November 03, 2025
Last December, an accounts payable clerk at a midsize company received an alarming text that appeared to be from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately. Despite the unusual nature of the request, the message seemed authentic, and amid the holiday rush, she complied. By the time she verified the request, scammers had already redeemed the gift cards, causing a costly loss to the business.
This kind of scam is painful, but far worse attacks exist. That same month, Orion S.A., a chemical manufacturer based in Luxembourg, suffered a catastrophic fraud. An employee received emails mimicking trusted partners that urgently requested wire transfers, perfectly timed with the company's routine business operations. Trusting their authenticity, the employee made multiple transfers as directed.
The devastating outcome? Cybercriminals stole $60 million—over half of the company's yearly profits—through fraudulent wire transfers.
Think your business is too small to be targeted? Think twice. In 2023 alone, scams involving gift cards cost businesses more than $217 million. Meanwhile, business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday period is a prime opportunity for criminals because your team is busy, distracted, and handling increased transactions.
Top 5 Holiday Scams Every Employee Must Recognize to Prevent Costly Losses
1. "Your Boss Needs Gift Cards" Scam (The $3,000 Text Trap)
- Scam Details: Impersonators pose as executives urging employees to buy gift cards for "clients" or "employee appreciation." Early 2024 data shows 37.9% of business email compromise cases involved gift card fraud.
- Prevention Tips: Implement strict company policies requiring two approvals before any gift card purchases. Train staff to know that executives never request cards via text.
2. Invoice & Payment Manipulations (The Big Money Heist)
- Scam Details: Fraudsters send fake "updated banking details" or intercept legitimate vendor emails right before year-end payments. In June 2024, the Town of Arlington, MA, lost nearly $500,000 due to this tactic.
- Prevention Tips: Always verify any banking detail changes by calling a known number—not the one in the email. Enforce a "phone call confirmation" rule for any financial transaction over $5,000.
3. Fake Shipping and Delivery Notifications
- Scam Details: Phishing messages impersonate UPS, FedEx, or USPS asking recipients to "reschedule delivery" via malicious links.
- Prevention Tips: Encourage employees to visit carriers' official websites directly by typing URLs or using bookmarks, avoiding suspicious links.
4. Dangerous "Holiday Party" Email Attachments
- Scam Details: Emails arrive with attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that, once opened, install malware.
- Prevention Tips: Disable macros, scan all attachments, and promote a culture where unexpected files are verified before opening.
5. Fake Holiday Fundraising Campaigns
- Scam Details: Phishing websites impersonate charities or fake company match donation campaigns to steal money or sensitive information.
- Prevention Tips: Share a vetted list of approved charities and mandate that all donations go through official platforms.
Why These Attacks Succeed and How You Can Defend Against Them
The very digital tools that streamline your business—emails, online payments, and banking portals—are what attackers exploit. These are no longer crude scams but highly sophisticated attacks leveraging social engineering alongside in-depth company research.
Businesses that conduct regular phishing simulations reduce their risk by up to 60%, yet many small companies skip employee training. Although multifactor authentication prevents 99% of unauthorized access, countless organizations still rely solely on passwords.
Your Essential Holiday Security Checklist
Prepare your team before the holiday crunch with these must-do actions:
- The Two-Person Authorization Rule: Require verbal confirmation via a separate communication method for transactions exceeding your set limit.
- Clear Gift Card Policy: Officially prohibit gift card purchases via email or text messages.
- Vendor Payment Verification: Always confirm banking or payment detail changes by phone using pre-existing contact numbers.
- Enable Multifactor Authentication: Apply MFA across all email, banking, and cloud services.
- Holiday Scam Awareness: Educate your team on these top five scams with actual case studies.
The True Cost of Scams: Beyond Just Financial Loss
While Orion's staggering $60 million loss made headlines, smaller companies often suffer deeper hidden impacts:
- Disruption of operations during crucial business periods
- Lower productivity as staff scramble to resolve issues
- Damaged customer trust if sensitive client data is exposed
- Spike in insurance premiums following cyber incidents
On average, each business email compromise incident results in $129,000 in losses, enough to topple many small companies at their most vulnerable time.
Secure Your Holidays: Keep Them Joyful, Not Risky
This holiday season should be for growth and celebration—not scrambling to fix wire fraud aftermath. A few smart policies, staff training sessions, and layered security measures can create a formidable shield against cybercriminals.
Remember: The Orion employee could have prevented a $60 million loss with a simple verification call. With awareness and careful steps, your business won't become the next cautionary headline.
