
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a mid-sized company's accounts payable clerk received an urgent and unusual text from someone impersonating the "CEO": purchase $3,000 in Apple gift cards for clients, scratch off the codes, and e-mail them immediately. Although she was suspicious, the hectic holiday rush and the apparent legitimacy of the message led her to comply. By the time she verified the request, the fraudster had vanished with the money, leaving the company to absorb the loss.

Such scams are painful, but some are far more damaging. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a much larger fraud. An employee received what seemed to be standard urgent wire transfer requests, appearing to come from trusted colleagues or partners. Without delay, multiple transfers were sent.

The devastating outcome? Cybercriminals walked away with $60 million—over half of the company's yearly profits lost through fraudulent wire transfers.

Think your small business won't be targeted? Think again. In 2023 alone, gift card scams cost companies more than $217 million, and business e-mail compromise (BEC) attacks represented 73% of cyber incidents in 2024. The holiday season is a prime target since employees are busy, distracted, and handling increased transaction volumes.

5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Funds)

1. "Urgent Gift Card Requests from Execs" (The $3,000 Text Trap)

  • The Scheme: Cyber imposters pose as company leaders, ordering staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, nearly 38% of all BEC incidents involved gift card fraud.
  • How to Prevent: Enforce a strict policy: two levels of approval before any gift card purchase. Train staff that executives never request gift cards via text messages.

2. Invoice and Payment Alterations (The Costly Financial Switch)

  • How It Works: Fraudsters send fake "updated banking details" or compromise vendor communications right before payments are due. For example, Arlington, MA lost almost $500,000 in June 2024 to this scam.
  • Protection Tips: Always verify banking changes via a trusted phone number—not the one provided in the suspicious email. Establish a "phone call rule" for all financial changes exceeding $5,000.

3. Fraudulent Shipping and Delivery Alerts

  • Scam Tactic: Phishing emails or texts pretending to be from USPS, UPS, or FedEx ask recipients to "reschedule delivery" through misleading links.
  • How to Stay Safe: Train employees not to click links in delivery messages. Instead, they should type the carrier's official website address directly into the browser or use bookmarked, trusted tracking pages.
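
An added example (not from the original article) showing why eyeballing a delivery link is unreliable: a Python check, usable in a mail filter or by a help desk, that accepts only hosts on the carriers' own domains. The carrier domain list, the function names, and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand token -> registrable domain for the carriers named above.
CARRIERS = {"usps": "usps.com", "ups": "ups.com", "fedex": "fedex.com"}

def classify_delivery_link(url):
    """Return 'official', 'impersonation' or 'not-carrier' for one link."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return "not-carrier"
    if parts.scheme not in ("http", "https") or not host:
        return "not-carrier"
    # Official only if the host IS the carrier domain or a true subdomain of it
    # (note the leading dot), and nothing is hidden before an '@'.
    on_carrier_domain = any(
        host == d or host.endswith("." + d) for d in CARRIERS.values()
    )
    if on_carrier_domain and not has_userinfo:
        return "official"
    # A carrier name anywhere else in the authority part is a lure.
    tokens = set(re.split(r"[.\-@:]", parts.netloc.lower()))
    if tokens & set(CARRIERS):
        return "impersonation"
    return "not-carrier"

# Constructed sample links; the .example hosts are reserved placeholders.
SAMPLE_LINKS = [
    "https://tools.usps.com/go/TrackConfirmAction",       # real carrier host
    "https://usps.com.track-delivery.example/reschedule", # brand as subdomain
    "https://www.ups.com@parcel-update.example/r",        # brand before '@'
    "https://fedex-reschedule.example/track",             # brand in hostname
    "https://groups.example/ups",                         # brand only in path
]

def triage(links):
    """Map each link to its classification."""
    return {link: classify_delivery_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:14} {link}")
```

Anything other than "official" should be treated as untrusted; misspelled or look-alike-character domains fall into "not-carrier" here, which is why the allow-list, not the keyword match, is the control.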

4. Dangerous "Holiday Party" Attachments

  • Malicious Content: Emails containing attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that secretly install malware upon opening.
  • Mitigation Steps: Block macros, scan all attachments carefully, and build a culture where employees verify unexpected files before opening.

5. Fake Holiday Fundraisers

  • The Fraud: Phishing websites masquerade as legitimate charities, or solicit donations through false "company match" programs, to steal money or sensitive data.
  • What to Do: Maintain and share a verified charity list, and mandate that all donations funnel through official company portals.

Why These Scams Succeed (and How to Shield Your Business)

The very digital tools that boost business productivity—email, online banking, and digital payments—are precisely what scammers manipulate. These are not outdated "Nigerian prince" scams; they are highly sophisticated attacks combining social engineering with detailed research on your company.

Companies conducting regular phishing awareness simulations reduce their risk by 60%, yet many small businesses neglect this essential training. Multifactor authentication (MFA) can block 99% of unauthorized access attempts, but many organizations still depend solely on passwords.

Your Must-Do Holiday Security Checklist

Prepare your company before the busy season ramps up:

  • The Two-Person Rule: Require verbal confirmation via a separate communication method for any transaction above your set threshold.
  • Gift Card Policy: Establish a clear written rule forbidding gift card requests through email or texts.
  • Vendor Verification: Always confirm any vendor banking or payment changes using pre-existing phone numbers.
  • Enable MFA: Activate multifactor authentication on all email, banking, and cloud service accounts.
  • Holiday Scam Awareness: Educate your team on these top five scams using real-world examples.

The Real Impact: Beyond Just Financial Loss

While Orion's $60 million theft made global headlines, smaller businesses often suffer impacts even harder to recover from, including:

  • Disruption to critical operations during peak sales periods
  • Decline in productivity as staff divert efforts to damage control
  • Loss of customer trust if sensitive data is breached
  • Increased insurance premiums following cyber incidents

On average, companies lose $129,000 per BEC incident, a devastating blow for many small businesses, especially during the holidays.

Keep Your Holidays Safe and Stress-Free

The holiday season should be for growth and celebration—not scrambling to fix wire fraud damages. A quick team briefing, smarter policies, and layered security measures create a powerful shield against cybercriminals.

Remember: A simple phone verification could have stopped Orion's $60 million loss. With heightened awareness and straightforward safeguards, your business can avoid becoming a cautionary tale.

Ready to protect your team before the New Year? Click here or call us at 801-356-9333 to schedule a 15-Minute Discovery Call. We'll guide you through practical, effective steps to secure your business and ensure your holiday success remains untouched.