The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Just last December, an accounts payable clerk at a mid-sized company received a suspicious urgent text "from the CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. It seemed unusual, but the message bore the boss's name during a hectic holiday season. By the time she verified, the scam was complete—the gift cards were gone, the cybercriminals had cashed out, and the company suffered the loss.

While that scam stings, others can devastate businesses entirely. That same month, Luxembourg's Orion S.A., a chemical manufacturer, fell prey to a far more destructive fraud. An employee received what looked like routine wire transfer requests—appearing to come from trusted colleagues or partners. The urgent and seemingly normal requests led the employee to execute multiple transfers without hesitation.

The outcome? A staggering $60 million transferred straight to cybercriminals—over half of the company's annual profits lost through fraudulent wire transfers.

Think your small business is safe? Think again. In 2023, businesses lost more than $217 million to gift card scams alone, and in 2024, business email compromise attacks made up 73% of all cyber incidents. The holidays present the perfect storm—your team is busy, under stress, and handling an influx of transactions.

Top 5 Holiday Scams Your Employees Must Recognize (Before They Cost You Thousands)

1. The "Boss Needs Gift Cards" Text Scam ($3,000 Trap)

  • The Scam: Impersonators pretend to be executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, gift card schemes accounted for 37.9% of business email compromise incidents.
  • Prevention: Enforce a company policy requiring two approvals before any gift card purchase. Train employees that executives will never ask for gift cards via text.

2. Invoice and Payment Hijacking (The Costly Money Grab)

  • The Scam: Fraudsters send fake "updated banking details" or intrude on vendor email threads near year-end payment deadlines. In June 2024, the Town of Arlington, MA lost nearly $500,000 to this scheme.
  • Prevention: Always verify banking changes via a trusted phone number—not the one in the email. Implement a "phone call rule" for all financial changes above $5,000.

3. Fake Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts posing as UPS, FedEx, or USPS asking recipients to "reschedule delivery" through malicious links.
  • Prevention: Educate employees to type carrier websites directly into browsers. Bookmark official tracking pages to avoid risky links.

4. Dangerous "Holiday Party" Attachments

  • The Scam: Emails containing attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that install malware when opened.
  • Prevention: Disable macros, scan all attachments, and encourage verifying unexpected files as routine practice.

5. Fake Holiday Fundraising Campaigns

  • The Scam: Phishing sites mimic charities or create bogus "company match" campaigns to steal money or personal data.
  • Prevention: Distribute a list of approved charities and require donations to be made only through official company portals.

Why These Attacks Succeed—and How You Can Stop Them

The tools driving business efficiency—email, online banking, digital payments—are also exploited by scammers. These aren't your typical "Nigerian prince" emails; they are carefully crafted, targeted attacks combining social engineering with detailed company research.

Companies that run regular phishing drills reduce their risk by 60%, yet many small businesses never train staff. Multifactor authentication prevents 99% of unauthorized logins, but numerous organizations still depend solely on passwords.

Your Essential Holiday Security Checklist

Get prepared before the holiday rush with these key steps:

  • Two-Person Verification: Any transaction exceeding your set threshold requires verbal confirmation through a separate communication channel.
  • Strict Gift Card Rules: Establish and communicate a firm policy banning gift cards bought via email or text.
  • Vendor Confirmation: Always verify any banking or payment changes by calling trusted numbers already on file.
  • Enable Multifactor Authentication: Apply MFA across all email, banking, and cloud services.
  • Holiday Scam Awareness: Educate your team on these five key scams, using real examples for clarity.
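
The payment rules from this checklist can also be enforced as an automated hold in an accounts payable workflow. The sketch below is an added example, not code from this article's author; the vendor file, field names, sample values and the rule that a requester cannot approve their own request are assumptions made for illustration.

```python
from dataclasses import dataclass, field

CALLBACK_THRESHOLD = 5_000  # the article's "phone call rule" amount, in dollars

# Constructed vendor master file: bank account and phone number already on file.
VENDORS = {"Acme Supply": {"account": "ACCT-1111", "phone": "555-0100"}}

@dataclass
class PaymentRequest:
    payee: str
    amount: float
    kind: str                 # "wire" or "gift_card"
    channel: str              # how the request arrived: "email", "text", "portal"
    requester: str = ""       # employee who entered the request
    account: str = ""         # account the request asks us to pay
    called_number: str = ""   # number actually dialed to confirm, if any
    approvers: set = field(default_factory=set)

def review(req, vendors=VENDORS):
    """Return the reasons to hold a payment; an empty list means release."""
    holds = []
    if req.kind == "gift_card":
        if req.channel in ("email", "text"):
            holds.append("gift card requested by email or text")
        # Assumption: the requester does not count as one of the two approvers.
        if len(req.approvers - {req.requester}) < 2:
            holds.append("gift card needs two approvals")
        return holds
    vendor = vendors.get(req.payee)
    if vendor is None:
        # Assumption: payees must exist in the vendor file before being paid.
        return ["payee not in vendor master file"]
    changed = req.account != vendor["account"]
    # A call only counts if it went to the number on file, never to a
    # number supplied in the request itself.
    verified = req.called_number == vendor["phone"]
    if changed and not verified:
        holds.append("bank details changed without callback to number on file")
    if req.amount > CALLBACK_THRESHOLD and not verified:
        holds.append("amount over threshold without callback to number on file")
    return holds
```

A request that changes bank details stays on hold even if someone phoned the number given in the email; only a call to the number already on file clears it.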

The True Price: Beyond Financial Loss

The $60 million loss at Orion made headlines, but the hidden impacts often hit small businesses hardest:

  • Business operations freeze during crucial peak periods
  • Worker productivity drops as time is spent managing fallout
  • Client trust diminishes if sensitive data is compromised
  • Cyber insurance premiums rise sharply post-incident

On average, business email compromise drains each victim about $129,000—enough to shutter many small companies at the worst time possible.

Protect Your Holidays: Stay Secure and Stress-Free

The holiday season should mean growth and celebration—not recovering from wire fraud. A simple team briefing, clear policies, and layered security controls can keep your financial books secure from predators.

Remember: At Orion, a single verification call could have prevented a $60 million theft. With the right vigilance and basic safeguards, your business can avoid becoming the next headline.

Ready to secure your team before the New Year? Click here or call us at (541) 726-7775 to schedule a 15-Minute Discovery Call. We'll guide you through fast, practical steps to safeguard your business and ensure your holiday success isn't derailed. After all, the best gift you can give your company this season is peace of mind.