November 03, 2025
Last December, a mid-sized company's accounts payable clerk received an urgent text purportedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Despite sounding suspicious, the message bore the boss's name, and amid the holiday rush, the clerk complied. Before she double-checked, the scammer had already redeemed the cards, leaving the company to absorb the loss.
While this scam caused a painful loss, others can devastate companies. That same month, Luxembourg-based chemical manufacturer Orion S.A. fell prey to a far more damaging fraud. One employee received emails mimicking routine wire transfer requests from trusted partners or colleagues. These appeared urgent and aligned with typical business operations, leading the employee to authorize multiple transfers without hesitation.
The consequence? $60 million wired to cybercriminals—over half the firm's yearly profits vanished through fraudulent transfers.
Think your small business is too inconspicuous to be targeted? Think again. Gift card scams alone cost businesses more than $217 million in 2023, while business email compromise (BEC) attacks made up 73% of cyber incidents in 2024. The holiday season is a prime window for these scams, exploiting your team's distraction, stress, and increased transaction volume.
5 Critical Holiday Scams Your Employees Must Recognize to Avoid Costly Mistakes
1. "Your Boss Needs Gift Cards" (Avoid the $3,000 Text Scam)
- Scam Overview: Impostors impersonate executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In early 2024, 37.9% of BEC attacks were tied to gift card fraud.
- Defense Strategy: Implement a strict policy requiring dual approvals before purchasing gift cards. Educate employees that executives never request gift cards via text messages.
2. Invoice & Payment Fraud (The High-Stakes Trick)
- Scam Overview: Fraudsters send fake "updated banking details" or hijack vendor email threads near billing deadlines. In June 2024, the Town of Arlington, MA lost nearly $500,000 through this tactic.
- Defense Strategy: Always verify banking changes by calling a known number—not the one in the email—and enforce a "phone call rule" for any financial transaction above $5,000.
3. Fake Shipping & Delivery Alerts
- Scam Overview: Phishing emails or texts claim to be from carriers like UPS/FedEx/USPS with links to "reschedule delivery."
- Defense Strategy: Train employees to manually type carrier websites into browsers or bookmark official tracking pages to avoid malicious links.
4. Malicious "Holiday Party" Attachments
- Scam Overview: Emails with attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware upon opening.
- Defense Strategy: Block macros, scan all attachments, and cultivate a culture of verifying unexpected files before opening.
5. Fraudulent Holiday Fundraisers
- Scam Overview: Phishing sites impersonate charities or "company match" campaigns to steal donations or sensitive data.
- Defense Strategy: Circulate an approved charity list and route all donations through company-authorized platforms only.
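As an added illustration (not code from the original post), here is a small Python triage that applies the checks behind scams 1 and 2 to inbound mail: a trusted name whose real address is not the one on file, gift card requests, banking-detail changes, and urgency language. The company domain, the sender roster and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed assumptions: the company's own mail domain and a roster of names an
# impostor is likely to borrow (executives, regular vendors) mapped to their real addresses.
COMPANY_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "dana lee": "dana.lee@example.com",                    # the CEO
    "acme supplies billing": "ar@acmesupplies.example",    # a regular vendor
}

# Wording patterns taken from the scam descriptions above.
GIFT_CARD = re.compile(r"\b(gift\s*cards?|scratch\s*off|redemption codes?)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated?|changed?)\s+(bank(?:ing)?|account|wire|remittance)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)


def assess(message):
    """Return the list of BEC indicators found in one message ({'from': ..., 'body': ...})."""
    display, addr = parseaddr(message["from"])
    expected = KNOWN_SENDERS.get(display.strip().lower())
    body = message["body"]
    reasons = []
    # A trusted display name whose real address differs (free-mail account, lookalike domain).
    if expected and addr.lower() != expected:
        reasons.append("impersonated sender: " + display)
    if GIFT_CARD.search(body):
        reasons.append("gift card request")
    if BANK_CHANGE.search(body):
        reasons.append("banking detail change")
    if URGENCY.search(body):
        reasons.append("urgency pressure")
    return reasons


def requires_callback(message):
    """True when the request must be confirmed by phone (known number) before anyone acts."""
    # Urgency alone is not a reason to hold; any of the other indicators is.
    return any(not r.startswith("urgency") for r in assess(message))


# Constructed sample messages modelled on the two scams described above.
SAMPLES = [
    {"from": "Dana Lee <dana.lee.ceo@gmail.example>",
     "body": "Need you to purchase $3,000 in Apple gift cards for clients and email me the codes immediately."},
    {"from": "Acme Supplies Billing <ar@acme-supplies.example>",
     "body": "Please note our updated banking details for the December invoice."},
    {"from": "Dana Lee <dana.lee@example.com>", "body": "Thanks for finishing the Q4 report."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", "HOLD" if requires_callback(m) else "ok", assess(m))
```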
Why These Scams Succeed and How to Safeguard Your Business
The digital tools that streamline your operations—email, online banking, and digital payments—are precisely what scammers exploit. These aren't outdated "Nigerian prince" emails; they're sophisticated schemes combining social engineering with in-depth company research.
Businesses conducting regular phishing simulations reduce their risk by 60%, yet most small enterprises neglect employee training. Multifactor authentication blocks 99% of unauthorized access, but many still rely solely on passwords.
Your Essential Holiday Security Checklist
Take action before the holiday rush intensifies:
- Two-Person Rule: Require a verbal confirmation via a separate channel for transactions exceeding your limit.
- Gift Card Policy: Establish a firm rule that gift card purchase requests arriving by email or text are never acted on.
- Vendor Authentication: Verify all banking and payment updates by calling pre-existing contacts.
- Multifactor Authentication (MFA): Activate MFA across all email, banking, and cloud systems.
- Holiday Cyber Awareness: Educate your team about these five scams using real-life examples.
The True Price: Beyond Financial Losses
While Orion's $60 million theft made headlines, smaller businesses often suffer hidden repercussions:
- Operations halt during peak periods
- Staff productivity plummets as they manage the fallout
- Customer trust diminishes if sensitive data leaks
- Insurance rates surge after cyber breaches
On average, each BEC incident costs $129,000—enough to jeopardize many small businesses during their most vulnerable season.
Ensure Your Holidays Stay Joyful, Not Risky
The holiday season should focus on growth and celebration—not costly wire fraud cleanups. A brief team meeting, clear policies, and layered security measures can go a long way in keeping scammers away from your finances.
Remember, the Orion employee could have averted a $60 million theft with just one verification call. With the right vigilance and simple precautions, your business can be next year's success story—not a cautionary tale.
Ready to fortify your team before the New Year? Click here or call us at 608-416-2400 to schedule a 10-Minute Discovery Call. We'll guide you through effective, practical steps to protect your business. Don't let cybercriminals hijack your holiday success—the greatest gift this season is peace of mind.
