
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize company received an unexpected text message supposedly from her CEO: "Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them." Although it felt suspicious, the message appeared to come from the boss, and the year-end frenzy left little time to question it. Unfortunately, by the time she confirmed the request, the gift cards were gone, the scammers had vanished with the funds, and the company bore the loss.

While this scam resulted in a painful loss, others can destroy a company entirely. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a far more destructive fraud. An employee received emails that looked like routine wire transfer requests from trusted colleagues or partners. The messages appeared authentic, urgent, and consistent with normal operations. Acting quickly, the employee authorized multiple transfers as directed.

The devastating outcome: $60 million transferred directly into the hands of cybercriminals—over half of Orion's annual profits wiped out in a series of fraudulent wire payments.

Think your small business is too small to target? Think again. Gift card scams drained more than $217 million from businesses in 2023 alone, while business email compromise (BEC) attacks made up 73% of all cyber incidents in 2024. The holiday season presents a prime opportunity for cybercriminals who exploit distracted, stressed teams handling increased transaction volumes.

Top 5 Holiday Scams Your Employees Must Spot (Before They Drain Your Accounts)

1. The Fake Boss Gift Card Request ($3,000 Text Scam)

  • The Scam: Impersonators masquerade as executives, pressuring staff to buy gift cards for "clients" or "employee bonuses." In Q1 2024, 37.9% of BEC attacks involved gift card fraud.
  • How to Prevent: Implement a strict policy requiring two levels of approval before any gift card purchase. Train employees that executives will never request gift cards via text messages.

2. Altered Invoice and Payment Details (The High-Stakes Money Grab)

  • The Scam: Cybercriminals send fake "updated banking info" or hijack vendor email threads right before year-end payments. For example, in June 2024, the Town of Arlington, MA, lost nearly $500,000 to this deception.
  • How to Prevent: Always confirm any changes to banking information through a previously verified phone number—not the email. Enforce a "phone call rule" for all monetary changes over $5,000.

3. Deceptive Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS, often including links to "reschedule" deliveries that install malware.
  • How to Prevent: Educate employees to visit carrier websites directly by typing the URL or using bookmarks, avoiding suspicious links.

4. Malicious Attachments Disguised as Holiday Party Files

  • The Scam: Emails with attachments labeled "Holiday_Schedule.pdf" or "Party_List.xls" that secretly install malware when opened.
  • How to Prevent: Disable macros, scan all attachments thoroughly, and promote a culture where unexpected files are always verified.

5. Fake Holiday Fundraising Campaigns

  • The Scam: Phishing websites pretending to be legitimate charities or fake "company match" drives to steal money or data.
  • How to Prevent: Distribute an approved charity list and mandate donations only through official platforms.

Why These Scams Succeed—and How You Can Defend Your Business

Efficiency tools like email, online banking, and digital payments also open doors for cybercriminals. These aren't your typical "Nigerian prince" scams—they are highly sophisticated social engineering attacks tailored to your company.

Companies that conduct regular phishing drills reduce their risk by up to 60%, yet many small businesses skip this essential training. Multifactor authentication (MFA) blocks 99% of unauthorized logins, but too many still rely solely on passwords.

Your Essential Holiday Security Checklist

Prepare your team before the holiday season is in full swing:

  • The Two-Person Rule: Require verbal confirmation through a separate channel for any transaction exceeding your preset limit.
  • Strict Gift Card Policy: Establish written rules forbidding gift card purchases via email or text.
  • Vendor Verification: Verify any changes to banking or payment information by calling numbers you already have on file.
  • Enable Multifactor Authentication: Protect all email, banking, and cloud services with MFA.
  • Raise Holiday Awareness: Educate your team about these five scams using real-world examples.
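
The payment-related items on this checklist can be enforced as a release gate in an accounts payable workflow. The sketch below is an added example, not part of the original article: the record layout, function name and sample data are hypothetical, and the $5,000 limit is taken from the "phone call rule" above.

```python
from dataclasses import dataclass, field

CALLBACK_LIMIT = 5_000                  # dollars; the "phone call rule" threshold
UNTRUSTED_CHANNELS = {"email", "text"}  # never sufficient on their own

@dataclass
class PaymentRequest:                   # hypothetical accounts-payable record
    requester: str
    kind: str                           # "wire", "gift_card" or "bank_change"
    amount: float
    channel: str                        # how the request arrived
    counterparty: str = ""              # vendor or person to be paid
    approvers: set = field(default_factory=set)
    callback_number: str = ""           # number actually dialled to confirm

def review(req, on_file):
    """Return policy violations for req; an empty list means it may proceed."""
    problems = []
    independent = req.approvers - {req.requester}  # self-approval never counts
    if req.kind == "gift_card":
        if req.channel in UNTRUSTED_CHANNELS:
            problems.append("gift card requested via " + req.channel)
        if len(independent) < 2:
            problems.append("gift card lacks two independent approvals")
    over_limit = req.amount > CALLBACK_LIMIT
    if over_limit and not independent:
        problems.append("no second person confirmed the transaction")
    if over_limit or req.kind == "bank_change":
        # The callback must go to the number already on file, not to one
        # supplied in the request itself.
        if not req.callback_number:
            problems.append("no verification call made")
        elif req.callback_number != on_file.get(req.counterparty):
            problems.append("callback number is not the one on file")
    return problems

# Constructed sample data (not from any real incident).
ON_FILE = {"Acme Supply": "555-0100"}
SAMPLES = {
    "gift_cards": PaymentRequest("ap-clerk", "gift_card", 3_000, "text"),
    "bank_change": PaymentRequest("ap-clerk", "bank_change", 0, "email",
                                  "Acme Supply", {"controller"}, "555-0199"),
    "verified_wire": PaymentRequest("ap-clerk", "wire", 12_000, "email",
                                    "Acme Supply", {"controller"}, "555-0100"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", review(req, ON_FILE) or "release")
```

A counterparty with no number on file fails the callback check by design, so a new vendor has to be verified and recorded before any payment can be released.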

The True Impact Goes Beyond Money

While Orion's $60 million loss hit headlines, the invisible costs can be even harsher for smaller companies:

  • Disruption of operations during your busiest seasons.
  • Lost productivity as employees scramble to recover.
  • Damaged customer trust if sensitive data leaks.
  • Increased insurance premiums following a cyber breach.

On average, business email compromise incidents cost companies $129,000—enough to sink many small businesses at the worst time of year.

Protect Your Holidays From Chaos

The holiday season should focus on growth and celebration—not recovery from wire fraud. Small team meetings, clear policies, and layered security measures can effectively keep fraudsters out of your financial workflows.

Remember: A simple verification call could have stopped Orion's catastrophic $60 million loss. With the right mindset and checks, your business can avoid becoming the next cautionary story.

Ready to secure your team before the New Year? Click here or call us at 703-879-2070 to arrange a 15-Minute Discovery Call. We'll guide you through practical, fast steps to protect your business from cyber threats. This holiday season, give your company the invaluable gift of peace of mind.