The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize firm received a suspicious text supposedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Though it felt off, the message carried the boss's name and came amid hectic holiday activity. Unfortunately, by the time she verified, the scammer had already moved the funds, resulting in a costly loss for the company.

Such scams are painful, but some attacks have more devastating consequences. In the same month, Luxembourg-based chemical manufacturer Orion S.A. suffered a massive fraud. An employee received emails appearing to be routine wire transfer requests from trusted contacts. Believing them urgent and legitimate, the employee authorized multiple transfers.

The outcome? A staggering $60 million vanished into cybercriminals' hands—over half of the company's annual profits wiped out in a single series of fraudulent transfers.

Think your small business is too insignificant to be targeted? Think twice. In 2023 alone, gift card scams cost businesses upwards of $217 million, and business email compromise attacks made up 73% of cyber incidents in 2024. The holiday season is a prime window for fraudsters, exploiting distracted, stretched-thin teams handling increased transaction volumes.

Top 5 Holiday Scams Your Employees Must Recognize (Before They Cost You Thousands)

1. "Urgent Gift Card Requests from Leadership" (The $3,000 Text Scam)

  • The Scam: Impersonators masquerade as company executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, these schemes accounted for 37.9% of all business email compromise attacks.
  • How to Prevent: Implement a strict policy requiring dual approvals before purchasing gift cards. Train employees that executives never request gift cards via text messages.

2. Invoice and Payment Fraud (The Fraudulent Fund Diversion)

  • The Scam: Cybercriminals send "updated bank details" or hijack vendor email threads just as year-end payments are due. For example, the Town of Arlington, MA, lost nearly $500,000 this way in June 2024.
  • How to Prevent: Always verify any banking information changes by calling a verified phone number — never rely on contact details contained in email messages. Establish a "phone call verification" rule for all financial changes exceeding $5,000.

3. Fraudulent Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts impersonate major carriers like UPS, FedEx, or USPS, containing links to "reschedule" shipments.
  • How to Prevent: Train employees to access carrier websites by typing URLs directly or using bookmarks to avoid malicious links.

4. Malicious Attachments Disguised as Holiday Party Information

  • The Scam: Emails with attachments titled "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware when opened.
  • How to Prevent: Disable macros, scan all attachments for malware, and encourage verification of unexpected files.

5. Fake Holiday Fundraisers

  • The Scam: Phishing websites impersonate charities or fake company matching programs to steal funds or personal data.
  • How to Prevent: Circulate a vetted list of approved charities and direct all donations through official, secure channels.

Why These Scams Succeed (And How You Can Stop Them)

While digital tools like email, online banking, and e-payments boost business efficiency, they also open doors for fraudsters. These aren't your average spam emails; they are sophisticated, socially engineered attacks tailored through in-depth company research.

Companies conducting frequent phishing simulations cut risks by 60%, yet many small businesses neglect employee training. Enabling multifactor authentication blocks 99% of unauthorized access, though some still rely solely on passwords.

Your Essential Holiday Security Checklist

To safeguard your business during the busy season, implement these steps:

  • The Two-Person Rule: Require verbal confirmations via separate communication channels for transactions above a set amount.
  • Gift Card Policy: Enforce a written policy banning gift card purchases via email or text.
  • Vendor Verification: Confirm all changes to banking or payment info with trusted phone numbers on file.
  • Multifactor Authentication: Activate MFA on all email, banking, and cloud platforms.
  • Holiday Awareness Training: Educate your team on these five scams using real-world examples.
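
For teams that want these rules enforced in the payment workflow rather than left to memory, here is a sketch of a release gate that encodes the checklist. It is an added example, not part of the original article; the record fields, vendor data, and phone numbers are constructed, and the $5,000 cutoff is the figure suggested above.

```python
from dataclasses import dataclass, field

THRESHOLD = 5_000  # USD, the article's suggested cutoff; set your own

# Constructed vendor master record (hypothetical values).
VENDORS = {"V-100": {"bank_account": "ACCT-1111", "phone_on_file": "555-0100"}}

@dataclass
class Request:
    requester: str
    channel: str                 # how the request arrived: email, text, portal
    amount: float
    vendor_id: str = ""
    bank_account: str = ""       # account the request asks us to pay
    callback_number: str = ""    # number staff actually dialed, if any
    confirmed_by: str = ""       # second person who confirmed verbally
    confirm_channel: str = ""    # channel used for that confirmation
    gift_card: bool = False
    approvers: set = field(default_factory=set)

def review(req, vendors=VENDORS):
    """Return control failures; an empty list means the payment may be released."""
    if req.gift_card:
        fails = []
        if req.channel in ("email", "text"):
            fails.append("gift card requested by email/text")
        if len(req.approvers - {req.requester}) < 2:
            fails.append("gift card lacks dual approval")
        return fails
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return ["vendor not on file"]
    fails = []
    # A bank change counts as verified only if staff dialed the number on file.
    if (req.bank_account != vendor["bank_account"]
            and req.callback_number != vendor["phone_on_file"]):
        fails.append("bank change not confirmed via number on file")
    # Two-person rule: a different person, reached over a different channel.
    if req.amount > THRESHOLD and (
            not req.confirmed_by or req.confirmed_by == req.requester
            or req.confirm_channel in ("", req.channel)):
        fails.append("no second-person confirmation on a separate channel")
    return fails

# Constructed requests: a hijacked vendor thread, the same request after
# proper verification, and a "CEO" gift card text.
hijacked = Request("ap_clerk", "email", 48_000, "V-100", "ACCT-9999",
                   callback_number="555-0199")  # number copied from the email
verified = Request("ap_clerk", "email", 48_000, "V-100", "ACCT-9999",
                   callback_number="555-0100", confirmed_by="controller",
                   confirm_channel="phone")
ceo_text = Request("ap_clerk", "text", 3_000, gift_card=True)
```

The hijacked request fails both checks because the callback went to the number supplied in the email rather than the one on file; the gift card text is blocked no matter whose name is on it.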

The True Cost: More Than Money

Although Orion's $60 million loss grabbed headlines, smaller companies often suffer hidden impacts like:

  • Disrupted operations during peak sales periods
  • Diminished productivity as employees manage crisis fallout
  • Eroded customer trust if sensitive data is breached
  • Increased insurance premiums post-cyber incidents

With an average financial loss of $129,000 per business email compromise event, many small businesses risk closure at the most critical time of year.

Protect Your Holidays: Keep Them Merry and Fraud-Free

The holidays should focus on growth and celebration—not damage control from wire fraud. A quick team meeting, clear policies, and layered security measures can effectively lock cybercriminals out.

Remember, Orion's devastating $60 million loss could have been averted with a single verification phone call. Equip your team with awareness and simple safeguards to prevent becoming the next cautionary example.

Ready to secure your business before the New Year? Click here or call us at 323-410-7785 to book a 10-Minute Discovery Call. We'll guide you through straightforward, effective steps to protect your company from holiday cyber threats. The greatest gift you can give your business this season is peace of mind.