November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent text appearing to be from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them. Although she was suspicious, the request seemed legitimate during the hectic holiday rush. Unfortunately, by the time she verified it, the gift cards had already been used, and the scammers had vanished, leaving the company to absorb the loss.
While that scam was costly, some attacks can devastate an entire business. In the same month, Orion S.A., a Luxembourg chemical manufacturer, suffered an even more severe attack. An employee received what appeared to be routine wire transfer requests from trusted colleagues or partners, matching typical business operations and urgency. Without hesitation, the employee executed several large wire transfers.
The outcome was catastrophic: cybercriminals stole $60 million—over half the company's annual profits—through these fraudulent transfers.
Think your small business isn't a target? Think again. Gift card scams cost businesses more than $217 million in 2023, and 73% of cyber incidents in 2024 were related to business email compromise attacks. The holiday season is prime time for these threats, as criminals exploit distractions, stress, and increased transaction volumes.
Top 5 Holiday Scams Your Team Must Know To Avoid Costly Mistakes
1. "Your Boss Wants Gift Cards" Scam (The $3,000 Text Fraud)
- The Scam: Fraudsters impersonate executives, pressuring employees to buy gift cards for "clients" or "employee rewards." Gift card scams made up 37.9% of business email compromise cases in early 2024.
- How to Protect: Enforce a strict policy requiring two approvals for gift card purchases. Train employees that executives will never ask for gift cards via text messages.
2. Invoice and Payment Redirection (The High-Stakes Scam)
- The Scam: Cybercriminals send fake banking updates or hijack vendor emails right when large payments are due. For example, Arlington, MA lost nearly $500,000 to this scam in June 2024.
- How to Protect: Always confirm bank details changes by calling a known phone number—not the one in the email. Implement a "phone call rule" for financial changes exceeding $5,000.
3. Fake Shipping and Delivery Alerts
- The Scam: Phishing emails or texts impersonate carriers like UPS, FedEx, or USPS with links to "reschedule" deliveries.
- How to Protect: Educate staff to reach official carrier websites by typing the URL or using a bookmarked official tracking page, rather than following links in emails or texts.
4. Malicious Holiday Party Attachments
- The Scam: Emails carry attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that install malware when opened.
- How to Protect: Disable macros, scan all attachments thoroughly, and foster a culture of verifying unexpected files before opening.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites mimic charities or false "company match" campaigns to steal donations or personal data.
- How to Protect: Provide a list of approved charities and ensure all donations are processed through official channels only.
Why These Schemes Succeed and How to Defend Your Business
Tools like email, online banking, and digital payments streamline business but also open the door to sophisticated scams. These aren't your typical "Nigerian prince" emails; attackers use social engineering combined with in-depth company research.
Companies that regularly conduct phishing drills cut their risk by 60%, yet many small businesses neglect employee training. While multifactor authentication (MFA) blocks 99% of unauthorized access, many still rely on simple passwords.
Your Essential Holiday Security Checklist
Before the holidays arrive at full tilt, implement these critical steps:
- Two-Person Verification: Require verbal confirmation through a separate method for transactions over your set threshold.
- Gift Card Policy: Clearly state that gift card purchases cannot be requested via email or text.
- Vendor Confirmation: Verify banking or payment updates by calling numbers on file, not those in emails.
- Multifactor Authentication: Enable MFA on all email, banking, and cloud services.
- Holiday Scam Awareness: Educate your team about these five scams using real-world examples.
The Bigger Impact: Loss Beyond Funds
Though Orion's $60 million loss made headlines, smaller businesses often suffer hidden costs:
- Operations stall during peak seasons
- Staff productivity drops as they deal with damage control
- Customer trust diminishes if data breaches occur
- Cyber incident claims drive up insurance premiums
The average loss per business email compromise is $129,000—enough to put many small companies out of business during their critical period.
Keep Your Holidays Safe and Successful
Holidays should be about business growth and celebration, not fraud recovery. A quick team meeting, smart policies, and layered security measures can keep scammers away from your finances.
Remember: Just one verification call could have saved Orion $60 million. With proper awareness and simple checks, your business can avoid becoming the next headline.