
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a midsize company's accounts payable clerk received a startling text from someone pretending to be her CEO: "Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately." Although it seemed suspicious, the message appeared to come from her boss, and during the hectic holiday season, she acted quickly. By the time she realized it was a scam, the gift cards were already redeemed and the company suffered the financial loss.

While this scam causes financial pain, some attacks can devastate a business completely. That same month, Luxembourg-based chemical firm Orion S.A. faced an even more severe fraud. An employee received what looked like normal wire transfer requests, seemingly from trusted colleagues or partners. The urgent and routine nature of the emails led the employee to process multiple transfers without hesitation.

The outcome? Cybercriminals fraudulently withdrew $60 million—more than half of Orion's annual profits—through a series of fake wire transfers.

Think your small business is safe? Gift card scams alone drained over $217 million from companies in 2023, and business email compromise (BEC) attacks made up 73% of all cyber incidents in 2024. Attackers capitalize on the holiday season, knowing teams are distracted, stressed, and handling increased transaction volumes.

Top 5 Holiday Scams Your Employees Must Recognize to Prevent Costly Losses

1. "Urgent Gift Card Requests from Your Boss" (The $3,000 Text Scam)

  • How it works: Scammers impersonate executives, pressuring staff to buy gift cards labeled for clients or employee appreciation. In early 2024, nearly 38% of BEC incidents involved gift card fraud.
  • How to prevent it: Enforce a strict company policy requiring two approvers for gift card purchases. Train employees that leaders will never request gift cards via text messages.

2. Invoice & Payment Diversion (High-Stakes Financial Deception)

  • The scam: Fraudsters send "updated bank details" or hijack vendor email conversations near payment deadlines. For example, the Town of Arlington, MA, lost close to $500,000 to this scam in June 2024.
  • Preventive steps: Always verify any banking changes by calling a trusted phone number unrelated to the email. Implement a "phone call confirmation" policy for transactions over $5,000.

3. Fake Shipping & Delivery Alerts

  • Scam details: Phishing emails or texts masquerade as delivery services like UPS, FedEx, or USPS, including links to "reschedule deliveries."
  • Protection tips: Educate staff to type courier websites directly into their browsers and bookmark official tracking pages to avoid clicking on fraudulent links.

4. Malicious Holiday Party Email Attachments

  • How it works: Emails contain attachments such as "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware upon opening.
  • Preventive measures: Block macros in documents, run attachment scans, and cultivate a culture where unexpected files are verified before opening.

5. Fraudulent Holiday Fundraising Schemes

  • Scam details: Phishing websites spoof legitimate charities or fake "company match" initiatives to steal donations and sensitive data.
  • How to defend: Publish an approved charity list and mandate that all donations be processed through official channels.

Why These Scams Succeed and How You Can Stop Them

Modern business tools (email, online banking, and digital payments) are also the avenues cybercriminals exploit. Today's scams are highly sophisticated, targeted social engineering attacks, not the generic "Nigerian prince" emails of the past.

Companies conducting frequent phishing simulations reduce their risk by 60%, yet many small businesses skip employee training. Multifactor authentication (MFA) blocks 99% of unauthorized access, but numerous firms still rely on passwords alone.

Your Essential Holiday Cybersecurity Checklist

Prepare your team before the holiday rush with these critical steps:

  • Two-Person Verification: Require verbal confirmation via a different communication channel for all transactions exceeding your threshold.
  • Gift Card Policy: Establish and enforce a written rule forbidding gift card purchases through email or texts.
  • Vendor Banking Confirmation: Always validate payment or bank details changes via known phone numbers.
  • Enable Multifactor Authentication: Activate MFA across email, banking platforms, and cloud services.
  • Holiday Scam Awareness: Educate your team on these top five scams using real-life examples.
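
The payment rules in this checklist can also be enforced as a pre-release check in an accounts payable workflow. The sketch below is an added example, not part of the original article; the field names, vendor record, and sample requests are hypothetical and constructed for illustration, and the $5,000 threshold is the one suggested earlier in the article.

```python
from dataclasses import dataclass, field, replace

CALLBACK_THRESHOLD = 5000  # article's example threshold for phone confirmation

# Constructed vendor master record: numbers on file before any request arrived.
VENDOR_PHONES = {"acme-supplies": "+1-555-0100"}

@dataclass
class PaymentRequest:
    requester: str
    channel: str                # how the request arrived: "email", "sms", "erp"
    kind: str                   # "gift_card", "wire", "invoice"
    amount: float
    vendor: str = ""
    bank_details_changed: bool = False
    approvers: set = field(default_factory=set)
    callback_number: str = ""   # number actually dialed to confirm, if any

def hold_reasons(req: PaymentRequest) -> list:
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    # Approvers only count if they are people other than the requester.
    independent = req.approvers - {req.requester}
    if req.kind == "gift_card":
        if req.channel in ("email", "sms"):
            reasons.append("gift card requested by email/text")
        if len(independent) < 2:
            reasons.append("gift card needs two independent approvers")
    if req.bank_details_changed or req.amount > CALLBACK_THRESHOLD:
        on_file = VENDOR_PHONES.get(req.vendor)
        # The callback only counts if it went to the number already on file,
        # never to a number supplied in the request itself.
        if not on_file or req.callback_number != on_file:
            reasons.append("no callback to phone number on file")
    return reasons

# Constructed sample requests.
CEO_TEXT = PaymentRequest("clerk", "sms", "gift_card", 3000, approvers={"clerk"})
VENDOR_CHANGE = PaymentRequest("ap1", "email", "invoice", 4200,
                               vendor="acme-supplies", bank_details_changed=True,
                               approvers={"mgr"}, callback_number="+1-555-0199")
VERIFIED = replace(VENDOR_CHANGE, callback_number="+1-555-0100")

if __name__ == "__main__":
    for name, req in [("ceo_text", CEO_TEXT), ("vendor_change", VENDOR_CHANGE),
                      ("verified", VERIFIED)]:
        print(name, hold_reasons(req) or "release")
```

The vendor change is held even though someone made a confirmation call, because the number dialed was not the one already on file.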

The True Impact: Beyond Financial Loss

Though Orion's $60 million theft was headline news, smaller companies often experience deeper hidden consequences:

  • Disrupted operations during peak holiday season.
  • Falling productivity as teams scramble to resolve issues.
  • Damaged customer trust if client data is compromised.
  • Increased insurance costs following cyber incidents.

The average business email compromise loss reaches $129,000—enough to critically damage many small businesses at the worst time of the year.

Keep Your Holiday Season Secure and Stress-Free

Holidays should focus on growth and celebration—not recovering from wire fraud attacks. A simple team briefing, smart policies, and layered security measures can protect your business from cybercriminals.

Remember, a single verification call could have prevented Orion's $60 million loss. With the right awareness and straightforward checks, your business won't become the next cautionary story.

Ready to fortify your team before the New Year? Click here or call us at 503-210-5203 to schedule a Systems Assessment. We'll guide you through simple, effective steps to safeguard your business. Protect your holiday success with the invaluable gift of peace of mind.