The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a mid-sized company received a sudden text from her "CEO" instructing her to purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them back. Though it felt suspicious, the request appeared to come directly from her boss during the hectic holiday season. By the time she verified, the gift cards were already gone, the scammer had vanished, and the company suffered a costly financial loss.

While that scam was painful, other cybercrimes can devastate businesses even more. That same month, Luxembourg-based chemical firm Orion S.A. was targeted by a sophisticated scam. An employee received seemingly normal email requests for wire transfers—appearing to come from trusted colleagues or partners. Because the requests were urgent and routine, the employee authorized several transfers without hesitation.

The outcome was catastrophic: $60 million sent directly to cybercriminals—over half of the company's annual profits vanished in fraudulent wire transfers.

If you believe your small business is immune, think again. In 2023, gift card scams alone caused over $217 million in damages, and business email compromise attacks made up 73% of all cyber incidents in 2024. Businesses are particularly vulnerable during the holiday season because criminals exploit the distractions, stress, and increased transaction volume your team faces.

5 Critical Holiday Scams Your Team Must Recognize (Before They Drain Your Finances)

1. "Urgent Boss Gift Card Requests" (The $3,000 Text Scam)

  • The Scam: Impersonators pose as executives urging employees to buy gift cards for "clients" or "employee rewards." In Q1 2024 alone, 37.9% of business email compromise incidents involved gift card scams.
  • How to Prevent: Enforce a strict company policy requiring two separate approvals for gift card purchases. Educate staff that executives will never request gift cards via text messages.

2. Invoice and Payment Diversions (High-Stakes Fraud)

  • The Scam: Hackers send fake "updated banking info" or hijack vendor emails as year-end payments approach. For example, in June 2024, the Town of Arlington, MA lost nearly $500,000 due to this tactic.
  • How to Prevent: Always confirm banking changes through a known phone number, never the one provided in email. Implement a "phone call rule" for any financial changes over $5,000.

3. Fake Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS with links inviting victims to "reschedule deliveries."
  • How to Prevent: Train employees to manually type carrier websites in their browsers or bookmark verified tracking pages, avoiding suspicious links.

4. Infectious "Holiday Party" Email Attachments

  • The Scam: Emails with attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that secretly install malware when opened.
  • How to Prevent: Disable macros, scan incoming attachments thoroughly, and foster a culture of verifying unexpected files before opening.

5. Fraudulent Holiday Fundraising Campaigns

  • The Scam: Fake charity websites or bogus "company match" donation drives designed to steal funds or personal information.
  • How to Prevent: Provide an approved charity list and require all donations to be processed via official channels.

Why These Cyber Attacks Succeed (And How to Defend Against Them)

While digital tools like email, online banking, and electronic payments streamline your operations, they also create vulnerabilities scammers exploit. These aren't crude "Nigerian prince" scams but highly tailored attacks blending social engineering with detailed company knowledge.

Businesses conducting regular phishing simulations reduce risks by 60%. Yet many small enterprises skip comprehensive employee training. Multifactor authentication can block 99% of unauthorized logins, but many still depend solely on passwords.

Holiday Security Checklist: Shield Your Business Today

Before the holiday rush, implement these vital safeguards:

  • Two-Person Authorization: All transactions exceeding your established limit need verbal confirmation via a separate communication channel.
  • Gift Card Protocol: Document clearly that no gift cards are to be purchased in response to requests made by email or text.
  • Vendor Verification: Verify any banking or payment updates by calling phone numbers on file, never relying on emailed info.
  • Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud systems.
  • Holiday Scam Awareness: Educate your team about these five common scams using real-life examples.

The Hidden Toll: Beyond Financial Loss

While Orion's $60 million loss captured headlines, smaller businesses often suffer in less visible ways:

  • Operations freeze during peak sales periods
  • Lost productivity as staff tackle recovery efforts
  • Deterioration of customer trust if sensitive data leaks
  • Rising insurance premiums following cyber incidents

The average cost per business email compromise hit $129,000—an amount capable of sinking many small enterprises at the worst possible moment.

Protect Your Holidays: Stay Safe and Celebrate Successfully

The holiday season should focus on growth and celebration—not recovering from wire fraud. With a quick team briefing, smart policies, and layered security, you can effectively keep cybercriminals away from your finances.

Remember: Orion's employee could have averted a $60 million loss with one simple phone call verification. With the right vigilance and easy checklists, your business won't be the next cautionary story.

Want to lock down your team before the New Year? Call us at 801-997-8000 to book a 10-Minute Discovery Call and discover quick, practical strategies to safeguard your business. Don't let cyber thieves ruin your holiday achievements. Give your company the gift of peace of mind this season.