
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a mid-sized company's accounts payable clerk received an urgent text impersonating her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Although it seemed suspicious, the message appeared to come from her boss during the hectic holiday season. By the time she verified, the gift cards were already used, the scammer had vanished, and the business suffered the financial loss.

This type of scam can be damaging, but some attacks can devastate a business completely. That same month, Luxembourg-based chemical manufacturer Orion S.A. fell prey to a far more severe fraud. An employee received what looked like routine wire transfer requests via email, seemingly from trusted partners or colleagues. The instructions were urgent and appeared consistent with regular business. Without questioning them, the employee executed multiple wire transfers.

The outcome? Cybercriminals siphoned $60 million—over half the company's annual profits—through a series of sophisticated fraudulent transfers.

Think your small business is safe from these threats? Think again. Businesses lost more than $217 million to gift card scams in 2023 alone, and up to 73% of all cyber incidents in 2024 were business email compromise (BEC) attacks. The holiday season is a prime period for scammers, who exploit the distractions, stress, and increased financial activity your team faces.

Top 5 Holiday Scams Your Employees Must Recognize Before They Drain Your Budget

1. "Your Boss Needs Gift Cards" Scam (The $3,000 Text Trap)

  • About the scam: Fraudsters impersonate executives, pushing employees to buy gift cards for "clients" or "appreciation." In Q1 2024, nearly 38% of BEC incidents involved gift card scams.
  • How to prevent: Implement strict company policies requiring dual approvals before purchasing any gift cards. Educate your team that executives will never request gift cards via text message.

2. Fake Invoice & Payment Changes (The High-Stakes Switch)

  • About the scam: Cybercriminals send fake "updated banking information" or hijack vendor email threads during billing cycles. For example, Arlington, MA lost nearly $500,000 in June 2024 due to this scheme.
  • How to prevent: Always verify banking or payment changes by calling established phone numbers—not those provided in emails. Enforce mandatory verbal confirmation for all financial transactions exceeding $5,000.

3. Fraudulent Shipping & Delivery Alerts

  • About the scam: Phishing emails or texts pretend to be UPS, FedEx, or USPS, urging recipients to click links to "reschedule" deliveries.
  • How to prevent: Train employees to avoid clicking links in such messages. Instead, visit the carrier's official website directly or bookmark legitimate tracking pages.

4. Malicious Holiday Party Email Attachments

  • About the scam: Emails containing attachments named "Holiday_Schedule.pdf" or "Party_List.xls" can install malware once opened.
  • How to prevent: Block macros, scan all email attachments rigorously, and make verifying unexpected files a routine part of your culture.

5. Fake Holiday Fundraiser Scams

  • About the scam: Phishing websites imitate charities or fictitious "company match" campaigns to steal donations or sensitive data.
  • How to prevent: Distribute an approved charity list and require all donations to be processed through official company channels.

Why These Attacks Succeed and How to Defend Your Business

The very tools that streamline your operations—like email, online banking, and digital payments—are exploited by cybercriminals. These aren't crude scams; they're calculated attacks that combine social engineering with targeted research on your company.

Companies that conduct regular phishing drills cut their risk by 60%, yet many small businesses overlook employee cybersecurity training. While multifactor authentication (MFA) blocks 99% of unauthorized access, many still rely solely on passwords.

Your Essential Holiday Cybersecurity Checklist

Prepare your team before the holiday rush with these crucial steps:

  • The Two-Person Rule: Require verbal confirmation via a separate communication channel for any transaction above your set limit.
  • Strict Gift Card Policy: Establish a written policy that forbids purchasing gift cards through email or text.
  • Vendor Payment Verification: Confirm any banking or payment information changes by calling known contacts from existing records.
  • Use Multifactor Authentication: Enable MFA across all email, banking, and cloud platforms.
  • Holiday Scam Awareness: Educate your employees on these five scams using real-world examples.

The True Impact: Beyond Financial Loss

While Orion's $60 million loss grabbed headlines, smaller businesses often suffer even harsher consequences:

  • Business operations slowed or halted during peak seasons
  • Decline in productivity as staff deal with fallout
  • Erosion of customer trust if data breaches occur
  • Higher insurance premiums following cyber incidents

The average loss from each business email compromise incident is $129,000—an amount that can destroy many small companies during the busiest time of year.

Keep Your Holidays Secure, Stress-Free, and Profitable

The holidays are meant for growth and celebration, not financial disasters caused by wire fraud. Holding a quick team meeting, implementing a few key policies, and layering your security can dramatically reduce your risk.

Remember, the employee at Orion could have prevented the $60 million theft by making one verification call. With heightened awareness and simple precautionary steps, your business can steer clear of becoming another cybercrime headline.

Ready to safeguard your team before the New Year? Call us at 281-402-2620 to schedule a 15-Minute Discovery Call. We'll guide you through straightforward, effective strategies to protect your business. Don't let cybercriminals hijack your holiday success; the best gift you can give your business this season is peace of mind.