The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize company received an alarming text message supposedly from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them immediately. Although it felt suspicious, the request bore the boss's name and came amid the hectic holiday season. By the time she verified, the scammer had already drained the funds, leaving the company to suffer the loss.

While that scam was painful, some attacks can devastate a business completely. In the same month, Orion S.A., a Luxembourg chemical manufacturer, fell prey to a far more catastrophic fraud. An employee received what looked like standard, urgent email requests for wire transfers—seemingly from trusted colleagues or partners. Without hesitation, the employee executed multiple transfers as directed.

The outcome? A staggering $60 million diverted straight to cybercriminals—over half of the company's annual profit wiped out by fraudulent wire transfers.

Think your small business is safe? Think again. Gift card scams alone cost businesses more than $217 million in 2023, while business email compromise (BEC) accounted for 73% of all cyber incidents in 2024. The holiday rush is a prime season for scammers who know your team is distracted, stressed, and handling a surge of transactions.

Top 5 Holiday Scam Alerts Your Employees Must Know to Prevent Costly Losses

1. "Urgent Boss Request for Gift Cards" (The $3,000 Text Deception)

  • Scam Overview: Impersonators masquerade as executives pressing staff to buy gift cards for "clients" or "employee rewards." Gift card scams made up 37.9% of BEC incidents in early 2024.
  • Defense Strategy: Enforce a strict policy requiring dual approvals for gift card purchases. Train employees that company leaders will never request gift cards via text.

2. Invoice & Payment Diversion Scams (The High-Stakes Switch)

  • Scam Description: Cybercriminals send fake "updated banking info" or hijack vendor emails at critical billing times. For example, in June 2024, Arlington, MA, lost nearly $500,000 due to this fraud.
  • How to Prevent: Always verify banking changes by calling a known phone number—not the one in the email. Implement a "phone call rule" for all financial changes exceeding $5,000.

3. Fake Shipping Notifications

  • Scam Tactic: Deceptive emails or texts impersonate UPS, FedEx, or USPS asking recipients to "reschedule delivery" via malicious links.
  • Protection Measures: Educate staff to always type carrier URLs manually and bookmark official tracking sites to avoid phishing links.

4. Harmful "Holiday Party" Email Attachments

  • Scam Details: Emails containing attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware when opened.
  • Preventive Action: Disable macros, scan all attachments thoroughly, and promote a culture of verifying unexpected files before opening.

5. Fraudulent Holiday Fundraisers

  • The Scam: Fake charity websites or bogus "company match" donation drives aiming to steal money or sensitive data.
  • How to Stay Safe: Provide a vetted list of approved charities and ensure all donations go through official channels.
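As an added illustration (not part of the original article), the sketch below turns the warning signs from scams 1 through 4 into a mail-triage check that a filter or reporting mailbox could run on a raw message. The company domain, executive name, carrier domain list, keyword patterns and flag names are all assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none of these come from the article.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana smith"}
CARRIERS = {"ups.com", "fedex.com", "usps.com"}
MACRO_EXT = (".xls", ".xlsm", ".doc", ".docm")
GIFT_CARD = re.compile(r"gift\s*cards?", re.I)
BANK_CHANGE = re.compile(
    r"(updated|new|changed)\s+(bank(ing)?|account|wire|payment)\s+(info\w*|details|instructions)", re.I)
CARRIER_NAME = re.compile(r"\b(ups|fedex|usps)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

# Constructed sample: external sender borrowing an executive's display name.
SAMPLE = (
    "From: Dana Smith <dana.smith.ceo@mail.example.net>\n"
    "To: ap@example.com\n"
    "Subject: Quick favor\n\n"
    "Buy $3,000 in Apple gift cards for clients and email me the codes.\n"
)

def official(host: str) -> bool:
    """True if the host is a listed carrier domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in CARRIERS)

def flag_message(raw: str) -> list[str]:
    """Return the scam indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    files = [(p.get_filename() or "").lower() for p in leaves]
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in leaves if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}"
    hosts = [h.lower() for h in URL_HOST.findall(text)]
    checks = {
        "executive-name-from-external-address":
            name.lower() in EXECUTIVES and not addr.lower().endswith("@" + COMPANY_DOMAIN),
        "gift-card-request": bool(GIFT_CARD.search(text)),
        "banking-change-needs-callback": bool(BANK_CHANGE.search(text)),
        "carrier-lookalike-link":
            bool(CARRIER_NAME.search(text)) and any(not official(h) for h in hosts),
        "macro-capable-attachment": any(f.endswith(MACRO_EXT) for f in files),
    }
    return [flag for flag, hit in checks.items() if hit]

if __name__ == "__main__":
    print(flag_message(SAMPLE))
```

A flag here is a prompt for the out-of-band verification described above, not a verdict; a message with no flags can still be fraudulent.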

Why These Scams Succeed & How to Counteract Them

Today's business tools—email, online banking, digital payments—are exactly what scammers exploit. These are not outdated "Nigerian prince" scams but highly sophisticated operations that combine social engineering with intel about your company.

Organizations conducting regular phishing drills reduce risks by 60%. Still, many small businesses lack employee training. Multifactor authentication (MFA) can block 99% of unauthorized access, yet many rely solely on passwords.

Your Essential Holiday Security Checklist

Prepare your team and systems with these key steps before holiday volume peaks:

  • Two-Person Rule: Require verbal confirmation via a separate channel for transactions above your set limit.
  • Gift Card Policy: Establish and communicate a rule that no gift cards are purchased in response to email or text requests.
  • Vendor Verification: Always validate changes in payment info by calling known contacts.
  • Enable Multifactor Authentication: Protect all email, financial, and cloud accounts with MFA.
  • Holiday Scam Awareness: Educate your team on these five holiday scams using real-world examples.

The True Toll: Beyond Just Monetary Loss

While the $60 million theft at Orion made headlines, smaller businesses often bear even heavier hidden costs, including:

  • Operational shutdowns during critical peak periods
  • Lost productivity as teams scramble to resolve incidents
  • Damaged customer trust if sensitive data is leaked
  • Increased insurance costs following cyber breaches

The average business email compromise loss of $129,000 can devastate smaller firms, especially during the high-stakes holiday season.

Keep Your Holiday Season Joyful & Fraud-Free

The holidays should focus on growth and celebration—not recovering from wire fraud. A simple team meeting, clear policies, and layered security measures significantly enhance your defense against cyber threats.

Remember, the Orion employee could have stopped a $60 million loss with a single verification call. With the right knowledge and basic checks, your business can avoid becoming the next cautionary headline.

Ready to secure your team before the New Year? Click here or call us at 630-895-8208 to schedule a Consult. We'll guide you through practical, fast solutions to protect your business. The best holiday gift is peace of mind—don't let cybercriminals spoil your season.