November 03, 2025
Last December, an accounts payable clerk at a medium-sized firm received a seemingly urgent text from her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Although it felt suspicious, the message appeared to come from the CEO's number amidst the holiday rush. By the time she verified the request, the gift cards had already been cashed, and the company suffered the loss.
While this scam is painful, some attacks can devastate entire businesses. That same month, Luxembourg-based chemical company Orion S.A. fell prey to a much larger fraud. An employee was tricked by emails that looked like standard wire transfer requests from trusted colleagues or partners. Believing them urgent and authentic, the employee processed multiple transfers without hesitation.
The outcome? Cybercriminals walked away with $60 million—over half of the company's annual profits lost through fraudulent wire transfers.
If you assume your business is too small to be targeted, think again. In 2023 alone, gift card scams drained over $217 million from companies, and in 2024, 73% of cyberattacks involved business email compromise (BEC). The holiday season creates a perfect storm for cybercriminals: teams are distracted and stressed while handling increased transaction volumes.
Protect Your Business: 5 Holiday Scams Every Employee Must Recognize to Avoid Costly Losses
1. "Urgent CEO Gift Card Requests" - The $3,000 Text Trap
- The Scam: Impersonators pose as executives requesting staff to buy gift cards for "clients" or "employee rewards." In early 2024, 37.9% of BEC attacks involved gift card schemes.
- How to Prevent: Enforce a strict policy requiring dual approvals before any gift card purchase. Train employees that executives never request gift cards via text or email.
2. Invoice and Payment Details Hijacking - The Big Money Theft
- The Scam: Cyber thieves send fake "updated banking information" or intercept legitimate vendor emails at critical payment times. In June 2024, the Town of Arlington, MA lost nearly $500,000 to this scheme.
- How to Prevent: Always verify banking changes by calling a trusted contact number, never relying on email details alone. Implement a "phone call confirmation" rule for transactions over $5,000.
3. Fraudulent Shipping and Delivery Alerts
- The Scam: Phishing messages impersonate UPS/FedEx/USPS asking recipients to "reschedule delivery" through malicious links.
- How to Prevent: Educate your team to avoid clicking links in delivery messages. Instead, type the carrier's website URL directly or use bookmarked official tracking pages.
4. Malicious Attachments Disguised as Holiday Files
- The Scam: Emails with attachments named "Holiday_Schedule.pdf" or "Party_List.xls" that install malware upon opening.
- How to Prevent: Disable macros, use antivirus scanning on attachments, and encourage a verification culture around unexpected files.
5. Fake Holiday Fundraisers
- The Scam: Phishing websites impersonate charities or fake "company match" fundraising campaigns to steal money and personal data.
- How to Prevent: Circulate a vetted charity list and require all donations to go through official donation portals only.
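A content-based attachment check for item 4, added here as an illustration (not code from the original article): it compares what a file actually contains with what its name claims and flags Office macro projects. The allowlist, reason strings and sample bytes are assumptions constructed for the example.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
# Assumed gateway allowlist: extension -> content kind it must contain.
EXPECTED = {"pdf": "pdf", "xls": "ole", "doc": "ole",
            "xlsx": "ooxml", "docx": "ooxml"}

def sniff(data):
    """Classify by content, since the file name is sender-controlled."""
    if data.startswith(b"%PDF-"):
        return "pdf", []
    if data.startswith(OLE_MAGIC):
        return "ole", []
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown", []  # truncated or malformed archive
        return ("ooxml" if "[Content_Types].xml" in names else "zip"), names
    return "unknown", []

def triage(filename, data):
    """Return reasons to quarantine; an empty list means deliver."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, names = sniff(data)
    reasons = []
    if ext not in EXPECTED:
        reasons.append("extension-not-allowed")
    elif EXPECTED[ext] != kind:
        reasons.append(f"content-is-{kind}-not-{ext}")
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("vba-macro-project")
    if kind == "ole":
        reasons.append("legacy-office-needs-sandbox")  # macros not ruled out
    return reasons

def make_zip(members):
    # Build a constructed in-memory archive for the sample below.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"constructed sample")
    return buf.getvalue()

# Constructed sample contents for the file names in item 4.
MACRO_BOOK = make_zip(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])
CLEAN_PDF = b"%PDF-1.7\n% constructed sample\n"
```

Calling `triage("Holiday_Schedule.pdf", MACRO_BOOK)` returns `["content-is-ooxml-not-pdf", "vba-macro-project"]`. Legacy `.xls`/`.doc` files are always routed for deeper inspection because this check cannot rule out macros in them, so it complements antivirus scanning rather than replacing it.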
Why These Scams Succeed and How to Defend Your Business
The digital tools that streamline business — email, online banking, and digital payments — are the very methods scammers exploit. These attacks are highly targeted and sophisticated, combining social engineering with in-depth research on your organization.
Companies conducting regular simulated phishing training reduce their risk by 60%, yet many small businesses neglect this essential step. Additionally, implementing multifactor authentication (MFA) prevents 99% of unauthorized logins, but many still rely solely on passwords.
Your Essential Holiday Cybersecurity Checklist
Prepare your business before the holiday rush with these key actions:
- Two-Person Rule: Require verbal confirmation via a separate channel for transactions exceeding your set limit.
- Gift Card Regulations: Establish clear guidelines: absolutely no gift card purchases based on email or text requests.
- Vendor Verification: Always verify payment or banking changes by phone using contacts already stored in your system.
- Implement Multifactor Authentication: Activate MFA across all email, banking, and cloud services.
- Holiday Awareness Training: Educate your staff on these five common scams with real-life examples.
The True Price of Cybercrime: Beyond Financial Losses
Though Orion's $60 million loss dominated headlines, smaller businesses often face even harsher hidden impacts:
- Disruptions to critical operations during peak periods
- Lost productivity as staff scramble to resolve incidents
- Damaged customer trust when sensitive data leaks
- Higher insurance premiums following cyber incidents
On average, each business email compromise incident results in $129,000 in losses—enough to devastate many small businesses during their busiest seasons.
Keep Your Holidays Secure and Stress-Free
The holiday season should focus on growth and celebration—not recovering from fraud. A simple team briefing, clear policies, and layered security measures can stop cybercriminals from stealing your hard-earned revenue.
Remember: The employee at Orion could have averted a $60 million loss with just one verification call. Equip your team with awareness and practical checks to keep your business safe this holiday season.
Ready to fortify your team before year-end? Click here or call us at 610-628-2461 to schedule an IT Clarity Call. We'll guide you through fast, actionable steps to protect your business. Don't let cybercriminals ruin your holiday success—give your business the ultimate gift of peace of mind today.