November 03, 2025
Last December, an accounts payable clerk at a midsize company received a suspicious text purportedly from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them. Though it seemed unusual, the message bearing her boss's name during the hectic holiday rush felt urgent. By the time she verified the request, the scammers had already cashed out, and the company suffered the financial loss.
A scam like this stings, but some attacks can devastate a business. In the same month, Luxembourg-based chemical firm Orion S.A. fell prey to a more severe fraud. An employee received emailed requests for what appeared to be routine wire transfers, seemingly from a trusted partner or colleague. The urgent, plausible emails matched normal procedures, leading the employee to approve multiple transfers without hesitation.
The outcome? Cybercriminals siphoned off $60 million—over half of the company's annual profits—in a series of fraudulent wire transfers.
Think your small business is safe? Think again. Gift card scams alone cost companies over $217 million in 2023, with business email compromise attacks representing 73% of cyber incidents in 2024. During the holidays, criminals exploit distractions and increased transaction volumes to launch attacks.
Top 5 Holiday Scams Your Employees Must Recognize (To Prevent Costly Losses)
1. "Your Boss Wants Gift Cards" (The $3,000 Text Scam)
- The Scam: Impersonators claim to be executives, urging staff to purchase gift cards for "clients" or "employee rewards." In Q1 2024, 37.9% of business email compromises involved such gift card scams.
- How to Defend: Implement strict company policies requiring two approvals before buying gift cards. Train your team that executives will never request gift cards via text messages.
2. Invoice & Payment Diversions (Costly Financial Frauds)
- The Scam: Fraudsters send emails with "updated bank info" or hijack vendor email threads just before year-end payments. For example, in June 2024, Arlington, MA, lost nearly $500,000 this way.
- How to Defend: Always verify banking changes by calling a known phone number, never relying on contact details supplied in the email. Adopt a "phone call approval" policy for financial changes above $5,000.
3. Fake Shipping or Delivery Alerts
- The Scam: Phishing emails or texts impersonate UPS, FedEx, or USPS, offering links to "reschedule delivery" that lead to malicious sites.
- How to Defend: Instruct employees to access shipment trackers only by typing the carrier's official website URL directly into the browser or using bookmarks to avoid phishing links.
4. Malicious Attachments Tied to Holiday Events
- The Scam: Emails featuring attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that infect systems with malware when opened.
- How to Defend: Disable macros, scan attachments thoroughly, and cultivate a culture where employees verify unexpected files before opening.
5. Fake Holiday Fundraising Schemes
- The Scam: Fraudulent websites mimicking charities or fake "company match" campaigns designed to steal money or sensitive data.
- How to Defend: Provide an approved charity list and require that all donations be processed only through official company portals.
Why These Scams Succeed and How You Can Stop Them
While tools like email, online banking, and digital payments streamline business, these same systems are exploited by cybercriminals. These are not crude scams—they're advanced social engineering attacks crafted using detailed research about your organization.
Companies conducting regular phishing simulations reduce their risk by 60%, yet many small businesses forgo employee training. Multifactor authentication blocks 99% of unauthorized logins, but numerous firms still rely solely on passwords.
Your Essential Holiday Security Checklist
Prepare before the holiday rush with these vital steps:
- The Two-Person Rule: Require verbal confirmation through a different communication channel for any transaction exceeding your set threshold.
- Strict Gift Card Policy: Enforce a written policy forbidding gift card purchases via email or text.
- Vendor Validation: Always verify any banking or payment information changes by calling numbers already on file.
- Enable Multifactor Authentication: Apply MFA across all email, banking, and cloud services.
- Raise Holiday Awareness: Educate your staff on these five scams using real-world examples.
The True Price: Beyond Financial Loss
Though Orion's $60 million cyber theft attracted headlines, smaller enterprises often bear hidden damages:
- Disrupted operations during critical peak periods
- Lost productivity as employees remediate breaches
- Damaged customer trust following data breaches
- Rising insurance premiums after cyber incidents
With an average business email compromise costing $129,000, many small companies face existential threats, especially during the holiday season.
Enjoy a Safe and Stress-Free Holiday Season
The holidays should be about growth and celebration—not costly wire fraud cleanups. A quick team meeting, clear policies, and layered security steps dramatically reduce your risk of falling victim.
Remember: The employee at Orion could have prevented a $60 million theft with a simple verification call. With the right vigilance and practical steps, your business can avoid becoming the next cautionary headline.
Ready to secure your business before the New Year? Call us at 507-718-4288 to schedule a 15-Minute Call. We'll guide you through straightforward, effective strategies to safeguard your business. Protect your holiday success and give your company the priceless gift of peace of mind.
