November 03, 2025
Last December, an accounts payable clerk at a mid-sized firm received an urgent text appearing to come from the "CEO": Purchase $3,000 in Apple gift cards for clients, scratch the backs, and email over the codes. Though it seemed suspicious, the message bore the boss's name and it was the chaotic holiday season. By the time she confirmed, the gift cards were already spent by scammers, causing a financial loss to the business.
While that scam hurt, some are far more destructive. That same month, Orion S.A., a chemical manufacturer in Luxembourg, was targeted by a sophisticated fraud. An employee received emails mimicking routine wire transfer requests, likely appearing to come from trusted partners or colleagues. These messages were urgent, seemed legitimate, and matched typical business operations. Without hesitation, the employee completed multiple wire transfers as instructed.
The outcome? Cybercriminals received $60 million — over half the company's annual profits — through fraudulent transfers.
Think your small business is safe from such attacks? Think again. Gift card scams alone caused losses exceeding $217 million in 2023, while business email compromise (BEC) attacks made up 73% of cyber incidents in 2024. The holiday season is a prime target because criminals capitalize on your team's distraction, stress, and increased transaction volume.
5 Critical Holiday Scams Every Employee Must Recognize to Prevent Costly Losses
1. "Your Boss Needs Gift Cards" Scam (The $3,000 Trap)
- The Scam: Impersonators pretend to be executives, pressuring staff to buy gift cards for "clients" or "employee appreciation." In Q1 2024, 37.9% of BEC incidents involved such gift card schemes.
- Prevention: Enforce a strict policy that no gift card purchases proceed without two separate approvals. Train employees that executives never request gift cards via text.
2. Invoice & Payment Alteration Frauds (The High-Stakes Money Switch)
- The Scam: Scammers send fake "updated banking details" or hijack vendor email conversations right when year-end payments are due. For example, in June 2024, the Town of Arlington, MA, lost nearly $500,000 due to this tactic.
- Prevention: Always verify banking changes by calling a previously known phone number—not the one provided in the email. Apply a "phone call confirmation rule" for all financial changes exceeding $5,000.
3. Fake Shipping & Delivery Alerts
- The Scam: Phishing emails or texts claim to be from UPS, FedEx, or USPS, urging recipients to click links to "reschedule delivery."
- Prevention: Instruct staff to type carrier website addresses directly into their browser and to bookmark official tracking pages, rather than clicking links in messages.
4. Malicious Attachments Disguised as Holiday Party Info
- The Scam: Emails arrive with attachments labeled "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware when opened.
- Prevention: Block macros, scan all attachments, and encourage a culture of verifying unexpected files before opening.
5. Fraudulent Holiday Fundraisers
- The Scam: Phishing websites impersonate charities or fake "company match" donation campaigns to steal money or personal information.
- Prevention: Provide employees with an approved charity list and require all donations to be made through official company channels.
Why These Scams Succeed and How You Can Defend Your Business
The same technology that streamlines your business—email, online banking, digital payments—is what hackers exploit. These are not crude scams; they involve sophisticated social engineering combined with in-depth company research.
Firms running regular phishing simulations slash their risk by 60%, yet many small businesses never train staff. Multifactor authentication (MFA) blocks 99% of unauthorized access, but many still rely on passwords alone.
Your Essential Holiday Security Checklist
Prepare your business ahead of the busy season with these critical steps:
- The Two-Person Confirmation Rule: Require verbal verification via a separate channel for transactions above your threshold.
- Strict Gift Card Policy: Document a rule that no gift cards are purchased in response to email or text requests.
- Vendor Payment Verification: Call vendor numbers from existing records to confirm any banking or payment updates.
- Enable Multifactor Authentication: Protect all email, banking, and cloud accounts with MFA.
- Holiday Scam Awareness: Brief your team on these five common scams using real-life examples.
The True Cost of Scams: Beyond Just Money
Though Orion's $60 million loss grabbed headlines, small businesses often suffer deeper hidden impacts:
- Operations halted during peak sales periods
- Lost productivity as teams scramble to respond
- Damaged customer trust if sensitive data is exposed
- Higher insurance premiums after a cybercrime incident
The average cost of a single business email compromise incident is $129,000 — a devastating blow that can sink many small businesses at the most critical time of year.
Keep Your Holidays Bright and Protected
The holiday season should focus on growth and celebration, not recovering from wire fraud. Regular team meetings, clear policies, and layered security measures create a formidable barrier against cybercriminals.
Remember: One phone call verification could have prevented Orion's $60 million loss. With proper awareness and simple safeguards, your business can avoid becoming the next cautionary story.
Ready to secure your team before the New Year? Click here or call us at (918) 770-9150 to book a 15-Minute Discovery Call. We'll guide you through practical, rapid steps to fortify your business. This holiday season, the greatest gift you can give your company is peace of mind.