The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

Last December, an accounts payable clerk at a midsize firm received a sudden text purportedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and send them by e-mail. Though it seemed suspicious, the message carried the boss's name, and the hectic holiday period left her little time to question it. By the time she verified, the cards were already gone, the scammer had vanished with the money, and the company was left to absorb the loss.

While that scam was costly, others can devastate an entire business. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a far more severe fraud. An employee received what appeared to be routine email requests for wire transfers, seemingly sent by trusted colleagues or partners. The requests appeared authentic, urgent, and in line with regular business activities. Without a second thought, the employee processed multiple transfers as instructed.

The consequence? Sixty million dollars lost to cybercriminals—over half the company's annual profits vanished through a series of fraudulent wire transactions.

Think your small business is safe from attack? Think again. In 2023 alone, gift-card scams cost companies over $217 million, and by 2024, business email compromise attacks made up 73% of cyber incidents. The holidays are prime targets because criminals exploit your team's distraction, stress, and increased transaction volume.

Top 5 Holiday Scams Your Employees Must Recognize (To Prevent Costly Losses)

1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)

• The scam: Impersonators pretend to be executives, pressuring employees to buy gift cards for "clients" or "employee rewards." In Q1 2024, gift-card scams accounted for 37.9% of business email compromise cases.
• Prevention: Establish strict company policies requiring dual approvals for gift card purchases. Train staff to never accept gift card requests via text messages from executives.

2. Invoice & Payment Diversions (The High-Stakes Fraud)

• The scam: Cybercriminals send fake "updated banking information" or hijack supplier email threads just before year-end payments. In June 2024, Arlington, MA lost nearly $500,000 this way.
• Prevention: Always verify banking changes using pre-existing, trusted phone numbers—not the ones provided in suspicious emails. Implement a "phone call confirmation" rule for all financial adjustments exceeding $5,000.

3. Fake Shipping and Delivery Alerts

• The scam: Phishing emails or texts impersonate UPS, FedEx, or USPS with links urging recipients to "reschedule delivery."
• Prevention: Instruct employees to access carriers' websites directly by typing URLs or using bookmarks instead of clicking suspicious links.

4. Malicious Attachments Disguised as Holiday Party Info

• The scam: Emails with attachments named "Holiday_Schedule.pdf" or "Party_List.xls" infect devices with malware upon opening.
• Prevention: Block macros, require scanning of all attachments, and encourage verifying unexpected files before opening.

5. Fake Holiday Fundraisers

• The scam: Fraudulent sites mimic charities or fake "company match" campaigns to steal money or personal data.
• Prevention: Distribute an approved list of trusted charities and require all donations to be processed through official company channels.

Why These Attacks Keep Succeeding—And How To Defend Against Them

The very technologies that streamline business—email, online banking, digital payments—are exploited by cybercriminals. These aren't just obvious scams from unknown senders; attackers use sophisticated social engineering combined with detailed company research.

Companies performing consistent phishing simulations cut their risk by 60%. Yet many small businesses skip employee training. Likewise, enabling multifactor authentication (MFA) blocks 99% of unauthorized access, but many organizations still rely solely on passwords.

Holiday Cybersecurity Checklist for Your Business

Get ahead of holiday scams with these essential steps:

• Dual Approval Rule: Any transaction exceeding your preset limit requires confirmation via a separate phone call.
• Gift Card Restrictions: Enforce a strict policy banning gift card purchases requested through emails or texts.
• Vendor Verification: Always verify payment or banking changes by contacting vendors on phone numbers already on file.
• Enable MFA: Activate multifactor authentication for all email, banking, and cloud platforms.
• Holiday Scam Awareness: Educate your team about these five common scams using real-life examples.

The True Price of Cyberattacks: Beyond Money Lost

Though Orion's $60 million setback attracted headlines, the hidden repercussions often hit smaller companies harder:

• Disrupted operations during your busiest season.
• Lost productivity as teams tackle remediation efforts.
• Diminished customer trust if sensitive data is compromised.
• Increased insurance costs following cyber incidents.

The average loss from a business email compromise event is $129,000—potentially devastating for many small businesses, especially during the critical holiday season.

Protect Your Holidays: Keep Them Happy, Not Hacked

The holidays are a time for growth and celebration—not recovering from wire fraud. A brief team meeting, clear policies, and layered security measures can significantly reduce your exposure to cybercrime.

Remember, the Orion employee could have stopped the $60 million loss with a quick verification call. By fostering awareness and performing simple checks, your business can avoid becoming the next cautionary story.

Want to ensure your team is cybersecure before the New Year? Click here or call us at 919-741-5468 to schedule a 15-Minute Discovery Call. We'll guide you through straightforward, effective steps to safeguard your business. Don't let cybercriminals ruin your holiday success. The best gift you can give your business this season is peace of mind.