November 03, 2025
Last December, a diligent accounts payable clerk at a midsize company received a suspicious text supposedly from her "CEO": Purchase $3,000 worth of Apple gift cards for clients, scratch off the codes, and send them via email. Despite the odd timing during the hectic holiday season, the message appeared legitimate. By the time the clerk verified the request, the gift cards had already been cashed in by the scammers, leaving the company with a costly lesson.
This scam, while painful, pales in comparison to others that can devastate a business. That same month, Luxembourg's Orion S.A., a chemical manufacturer, fell prey to a far more costly fraud. An employee received email requests resembling routine wire transfer instructions, seemingly from trusted colleagues or partners. The requests carried a sense of urgency and matched normal business demands, which convinced the employee to authorize multiple transfers without hesitation.
The outcome? $60 million diverted to cybercriminals—over half of Orion's annual profits wiped out in a series of fraudulent wire transfers.
If you believe your small business isn't a target, reconsider. In 2023, gift card scams alone drained more than $217 million from businesses, while business email compromise attacks accounted for nearly three-quarters (73%) of cyber incidents in 2024. The holidays amplify these threats, as distracted, busy teams process elevated transaction volumes under stress.
5 Critical Holiday Scams Your Employees Must Recognize Before They Cost You Thousands
1. "Your Boss Needs Gift Cards" (The $3,000 Text Trap)
- The Scam: Impersonators pose as executives, pressuring staff to purchase gift cards "for clients" or "employee appreciation." In Q1 2024, gift card scams accounted for 37.9% of business email compromise incidents.
- Prevention: Enforce strict policies that require dual approvals for any gift card purchases. Educate employees that legitimate requests will never come via text.
2. Invoice & Payment Details Hijacking (The Large-Scale Money Grab)
- The Scam: Cybercriminals send fake banking updates or take over vendor email threads at critical billing times. For example, Arlington, MA, lost nearly $500,000 in June 2024 to such fraud.
- Prevention: Always verify banking changes through an independently confirmed phone number—not the one in the email. Implement a policy mandating phone verification for all financial modifications exceeding $5,000.
3. Deceptive Shipping and Delivery Alerts
- The Scam: Phishing emails or texts masquerade as UPS, FedEx, or USPS with links to "reschedule delivery," aiming to lure clicks to malicious sites.
- Prevention: Train employees to access carrier tracking by typing URLs directly into browsers and bookmarking official tracking pages, avoiding risky links.
4. Malicious Holiday Party Attachments
- The Scam: Emails carry attachments such as "Holiday_Schedule.pdf" or "Party_List.xls" that deploy malware when opened.
- Prevention: Block macros, scan all attachments, and cultivate a culture where verifying unexpected files is mandatory.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites impersonate charities or fabricate "company match" campaigns to deceive employees into handing over data or money.
- Prevention: Distribute an official charity list, and require all donations to route through verified portals only.
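The five lures above share a handful of observable tells: a known executive's name on an unfamiliar address, gift-card language, a Reply-To that silently redirects a vendor thread, banking-change wording, a carrier brand inside a hostname the carrier does not own, and macro-capable attachments. The screener below, added here as an illustration and not code from the original post, turns those tells into flags that a mail gateway or a help-desk triage script could raise. The company domain, the executive directory, the carrier list and all four sample messages are constructed for the example.

```python
"""Heuristic screening of inbound mail for the holiday-season lures described above.

Added example, not from the original post. The internal domain, executive
directory, carrier domains and sample messages are all constructed.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"                        # assumed internal domain
EXECUTIVES = {"Jane Doe": "jane.doe@example-co.com"}     # assumed directory entry
CARRIER_DOMAINS = {"ups.com", "fedex.com", "usps.com"}   # real carriers, used as brands
GIFT_CARD_RE = re.compile(r"gift\s*card|itunes|apple\s+card", re.I)
BANK_CHANGE_RE = re.compile(r"(new|updated?)\s+(bank|account|wire|routing)", re.I)
MACRO_EXTS = (".xls", ".xlsm", ".doc", ".docm", ".pptm")


def _domain(addr):
    """Domain part of an RFC 5322 address, lower-cased."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def _registrable(host):
    """Crude last-two-labels approximation; production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_carrier(url):
    """Return the carrier a hostname imitates, or None if it is the carrier's own domain
    (or mentions no carrier brand at all)."""
    host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
    if _registrable(host) in CARRIER_DOMAINS:
        return None
    for carrier in CARRIER_DOMAINS:
        brand = carrier.split(".")[0]
        # brand must stand alone as a label or hyphenated part ("ups-redelivery", not "groups")
        if re.search(rf"(^|[.-]){brand}([.-]|$)", host):
            return carrier
    return None


def screen_message(msg):
    """Return the list of policy flags raised by one message.

    msg is a dict with keys: from, reply_to, subject, body, links, attachments.
    """
    flags = []
    display, addr = parseaddr(msg["from"])
    from_domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"

    # 1. Executive impersonation: a directory name on an address that is not the directory's.
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display].lower():
        flags.append("exec_impersonation")
    # 1b. Gift-card purchase requests are never legitimate by mail or text under the policy.
    if GIFT_CARD_RE.search(text):
        flags.append("gift_card_request")
    # 2. A hijacked vendor thread often redirects replies to a lookalike mailbox.
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply_to_mismatch")
    # 2b. Any change of banking details must be confirmed by phone, so surface it.
    if BANK_CHANGE_RE.search(text):
        flags.append("bank_change_request")
    # 3. Delivery lures: a carrier brand in a hostname the carrier does not own.
    if any(lookalike_carrier(u) for u in msg.get("links", [])):
        flags.append("carrier_lookalike")
    # 4. Macro-capable attachments.
    if any(a.lower().endswith(MACRO_EXTS) for a in msg.get("attachments", [])):
        flags.append("macro_attachment")
    return flags


# Constructed sample messages, one per lure plus one benign control.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example-co-mail.com>", "reply_to": None,
     "subject": "Quick favor",
     "body": "Can you pick up $3,000 in Apple gift cards for clients today and send me the codes?",
     "links": [], "attachments": []},
    {"from": "Accounts <ap@trusted-vendor.com>", "reply_to": "ap@trusted-vendor.co",
     "subject": "RE: December invoice",
     "body": "Please use our updated bank details for the December invoice.",
     "links": [], "attachments": []},
    {"from": "UPS Delivery <noreply@ups-redelivery.net>", "reply_to": None,
     "subject": "Delivery attempt failed",
     "body": "Your package could not be delivered. Reschedule using the link and see the attached list.",
     "links": ["http://ups-redelivery.net/track?id=1"], "attachments": ["Party_List.xls"]},
    {"from": "Jane Doe <jane.doe@example-co.com>", "reply_to": None,
     "subject": "Holiday schedule",
     "body": "Schedule attached; the client shipment tracking link is below.",
     "links": ["https://www.ups.com/track?id=1"], "attachments": ["Holiday_Schedule.pdf"]},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["subject"], "->", screen_message(sample) or "clean")
```

The flags are deliberately coarse: they are meant to route a message to a human who then applies the verification rules above, not to block mail on their own. The `_registrable` helper is the weakest part and is marked as such; a real deployment would use a public-suffix library so that multi-label TLDs are handled correctly.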
Why These Attacks Succeed and How You Can Stop Them
Cybercriminals exploit the very technologies that streamline business—email, online banking, and digital payments. These sophisticated social engineering attacks, backed by targeted company research, bear no resemblance to outdated "Nigerian prince" scams.
Companies conducting regular phishing drills can reduce risks by 60%, yet many small businesses skip employee training altogether. Similarly, enabling multifactor authentication (MFA) blocks 99% of unauthorized access, but numerous firms still depend solely on passwords.
Your Essential Holiday Security Checklist
Prepare your team for the busy season with these vital steps:
- Two-Person Rule: Require verbal confirmation through separate channels for any transaction exceeding your designated limit.
- Gift Card Policy: Codify a strict rule banning gift card requests via email or text.
- Vendor Verification: Double-check all banking and payment changes over the phone, using pre-verified contact numbers.
- Multifactor Authentication: Activate MFA on all email, banking, and cloud accounts.
- Holiday Awareness: Educate your team with real-world examples of these five scams to enhance vigilance.
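The two-person rule and vendor verification items above are easy to state and easy to get subtly wrong: the most common failure is "verifying" a banking change by calling the phone number printed in the very email that requested it. The release check below is an added example, not code from the original post, that encodes the checklist as a gate an accounts payable system could run before a payment leaves. The $5,000 threshold is the one the post cites for phone verification; the vendor file, the approver names and the three sample requests are constructed.

```python
"""Payment release gate implementing the two-person rule and vendor verification.

Added example, not from the original post. The vendor master file, the
approver names and the sample requests are constructed; the threshold is the
post's own $5,000 phone-verification limit.
"""
from dataclasses import dataclass, field
from typing import List, Optional

APPROVAL_THRESHOLD = 5_000.00

# Vendor master file. The phone number here was confirmed when the vendor was
# onboarded and is the ONLY number a callback may use.
VENDOR_FILE = {
    "acme-supplies": {"account": "123456789", "verified_phone": "+1-555-0100"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    account: str                                   # account the request asks to pay
    requester: str                                 # person who entered the request
    approvers: List[str] = field(default_factory=list)
    verified_via_phone: Optional[str] = None       # number actually called, if any
    contact_phone_in_request: Optional[str] = None # number offered inside the email


def blocking_reasons(req: PaymentRequest) -> List[str]:
    """Return every policy reason the payment may not be released (empty list = OK)."""
    reasons = []
    vendor = VENDOR_FILE.get(req.vendor_id)
    if vendor is None:
        return ["unknown_vendor"]

    # Two-person rule: above the limit, at least one approver other than the requester.
    if req.amount > APPROVAL_THRESHOLD and not any(a != req.requester for a in req.approvers):
        reasons.append("missing_second_approver")

    # A callback is required when the amount is large OR the account differs from the file.
    account_changed = req.account != vendor["account"]
    needs_callback = req.amount > APPROVAL_THRESHOLD or account_changed
    if needs_callback and req.verified_via_phone != vendor["verified_phone"]:
        reasons.append("callback_to_number_on_file_missing")

    # The classic mistake: the "verification" call went to the number the email supplied.
    if (req.verified_via_phone is not None
            and req.verified_via_phone == req.contact_phone_in_request
            and req.verified_via_phone != vendor["verified_phone"]):
        reasons.append("callback_used_number_from_request")
    return reasons


def can_release(req: PaymentRequest) -> bool:
    return not blocking_reasons(req)


# Constructed sample requests.
HIJACKED_THREAD = PaymentRequest(            # new account, one approver, callback to the email's number
    "acme-supplies", 48_000.00, "987654321", "clerk",
    approvers=["clerk"], verified_via_phone="+1-555-0199", contact_phone_in_request="+1-555-0199")
HANDLED_CORRECTLY = PaymentRequest(          # same request, second approver, callback to the number on file
    "acme-supplies", 48_000.00, "987654321", "clerk",
    approvers=["clerk", "controller"], verified_via_phone="+1-555-0100",
    contact_phone_in_request="+1-555-0199")
ROUTINE_INVOICE = PaymentRequest(            # small amount, account unchanged: no extra steps
    "acme-supplies", 1_200.00, "123456789", "clerk", approvers=["clerk"])

if __name__ == "__main__":
    for name, req in [("hijacked", HIJACKED_THREAD), ("handled", HANDLED_CORRECTLY),
                      ("routine", ROUTINE_INVOICE)]:
        print(name, "->", "release" if can_release(req) else blocking_reasons(req))
```

The gate returns every reason at once rather than the first one, so the reviewer sees the full picture: in the hijacked-thread case the request fails the two-person rule, lacks a callback to the number on file, and was "verified" against the attacker's own number.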
The True Price: Beyond the Dollars
Although Orion's $60 million loss captured headlines, smaller businesses often suffer more from hidden damages:
- Operational shutdowns during peak sales periods
- Significant productivity losses as teams scramble to recover
- Damaged client trust from data breaches
- Increased insurance premiums after cyber incidents
The average expense per business email compromise incident is $129,000—enough to devastate many small companies at the worst possible time.
Ensure a Joyful Holiday, Not a Costly Cleanup
Holidays should celebrate growth, not losses. A simple team meeting, clear policies, and layered security measures can fortify your defenses against cyber threats.
Consider this: the Orion employee could have prevented a $60 million loss with just one verification phone call. Build your business's resilience with awareness and practical checks to avoid becoming a cautionary story.
Ready to safeguard your business before the New Year? Click here or call us at 907-865-3100 to book a Discovery Call to explore quick, effective steps that protect your success. Don't let cybercriminals spoil your holiday season—the best gift you can give your business is peace of mind.