The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a midsize company's accounts payable clerk received a surprising and urgent text allegedly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Though suspicious, the message bore the boss's name and holiday chaos was in full swing. By the time she confirmed, the scammer had vanished with the gift cards, leaving the company to bear the financial loss.

This scam was costly, but some attacks can devastate businesses. For instance, in the same month, Orion S.A., a Luxembourg chemical manufacturer, faced a far graver deception. An employee received seemingly routine wire transfer emails, appearing to come from trusted colleagues or partners. The requests felt genuine and urgent, mirroring typical business activities. The employee executed multiple wire transfers without hesitation.

The impact? Cybercriminals stole $60 million—over half of Orion's annual profits—in a series of fraudulent wire transfers.

Think your small business is safe from such threats? Think again. In 2023 alone, gift card scams cost businesses more than $217 million, and by 2024, business email compromise (BEC) attacks made up 73% of cyber incidents. The holiday season creates the perfect distraction, as teams manage increased transactions amid stress.

Top 5 Holiday Scams Your Employees Must Recognize to Avoid Massive Losses

1. "CEO Gift Card Requests"—The $3,000 Text Scam

  • The Scam: Impersonators pretend to be executives, urging staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, nearly 38% of BEC attacks involved gift card fraud.
  • How to Prevent: Enforce a strict company policy requiring two independent approvals before purchasing gift cards. Train employees that no executive will request gift cards via text.

2. Invoice and Payment Hijacking—The High-Stakes Money Grab

  • The Scam: Scammers send fake "updated banking information" or infiltrate vendor email exchanges just as big bills are due. For example, in June 2024, Arlington, MA lost nearly $500,000 through this tactic.
  • How to Prevent: Always verify banking changes by calling a known, trusted phone number—not the one in the email. Adopt a mandatory phone confirmation for all financial changes over $5,000.

3. Fake Shipping and Delivery Notices

  • The Scam: Phishing emails or texts impersonate carriers like UPS, FedEx, or USPS, containing links to "reschedule deliveries."
  • How to Prevent: Teach employees to visit carrier websites directly by typing URLs or using bookmarks, rather than clicking suspicious links.

4. Malicious Holiday Party Attachments

  • The Scam: Emails bearing attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that secretly install malware if opened.
  • How to Prevent: Block macros, ensure attachment scanning is in place, and foster a culture where verifying unexpected files is standard.

5. Fraudulent Holiday Fundraisers

  • The Scam: Phishing sites impersonate charities or fake "company matching" campaigns to steal funds or sensitive data.
  • How to Prevent: Provide an approved charity list and require all donations be processed exclusively through official portals.

Why These Scams Succeed and How to Defend Against Them

The digital tools that streamline business—email, online banking, digital payments—are exploited by scammers using highly sophisticated social engineering backed by targeted company research. These aren't generic scams; they are crafted to fool even vigilant professionals.

Organizations that perform regular phishing simulations reduce their risk by 60%, yet many small businesses neglect such training. Multifactor authentication (MFA) prevents 99% of unauthorized access, but numerous companies rely solely on passwords.

Your Essential Holiday Security Checklist

Prepare now before the holiday rush:

  • Two-Person Verification: Require verbal confirmation through a separate channel for any transaction exceeding your set threshold.
  • Gift Card Policy: Enforce a strict rule that no gift cards are purchased in response to an email or text request.
  • Vendor Verification: Confirm all payment or bank info changes by phone using numbers already on file.
  • Activate MFA Everywhere: Apply multifactor authentication across all email, banking, and cloud systems.
  • Holiday Scam Awareness: Educate your team on these five scams using real-world examples.

The True Costs Exceed Monetary Loss

Though Orion's $60 million theft grabbed headlines, smaller firms often face even harsher hidden consequences:

  • Severe disruption during critical peak season
  • Lost productivity as teams handle damage control
  • Damaged client trust if sensitive data is exposed
  • Increased insurance costs following cyber incidents

On average, each business email compromise incident costs $129,000, an amount that can devastate smaller businesses, especially during crucial year-end periods.

Keep Your Holidays Joyful and Secure

The holiday season should be about growth and celebration—not financial disasters caused by fraud. A brief team meeting, clear policies, and layered security can dramatically protect your business accounts.

Remember, a simple verification call could have prevented Orion's $60 million loss. With the right training and safeguards, your business can avoid becoming a cautionary tale.

Ready to fortify your team before the New Year? Call us at 833-863-2120 to arrange a consult where we'll guide you through straightforward, effective steps to safeguard your business. Don't let cybercriminals ruin your holiday success; the ultimate gift this season is peace of mind.