The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a mid-sized company's accounts payable clerk received a suspicious text from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them. Although it seemed unusual, the message appeared to come from the boss and holiday chaos was at its peak. By the time she verified, the scammer had already cashed out, and the company suffered the loss.

While this gift card scam hurt, others can devastate a business completely. In the same month, Luxembourg-based chemical manufacturer Orion S.A. fell prey to a far more destructive scheme. An employee received what looked like standard urgent wire transfer requests—seemingly from trusted colleagues or partners. Without hesitation, they processed several transfers as instructed.

The outcome? $60 million vanished into the hands of cybercriminals—over half the company's annual profits lost through a series of fraudulent wire transfers.

Think your small business isn't a target? Think again. In 2023 alone, gift card scams cost businesses more than $217 million, while business email compromise attacks accounted for 73% of cyber incidents in 2024. The holiday season is prime time for attackers exploiting distractions, stress, and increased transactional volume.

5 Critical Holiday Scams Every Employee Must Know to Protect Your Business

1. "Your Boss Needs Gift Cards" - The $3,000 Text Trap

  • The Scam: Impersonators pose as executives and pressure employees to buy gift cards for "clients" or "staff appreciation." Gift card scams made up 37.9% of business email compromise cases in early 2024.
  • How to Prevent It: Enforce a strict policy requiring two approvals before any gift card purchases. Train staff that executives will never request gift cards via text messages.

2. Invoice & Payment Details Fraud - The High-Stakes Money Play

  • The Scam: Fraudsters send "updated banking info" or hijack vendor email threads near billing deadlines. For example, Arlington, MA lost nearly $500,000 this way in June 2024.
  • How to Prevent It: Always verify banking changes by calling known numbers—not those provided in emails. Establish a "phone call rule" for all financial changes exceeding $5,000.

3. Fake Shipping & Delivery Notifications

  • The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS, containing links claiming to "reschedule delivery."
  • How to Prevent It: Teach employees to access carrier websites by typing the URL directly or bookmarking official tracking pages rather than clicking suspicious links.

4. Malicious "Holiday Party" Attachments

  • The Scam: Emails including attachments titled "Holiday_Schedule.pdf" or "Party_List.xls" may contain malware that installs when opened.
  • How to Prevent It: Block macros, scan all attachments, and promote a culture of verifying unexpected files before opening.

5. Fake Holiday Fundraisers

  • The Scam: Fraudulent websites mimic charities or fake "company match" giving campaigns to steal money or sensitive data.
  • How to Prevent It: Develop an approved list of charities, directing all donations through verified company portals only.

Why These Attacks Succeed & How to Protect Your Business

The digital tools that streamline business—like email, online banking, and digital payments—are the very channels scammers exploit. These are not the outdated "Nigerian prince" scams, but sophisticated attacks expertly blending social engineering with company-specific research.

Businesses that regularly conduct phishing simulations reduce their risk by 60%, yet most small businesses neglect employee training. Though multifactor authentication blocks 99% of unauthorized access attempts, many companies still rely solely on passwords.

Your Essential Holiday Cybersecurity Checklist

Before the holiday rush, make sure to:

  • Two-Person Verification Rule: Require verbal confirmation via separate channels for any transaction over your company's threshold.
  • Gift Card Policy: State clearly that gift card purchases requested by email or text are not allowed.
  • Vendor Check-In: Confirm all banking or payment info changes by calling pre-existing numbers on file.
  • Enable Multifactor Authentication: Protect all email, banking, and cloud services with MFA.
  • Holiday Scam Awareness: Educate your team on these five scams using real-world examples.

The True Impact: More Than Just Financial Losses

While Orion's $60 million loss made headlines, smaller businesses often face hidden damages such as:

  • Disrupted operations during peak sales periods
  • Lost productivity as staff scramble to respond
  • Damaged customer trust if client data is compromised
  • Increased insurance premiums after cyber incidents

On average, each business email compromise incident costs $129,000—enough to cripple many small companies at their busiest and most vulnerable times.

Keep Your Holidays Safe, Secure, and Stress-Free

The holidays should focus on growth and celebration—not recovery from wire fraud. By holding staff briefings, implementing smart policies, and layering security measures, you can significantly reduce your risk.

Remember: A simple verification call could have prevented the $60 million loss at Orion. With the right training and safeguards, your business can avoid becoming the next cautionary story.
