November 03, 2025
Last December, an accounts payable clerk at a midsize company received an urgent text seemingly from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Although the request felt suspicious, the message bore the boss's name, and amid the holiday rush, she trusted it. Unfortunately, by the time she verified, the gift cards were gone, the scammer had vanished with the funds, and the company suffered the loss.
While such scams are painful, others can devastate an entire organization. That same month, Orion S.A., a chemical manufacturing firm based in Luxembourg, was targeted by an even more severe fraud. An employee received emails that appeared to be standard wire transfer requests, likely from trusted partners or colleagues. The messages were convincing, urgent, and consistent with usual operations. Without hesitation, multiple transfers were executed.
The outcome? A staggering $60 million funneled straight to cybercriminals—over half of Orion's annual profits lost to fraudulent wire transactions.
Think your small business is safe from these threats? Think again. Gift card scams alone cost businesses more than $217 million in 2023. Business email compromise (BEC) attacks accounted for 73% of all cyber incidents in 2024. The holiday season heightens risks, as criminals exploit the distractions, stress, and increased transaction volume your team faces.
5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Wallet)
1. "Urgent Boss Request for Gift Cards" (The $3,000 Text Scam)
- The Scam: Scammers impersonate executives and demand gift cards for "clients" or "employee rewards." In Q1 2024, nearly 38% of BEC incidents involved gift-card fraud.
- Prevention: Implement a strict policy requiring two approvals before any gift card purchase. Train your team that executives will never request gift cards via text messages.
2. Invoice and Payment Diversions (The Large-Scale Financial Frauds)
- The Scam: Cybercriminals send "updated banking details" or hijack vendor email threads right before payments are due. In June 2024, Arlington, MA, lost nearly $500,000 to this tactic.
- Prevention: Always verify banking changes by calling a known number, never the one provided in emails. Adopt a mandatory "phone call confirmation" policy for all financial changes above $5,000.
3. Fraudulent Shipping and Delivery Alerts
- The Scam: Phishing emails or texts masquerading as UPS, FedEx, or USPS with links prompting users to "reschedule deliveries."
- Prevention: Educate employees to visit official carrier websites by typing URLs directly or using bookmarks instead of clicking suspicious links.
4. Malicious Attachments Disguised as Holiday Party Details
- The Scam: Emails containing files like "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware once opened.
- Prevention: Disable macros where possible, scan all attachments, and establish a culture of verifying unexpected files before opening.
5. Fake Holiday Fundraising Campaigns
- The Scam: Phishing websites posing as charitable organizations or false "company match" drives designed to steal funds or data.
- Prevention: Circulate a vetted list of approved charities and require donations to be made exclusively through official channels.
Why These Scams Succeed and How to Defeat Them
Modern business relies on tools like email, online banking, and digital payment platforms—precisely what scammers exploit. These aren't your typical "Nigerian prince" scams; they are elaborate schemes weaving social engineering with targeted company research.
Businesses running regular phishing drills cut risks by up to 60%, yet many small companies neglect employee training. Multifactor authentication (MFA) prevents 99% of unauthorized logins, but too many still rely solely on passwords.
Essential Holiday Security Checklist
Prepare your business for the busy season with these crucial steps:
- Two-Person Verification: Ensure any transaction exceeding your threshold is verbally confirmed through a separate communication channel.
- Gift Card Protocol: Establish a clear policy forbidding gift card purchases initiated via email or text.
- Vendor Confirmation: Verify any banking or payment updates by phone using pre-existing contact numbers.
- Enable MFA: Activate multifactor authentication across all email, banking, and cloud services.
- Holiday Scam Briefings: Inform your team about these five scams, using real-world examples for clarity.
The True Impact: Beyond Financial Loss
Orion's $60 million theft grabbed headlines, but hidden consequences often wreak havoc on small businesses:
- Operations halt during critical busy periods
- Staff productivity plunges as they manage crisis aftermath
- Client trust suffers if customer data is compromised
- Cyber incident insurance costs surge afterward
With the average BEC-related business loss hitting $129,000, many small enterprises risk collapse—especially during peak seasons.
Protect Your Holidays: Keep Success, Lose the Risk
The holidays should focus on growth and celebration, not recovery from wire fraud. A brief team meeting, smart policies, and layered security measures can significantly deter criminals from accessing your funds.
Remember: The Orion employee could have prevented a $60 million loss simply by making one verification call. With proper awareness and simple safeguards, your business can stay safe and avoid becoming a cautionary story.
Ready to secure your team before the New Year? Click here or call 985-302-3083 to arrange a quick call with us. We'll guide you through practical, quick strategies to safeguard your business. Don't let cybercriminals ruin your holiday season—give your business the invaluable gift of peace of mind.