banking or payment changes.
- Multifactor Authentication: Activate MFA across email, banking, and cloud services.
- Holiday Scam Awareness: Educate your team about these five common scams with real-life examples.
The True Impact: Beyond Financial Loss
Though Orion's $60 million theft made headlines, smaller businesses often suffer deeper hidden consequences:
- Business operations stalling during peak demand periods
- Staff productivity diminishing as they manage recovery efforts
- Loss of customer confidence if sensitive data is exposed
- Increased insurance costs following cyber incidents
The average business email compromise incident costs $129,000—enough to devastate many small businesses at the worst possible time.
Keep Your Holidays Joyful, Not Compromised
The holiday season should focus on growth and celebration—not recovering from wire fraud. A quick team meeting, clear policies, and layered security measures are your best defenses against cyber criminals.
Remember: a single verification call could have saved Orion $60 million. With proper awareness and simple precautions, your business won't become another cautionary story.
Ready to secure your team before the New Year? Click here or call us at (951) 405-6873 to schedule a 15-Minute Discovery Call where we'll provide straightforward, effective strategies to protect your business. Don't let cybercriminals ruin your holiday success—give your business the gift of peace of mind this season.