The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, amidst the holiday rush, an accounts payable clerk at a midsize firm received an urgent text, allegedly from her CEO: Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Despite her doubts, the message seemed genuine, and in the chaos, she complied. By the time she verified the request, the scammer had drained the cards, leaving the company with a costly loss.

While this scam hurt, other attacks can devastate businesses entirely. That same month, Luxembourg's Orion S.A., a chemical manufacturer, fell for a more severe fraud. An employee got what appeared to be routine wire transfer emails — seemingly from trusted colleagues or partners. The requests were urgent, timely, and aligned with regular business operations. Without verifying, the employee processed several transfers.

The outcome? Cybercriminals walked away with $60 million — over half the company's yearly profits — through fraudulent wire transfers.

Think your small business is safe? Gift card scams alone cost companies over $217 million in 2023, and business email compromise attacks made up 73% of cyber incidents in 2024. The holiday season is prime for these crimes, as criminals exploit your team's distraction and transaction overload.

Top 5 Holiday Scams Every Employee Must Recognize Before They Drain Your Funds

1. "Your Boss Needs Gift Cards" Scam — The $3,000 Text Trap

  • The Scam: Impersonators pose as owners or executives, pressuring staff to buy gift cards for "clients" or "employee appreciation." In Q1 2024, gift card schemes accounted for 37.9% of business email compromise cases.
  • How to Prevent: Enforce strict company rules: no gift cards without dual approvals. Train employees that executives never request gift cards via text.

2. Invoice & Payment Swaps — The High-Stakes Money Grab

  • The Scam: Fraudsters send "updated banking info" or hijack vendor email threads when bills are due. For example, in June 2024, the Town of Arlington, MA lost nearly $500,000 to this tactic.
  • How to Prevent: Always verify banking changes via a trusted phone number, never from an emailed contact. Adopt a mandatory "phone call rule" for all transactions over $5,000.

3. Fake Delivery Notices

  • The Scam: Phishing emails or texts masquerade as UPS, FedEx, USPS, urging recipients to "reschedule delivery" through malicious links.
  • How to Prevent: Teach staff to reach carrier websites by typing the URL themselves or using bookmarked official tracking pages, never by following links in a message.

4. Malicious "Holiday Party" Attachments

  • The Scam: Emails carry malware-ridden attachments titled "Holiday_Schedule.pdf" or "Party_List.xls" that execute harmful code when opened.
  • How to Prevent: Disable macros, scan attachments before opening, and build a culture of verifying unexpected files.

5. Fake Holiday Fundraisers

  • The Scam: Phishing sites impersonate charities or fake "company match" drives aiming to steal donations or sensitive data.
  • How to Prevent: Distribute an approved charity list and mandate all donations go through official platforms.

Why These Schemes Work & How You Can Fight Back

Scammers exploit the very tools designed for efficiency — email, online banking, and digital payments. These attacks are sophisticated, using social engineering and detailed research to mimic your company's trusted partners.

Businesses running regular phishing drills reduce breaches by 60%, yet many small companies skip employee training. Enabling multifactor authentication blocks 99% of unauthorized access, but too many still rely on simple passwords.

Your Essential Holiday Security Checklist

Before the busy season peaks, make sure to:

  • Implement the Two-Person Rule: Require verbal confirmation via another communication method for transactions above your set limit.
  • Enforce a Gift Card Policy: Document that gift cards should never be purchased via email or text.
  • Verify Vendors Strictly: Confirm all banking changes by calling known contacts on file.
  • Enable Multifactor Authentication: Secure all email, financial, and cloud accounts with MFA.
  • Educate Your Team: Share these five scam examples to heighten holiday awareness.

The True Price: Beyond Financial Loss

While Orion's $60 million theft made the news, small businesses often suffer even more from less visible damage:

  • Business operations paralyzed during peak times.
  • Staff productivity plummets as they deal with cleanup.
  • Loss of customer trust if sensitive data is breached.
  • Rising insurance costs post-incident.

With an average loss of $129,000 per business email compromise event, many small companies face potential ruin at the year's worst moment.

Keep Your Holidays Stress-Free and Secure

The holidays should be about growth and joy — not fraud recovery. A quick staff briefing, clear policies, and layered defenses can keep cybercriminals far from your financial records.

Remember, the Orion employee could have stopped a $60 million loss with a single verification call. By fostering awareness and performing simple checks, your business can avoid becoming the next shocking cautionary tale.

Ready to shield your team before the New Year? Click here or call us at 916-626-4000 to arrange a 15-Minute Discovery Call. We'll guide you through easy yet powerful steps to protect your business — because the greatest gift this holiday season is peace of mind.