The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize company received a suspicious text from someone claiming to be the "CEO": "Purchase $3,000 in Apple gift cards for clients, scratch the backs, and email the codes." Though it sounded unusual, the message appeared to come from the boss, and with holiday chaos in full swing, the employee complied. By the time they realized the fraud, the gift cards were redeemed, and the company suffered the loss.

While this scam was costly, some attacks can devastate a business completely. That same December, Orion S.A., a chemical manufacturer based in Luxembourg, fell prey to a much more severe scam. An employee received emails that mimicked legitimate wire transfer requests, seemingly from trusted colleagues or partners. The requests appeared urgent and routine, prompting the employee to approve multiple transfers without hesitation.

The outcome? Cybercriminals siphoned $60 million—over half the company's annual profits—through fraudulent wire transfers.

Think your small business is safe from such attacks? Think again. Gift card scams alone cost businesses more than $217 million in 2023, and business email compromise attacks accounted for 73% of cyber incidents in 2024. The holidays provide an ideal window for criminals, as teams are distracted, stressed, and processing a higher volume of transactions.

5 Critical Holiday Scams Every Employee Must Recognize to Protect Your Business

1. "The Boss Needs Gift Cards" Scam (The $3,000 Trap)

  • The Scam: Fraudsters impersonate executives, pressuring employees to buy gift cards for "clients" or as "appreciation gifts." In Q1 2024, 37.9% of business email compromises involved such gift card scams.
  • How to Prevent: Establish a strict company policy requiring two approvals for gift card purchases. Educate staff that executives never request gift cards via text messages.

2. Invoice & Payment Diversion Schemes (The Costly Deception)

  • The Scam: Criminals send emails with "updated bank details" or hijack vendor email chains right before year-end payments are due. For example, in June 2024, the Town of Arlington, MA lost nearly half a million dollars from this scam.
  • How to Prevent: Confirm any changes to banking info by calling a trusted phone number, never relying on information from the email itself. Implement a "phone call verification" rule for all financial transactions over $5,000.

3. Fake Shipping and Delivery Alerts

  • The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS, offering links to "reschedule delivery."
  • How to Prevent: Train your team to visit carrier websites directly by typing the URL or using bookmarked official tracking pages instead of clicking suspicious links.

4. Malicious Holiday Party Attachments

  • The Scam: Emails with file attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that secretly install malware when opened.
  • How to Prevent: Block macros, scan all attachments for threats, and cultivate a culture where verifying unexpected or unusual files is standard practice.

5. Fake Holiday Fundraiser Scams

  • The Scam: Phishing websites impersonate charities or false "company match" donation campaigns to steal money or personal details.
  • How to Prevent: Provide employees with an approved charity list and require donations to be made exclusively through official channels.

Understanding Why These Scams Succeed and How to Stop Them

Cybercriminals exploit the very tools that streamline business, such as email, online banking, and digital payment systems. These scams are highly sophisticated, leveraging social engineering and detailed research on your company—not outdated "Nigerian prince" schemes.

Companies that conduct regular phishing drills reduce their risk by up to 60%, but many small businesses fail to train their employees. Multifactor authentication can block 99% of unauthorized access, yet numerous organizations still rely on passwords alone.

Your Essential Holiday Cybersecurity Checklist

Prepare your business for the holiday season with these key steps:

  • The Two-Person Verification Rule: Require verbal confirmation via a separate communication channel for any transaction exceeding your set limit.
  • Strict Gift Card Policy: Clearly document that gift card purchases are prohibited via email or text.
  • Vendor Payment Confirmation: Verify all banking or payment information changes by calling verified phone numbers already on file.
  • Enable Multifactor Authentication: Activate MFA across all email, banking, and cloud services.
  • Holiday Scam Awareness Training: Educate your team about these five scams using real-world examples.

The True Price of Cybercrime: Beyond Financial Losses

While Orion's $60 million theft made headlines, the unseen impacts tend to be even more damaging for small businesses:

  • Disrupted operations during critical seasons
  • Lost productivity as employees manage damage control
  • Damaged customer trust if sensitive data is breached
  • Rising cyber insurance premiums post-incident

With an average loss of $129,000 per business email compromise incident, many small businesses risk closure—often at the worst time of year.

Keep Your Holiday Season Secure and Joyful

Holidays should be filled with growth and celebration—not tangled in fraud investigations. A simple team briefing, clear policies, and layered security measures can effectively keep attackers out of your finances.

Remember: The Orion employee could have prevented a $60 million breach with just one verification call. With awareness and basic safeguards, your business can avoid becoming the next cautionary headline.

Ready to secure your team before the New Year? Call us at 332-217-0601 to speak to an expert; we'll guide you through effective, practical steps to safeguard your business. Don't let cybercriminals steal your holiday success; the best gift this season is peace of mind.