November 03, 2025
Last December, an accounts payable clerk at a mid-sized company received a puzzling, urgent text from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them immediately. Though it felt suspicious, the message appeared to come from the boss, and with holiday demands piling up, she complied. By the time she verified the request, the scammer had disappeared with the cards, and the business suffered the loss.
This type of scam is painful, but some attacks are far more destructive. That same month, Orion S.A., a Luxembourg-based chemical firm, faced a devastating fraud. An employee received what looked like routine emails requesting wire transfers, seemingly from trusted partners or colleagues. The messages felt urgent and aligned with usual operations. Without hesitation, the employee processed multiple wires.
The consequence? Cybercriminals walked away with $60 million—over half the company's yearly profits lost through these fraudulent transfers.
Think your business is too small to attract scammers? Think again. In 2023, gift card scams alone drained more than $217 million from companies, while business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday season is a prime hunting ground because criminals exploit your team's distraction, stress, and increased transaction volume.
5 Holiday Scams Every Employee Must Know to Prevent Costly Mistakes
1. "Your Boss Needs Gift Cards" (The $3,000 Text Scam)
- The Scam: Impostors impersonate executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In early 2024, 37.9% of business email compromise attacks involved gift card scams.
- How to Stop It: Enforce a strict policy requiring two approvals before purchasing gift cards. Educate employees that executives will never ask for gift cards via text.
2. Invoice and Payment Diversions (The Costly Financial Swap)
- The Scam: Fraudsters send fake "updated bank details" or hijack vendor email threads right before year-end payments. In June 2024, the Town of Arlington, MA lost nearly $500,000 to this tactic.
- How to Stop It: Always verify any banking information changes by calling a trusted number—not the one in the email. Adopt a "phone call rule" for financial transactions above $5,000.
3. Fraudulent Shipping and Delivery Alerts
- The Scam: Phishing emails or texts pretending to be UPS, FedEx, or USPS ask recipients to "reschedule delivery" via malicious links.
- How to Stop It: Train employees to navigate directly to official carrier websites, bookmarking authentic tracking pages instead of clicking unknown links.
4. Dangerous "Holiday Party" Attachments
- The Scam: Emails carry attachments such as "Holiday_Schedule.pdf" or "Party_List.xls" that install malware when opened.
- How to Stop It: Disable macros, scan all attachments, and foster a culture where employees verify unexpected files before opening.
5. Fake Holiday Fundraisers
- The Scam: Phishing sites impersonate charities or create bogus "company match" donation campaigns to steal money or sensitive data.
- How to Stop It: Distribute an approved charity list and require all donations to be made through official company channels.
Why These Scams Succeed (And How to Prevent Them)
Business tools like email, online banking, and digital payments streamline work but also open doors for scammers. These aren't your typical "Nigerian prince" emails. They're sophisticated attacks combining social engineering with detailed company research.
Companies running regular phishing simulations reduce their risks by 60%, yet many small businesses neglect employee training. While multifactor authentication blocks 99% of unauthorized access, many organizations still depend on simple passwords.
Your Holiday Security Checklist
Prepare your business before the busy season:
- The Two-Person Verification Rule: Require verbal confirmation via a separate channel for transactions exceeding set limits.
- Strict Gift Card Policy: Clearly prohibit gift card purchases requested by email or text.
- Vendor Change Validation: Confirm all banking or payment modifications by calling verified numbers on file.
- Enable Multifactor Authentication: Activate MFA on all email, banking, and cloud accounts.
- Holiday Awareness Training: Educate your team on these five scams with real-world examples to boost vigilance.
The Hidden Price: Beyond Financial Loss
Though Orion's $60 million loss dominated headlines, smaller companies suffer hidden damages that can be even more devastating:
- Business operations stall during peak season
- Productivity drops as teams scramble to recover
- Client trust is damaged if sensitive data leaks
- Insurance costs rise sharply following cyber incidents
The average loss from a business email compromise incident is $129,000—enough to shutter many small businesses at their most vulnerable time.
Keep Your Holidays Joyful and Secure
The holiday season should be a time for prosperity and celebration, not chasing fraud fallout. A focused team briefing, clear policies, and layered security measures can effectively block cybercriminals from draining your resources.
Remember: A simple phone call verification could have stopped Orion's $60 million loss. With proper awareness and straightforward safeguards, your business can avoid becoming the next cautionary example.
