The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize company received a suspicious text that seemed to be from her CEO: "Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them." Despite her doubts, holiday chaos clouded her judgment, and by the time she confirmed, the scammer was long gone with the money, leaving the company to bear the loss.

While this scam hurt, some attacks can devastate a business completely. That same month, Orion S.A., a Luxembourg-based chemical manufacturer, was hit by a more severe fraud. An employee received what looked like legitimate, urgent emails requesting wire transfers, apparently from trusted colleagues or partners, and processed multiple payments without hesitation.

The outcome? Cybercriminals siphoned away $60 million—over half the company's yearly profits—through a series of fraudulent transfers.

Think your small business is too minor to attract fraudsters? Think again. In 2023, gift card scams alone cost businesses more than $217 million, and business email compromise (BEC) attacks made up 73% of cyber incidents in 2024. The hectic holiday season is prime time for these threats because criminals exploit distractions, stress, and the surge in transactions.

5 Must-Know Holiday Scams Your Employees Should Spot to Protect Your Bottom Line

1. "Your Boss Needs Gift Cards"—The $3,000 Text Trap

  • The Scam: Impersonators pretending to be executives pressure staff into purchasing gift cards for "clients" or "employee rewards." In Q1 2024, 37.9% of business email compromise cases involved gift card scams.
  • How to Prevent: Enforce a strict policy requiring two distinct approvals before any gift card purchase. Train employees that executives never request gift cards via text messages.

2. Invoice and Payment Switch-Ups—The High-Stakes Financial Hoax

  • The Scam: Fraudsters alter banking details or hijack vendor email threads just as year-end bills are due. For instance, in June 2024, the Town of Arlington, MA lost nearly $500,000 through this tactic.
  • How to Prevent: Always verify banking changes via a known phone number—not the one in the email—and implement a "phone call rule" for any financial transactions exceeding $5,000.

3. Fake Shipping and Delivery Notifications

  • The Scam: Phishing emails or texts disguised as UPS, FedEx, or USPS asking recipients to "reschedule delivery" through malicious links.
  • How to Prevent: Train your team to enter the carrier's website URL directly into browsers and bookmark official tracking pages to avoid falling for deceptive links.

4. Malicious Holiday Party Email Attachments

  • The Scam: Emails with attachments titled "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware upon opening.
  • How to Prevent: Disable macros, scan all attachments thoroughly, and encourage staff to verify the legitimacy of unexpected files.

5. Phantom Holiday Fundraisers

  • The Scam: Fraudulent charity websites or fake "company match" campaigns designed to steal money or confidential data.
  • How to Prevent: Distribute an approved charity list and ensure all donations are processed exclusively through official channels.
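
The gift card and payment-switch scams above (items 1 and 2) leave recognizable marks when they arrive by email, and a mail filter can use those marks to hold a message until someone verifies it through a separate channel. The sketch below is an added example, not part of the original article; the company domain, executive name, keyword patterns and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: your own mail domain
EXECUTIVES = {"dana reyes"}      # assumption: display names worth impersonating
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|routing|wire)\b", re.I | re.S)

def triage(raw):
    """Return sorted reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    reasons = set()
    # Executive display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.add("executive-name-external-sender")
    # Replies would go to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.add("reply-to-domain-mismatch")
    if GIFT_CARD.search(text):
        reasons.add("gift-card-request")
    if BANK_CHANGE.search(text):
        reasons.add("bank-detail-change")
    return sorted(reasons)

# Constructed sample messages (not real mail).
MSG_GIFT = "\n".join([
    'From: "Dana Reyes" <dana.reyes@mail.example.net>',
    "Subject: Quick favor", "",
    "Purchase $3,000 worth of Apple gift cards for clients."])
MSG_VENDOR = "\n".join([
    'From: "Acme Billing" <billing@acme-supplies.example>',
    "Reply-To: billing@acme-supplies-pay.example",
    "Subject: Re: Invoice 1042", "",
    "Please use our updated bank account for the year-end payment."])
MSG_OK = "\n".join([
    'From: "Dana Reyes" <dana.reyes@example.com>',
    "Subject: Holiday schedule", "",
    "The office closes at noon on the 24th."])

if __name__ == "__main__":
    for label, raw in [("gift", MSG_GIFT), ("vendor", MSG_VENDOR), ("ok", MSG_OK)]:
        print(label, triage(raw))
```

A non-empty result is a reason to pause and verify by phone, not proof of fraud; keyword matches will also fire on legitimate mail.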

Why These Holiday Scams Succeed—and How You Can Defend Against Them

E-mail, online banking, and digital payments streamline your business—but these very tools are exploited by scammers. These are not simple "Nigerian prince" schemes; they are highly sophisticated attacks combining social engineering with in-depth company research.

Companies that conduct frequent phishing simulations cut their risk by 60%, yet most small businesses neglect this crucial training. Implementing multifactor authentication can block 99% of unauthorized access, but too many firms still depend solely on passwords.

Your Ultimate Holiday Security Checklist

Prepare your team for the busy season with these essential steps:

  • Two-Person Rule: Require verbal confirmation through a separate channel for all transactions exceeding your set amount.
  • Gift Card Policy: Prohibit purchasing gift cards via email or text messages.
  • Vendor Verification: Always confirm payment or banking changes by calling contact numbers on file.
  • Multifactor Authentication: Activate MFA on email, banking, and cloud platforms.
  • Holiday Awareness: Educate your employees about these five scams using real-world examples.

The True Cost of Cyberattacks: Beyond Financial Losses

Though Orion's $60 million theft captured headlines, smaller businesses face equally severe hidden damages:

  • Operational shutdowns during critical peak periods
  • Loss of productivity as teams scramble to recover
  • Diminished customer trust if sensitive data is leaked
  • Increased insurance premiums following cyber incidents

The average loss per business email compromise incident stands at $129,000—enough to jeopardize many small businesses at the worst time of year.

Make This Holiday Season Safe and Successful

The holidays are for growth and celebration—not recovering from wire fraud. A short team meeting, clear policies, and layered security measures can powerfully protect your business from cybercriminals.

Remember: Orion's costly $60 million loss could have been prevented with a simple verification call. By boosting awareness and implementing basic safeguards, your business can avoid becoming a cautionary tale.

Ready to secure your team before the New Year? Click here or call us at 781-837-0069 to schedule a 15-Minute Discovery Call. We'll guide you through effective, practical steps to protect your business. Cybercriminals won't get a chance to ruin your holiday success—because the greatest gift you can offer your company this season is peace of mind.