November 03, 2025
Last holiday season, a mid-sized company's accounts payable clerk received a suspicious text supposedly from her CEO: "Purchase $3,000 in Apple gift cards for clients, scratch off the backs, and email the codes." Although it seemed unusual, the message appeared to come directly from her boss during a hectic period. Unfortunately, by the time she verified the request, the scammer had already cashed out, leaving the company to absorb the financial loss.
While this scam caused a painful setback, some attacks can devastate entire organizations. That same month, Orion S.A., a chemical manufacturer from Luxembourg, endured a far costlier breach. An employee received what looked like authentic email requests for wire transfers, seemingly from trusted partners or colleagues. Because the requests were urgent and consistent with normal business practice, they were fulfilled without hesitation.
The consequence? Cybercriminals walked away with $60 million, wiping out over half the company's yearly profits via fraudulent wire transfers.
If you believe your small business is too insignificant to attract scammers, reconsider. In 2023 alone, gift card fraud drained over $217 million from businesses, while business email compromise (BEC) attacks represented 73% of cyber incidents in 2024. The holiday season creates the perfect storm—your team is busy, distracted, and juggling more transactions, making your company a prime target.
Top 5 Holiday Scams Every Employee Must Recognize to Avoid Costly Losses
1. "Urgent Gift Card Requests From Leadership" (The $3,000 Text Trap)
- How it works: Scammers impersonate executives, pressuring employees to purchase gift cards under the guise of client gifts or recognition. Gift-card scams made up 37.9% of BEC incidents in early 2024.
- How to prevent: Enforce a strict policy requiring dual approvals before any gift card purchase. Train your team that executives will never request gift cards through text messages.
2. Invoice & Payment Redirection Frauds (The High-Stakes Switch)
- How it works: Scammers send fake "updated banking info" or hijack vendor email threads right before year-end payments. For example, the Town of Arlington, MA lost nearly $500,000 to this scam in June 2024.
- How to prevent: Always confirm banking updates by calling verified phone numbers from existing records—not numbers included in emails. Implement a mandatory phone call verification for all financial changes over $5,000.
3. Fake Delivery Notifications
- How it works: Phishing emails or texts masquerade as UPS, FedEx, or USPS notifications, tricking employees into clicking malicious "reschedule delivery" links.
- How to prevent: Educate your team to visit carrier websites directly by typing URLs or using bookmarks. Avoid clicking on suspicious links in delivery notices.
4. Malicious Attachments Labeled as Holiday Party Details
- How it works: Emails with attachments like "Holiday_Schedule.pdf" or "Party_List.xls" can install malware when opened.
- How to prevent: Block macros, scan all attachments before opening, and create a culture where staff verify unexpected files before downloading.
5. Fraudulent Holiday Fundraising Appeals
- How it works: Phishing websites imitate charities or fake "company matching" campaigns aiming to steal money or sensitive data.
- How to prevent: Provide employees with a vetted list of approved charities and require that donations go exclusively through official company portals.
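As an added illustration (not code from the article), here is a small Python triage that applies the "How it works" patterns from scams 1 and 2 to a constructed sample email: an executive's display name on an outside address, a Reply-To pointing elsewhere, a lookalike vendor domain, and gift-card or banking-change wording. The executive roster, vendor domain and sample message are assumptions made for the example; a real mail filter would use the company's own directory.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumed names and domains, not from the article).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
VENDOR_DOMAINS = {"acme-supplies.com"}
PATTERNS = {  # lures from scams 1 and 2, as simple keyword checks on subject + body
    "gift-card-request": re.compile(r"\bgift\s*cards?\b", re.I),
    "banking-change": re.compile(r"\b(new|updated?)\b.{0,20}\b(bank|account|wire|routing)", re.I),
}
IDENTITY_FLAGS = {"exec-impersonation", "reply-to-mismatch", "lookalike-vendor-domain"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike_vendor(domain):
    """Not a known vendor domain, but within a character or two of one (typosquat)."""
    return domain not in VENDOR_DOMAINS and any(
        SequenceMatcher(None, domain, v).ratio() >= 0.9 for v in VENDOR_DOMAINS)

def triage(raw_message):
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    flags = {flag for flag, pat in PATTERNS.items() if pat.search(text)}
    # Executive's display name on an address that is not that executive's mailbox.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        flags.add("exec-impersonation")
    # Replies silently routed to a domain other than the apparent sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.add("reply-to-mismatch")
    if lookalike_vendor(domain_of(addr)):
        flags.add("lookalike-vendor-domain")
    # Lure + suspicious identity: hold for a phone call-back; lure alone: review; else ok.
    lure = flags & set(PATTERNS)
    verdict = "ok" if not lure else ("hold-for-callback" if flags & IDENTITY_FLAGS else "review")
    return verdict, sorted(flags)

# Constructed sample: the gift-card text from the article, recast as an email.
GIFT_CARD_MAIL = """From: Jane Doe <jane.doe@freemail.example>
Reply-To: ceo.office@mailer.example
Subject: Urgent client gift cards

Please purchase $3,000 in Apple gift cards for clients, scratch off the backs and email me the codes.
"""
```

The verdict maps onto the checklist below: "hold-for-callback" means nobody acts until the request is confirmed by phone on a number from existing records.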
Why These Scams Succeed & How Your Business Can Defend Against Them
Modern business tools like email, online banking, and digital payments drive efficiency but also open doors for cybercriminals. These attacks aren't your grandma's Nigerian prince scams — they're sophisticated blends of social engineering and extensive company research.
Companies that conduct regular phishing tests reduce risks by up to 60%, yet many small businesses skip employee training altogether. Multifactor authentication (MFA) would block 99% of unauthorized access, but some businesses still rely solely on passwords.
Your Essential Holiday Cybersecurity Checklist
Prepare your team with these critical safeguards before the holiday rush:
- The Two-Person Rule: All transactions above your defined limit must be verbally confirmed through a separate channel.
- Strict Gift Card Policy: Clearly state that gift-card purchases are prohibited via email or text.
- Vendor Confirmation: Verify any payment or banking changes by calling established vendor contacts using numbers from your records.
- Enable Multifactor Authentication: Apply MFA to all email, banking, and cloud services.
- Holiday Scam Awareness: Educate your team on these five common scams using real-world examples.
The True Impact: Beyond Finances
Though Orion's $60 million loss gained media attention, smaller businesses often face even harsher hidden costs:
- Disrupted operations during critical peak periods
- Downtime and lost productivity as staff respond to breaches
- Damage to customer trust if sensitive client information is exposed
- Increased insurance premiums following cyber incidents
With an average loss of $129,000 per BEC attack, many small businesses face closure risks—especially during their busiest season.
Keep Your Holidays Bright and Secure
The holiday season should focus on growth and celebration—not cleaning up after cyber fraud. A quick team huddle, practical policies, and layered security measures can effectively keep thieves out of your financial records.
Remember: The Orion employee could have stopped a $60 million catastrophe with a single verification call. With proper awareness and simple checks, your business can be the one that thrives, not falls victim this holiday season.
Ready to secure your team before the New Year? Click here or call us at 303-415-2702 to schedule your 15-Minute Discovery Call. We'll guide you through fast, actionable steps to protect your business. Don't let cybercriminals ruin your holiday success—give your company the gift of peace of mind today.