
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, an accounts payable clerk at a midsize company received an urgent text apparently from her CEO: "Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately." Though suspicious, the request seemed genuine due to the sender's name and the seasonal holiday rush. Unfortunately, by the time she verified, the fraudsters had disappeared with the funds, leaving the company to bear the financial loss.

This kind of scam is painful, but some attacks can devastate a business completely. In that same month, Luxembourg-based chemical firm Orion S.A. suffered a catastrophic breach. An employee received what looked like routine emails requesting wire transfers—apparently from trusted colleagues or partners. These urgent, seemingly legitimate demands aligned with regular operations, leading the employee to proceed without hesitation.

The devastating outcome? Cybercriminals walked away with $60 million—over half of the company's yearly profits—through a series of fraudulent wire transfers.

Thinking your small business is immune? Think again. Gift card scams alone drained over $217 million from companies in 2023, and business email compromise attacks made up 73% of cyber incidents in 2024. Businesses are especially vulnerable during the holiday season, when criminals exploit busy, distracted staff and high transaction volumes.

Top 5 Holiday Scams Your Employees Must Recognize To Avoid Costly Mistakes

1. "CEO Needs Gift Cards" Scam (The $3,000 Text Fraud)

  • How it works: Scammers impersonate executives, pressuring employees to buy gift cards for "clients" or "employee rewards." In early 2024, this scheme accounted for 37.9% of business email compromise cases.
  • How to prevent: Implement strict policies requiring dual approvals before purchasing gift cards. Educate your team that leadership will never request gift cards via casual texts.

2. Invoice & Payment Hijacking (Major Monetary Fraud)

  • How it works: Fraudsters send fake "updated banking info" or intercept vendor email conversations at critical billing times. For example, Arlington, MA lost nearly $500,000 in June 2024 due to such an attack.
  • How to prevent: Always confirm changes to bank details by calling trusted phone numbers, not the numbers given in phishing emails. Enforce a "phone call rule" for financial changes above $5,000.

3. Fake Delivery Notifications

  • How it works: Phishing emails or texts pretending to be UPS, FedEx, or USPS ask recipients to "reschedule deliveries" through malicious links.
  • How to prevent: Train employees to directly visit courier websites by typing URLs or using bookmarked official tracking pages. Avoid clicking suspicious links.

4. Malicious Holiday Party Attachments

  • How it works: Emails claiming to share files like "Holiday_Schedule.pdf" or "Party_List.xls" contain malware that activates upon opening.
  • How to prevent: Block macro-enabled files, scan all incoming attachments, and cultivate a culture of verifying unexpected files before opening.

5. Fraudulent Holiday Fundraisers

  • How it works: Phishing websites imitate legitimate charities or fake company match programs to steal money or sensitive information.
  • How to prevent: Provide an approved list of charities and ensure all donations go through official, verified portals only.
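
For scam 4 above, "block macro-enabled files" can be enforced in code at the mail gateway. The sketch below is an added example, not part of the original article: it screens a message's attachments by extension and by content, so a macro workbook renamed to `.xlsx` is still caught. The extension blocklist, addresses and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Macro-enabled Office extensions (assumed blocklist; tune to your mail policy).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}


def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML (zip) file that embeds a VBA macro project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def screen_attachments(raw_message: bytes) -> dict:
    """Map each attachment filename to 'block' or 'allow'."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Check content as well as name: renaming a file does not remove its macros.
        blocked = ext in MACRO_EXTENSIONS or has_vba_project(data)
        verdicts[name] = "block" if blocked else "allow"
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample: a PDF stub plus an .xlsx that hides a macro project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00placeholder, not real VBA")
    msg = EmailMessage()
    msg["From"] = "events@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Holiday party details"
    msg.set_content("Schedule and guest list attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="Holiday_Schedule.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Party_List.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(screen_attachments(build_sample_message()))
```

Legacy binary formats such as `.xls` and `.doc` are OLE files rather than zip archives, so they need a separate parser or an outright block by extension.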

Why These Scams Succeed—and Strategies To Defend Your Business

The very technologies that enhance business efficiency—email, online banking, digital payments—are the tools cybercriminals exploit. These threats aren't outdated "Nigerian prince" scams but sophisticated attacks combining social engineering with detailed company reconnaissance.

Firms that run routine phishing simulations decrease their risk by 60%, yet many small businesses neglect employee training. While multifactor authentication blocks 99% of unauthorized access, countless companies still depend solely on passwords.

Your Essential Holiday Cybersecurity Checklist

Prepare your team before the holiday rush:

  • Two-Person Verification: Require verbal confirmation via a separate communication channel for transactions beyond your set limit.
  • Strict Gift Card Rules: Enforce a zero-tolerance policy on purchasing gift cards through email or text requests.
  • Vendor Details Confirmation: Verify any changes to payment information by calling previously stored phone numbers.
  • Enable Multifactor Authentication: Secure all email, banking, and cloud accounts with MFA.
  • Holiday Scam Education: Brief your employees on these five prevalent scams using real-world examples.

The True Impact: Beyond Financial Losses

Although Orion's headline-making $60 million loss is staggering, smaller businesses often suffer even more from hidden fallout:

  • Disruptions during peak business seasons caused by operational shutdowns.
  • Reduced productivity as employees focus on incident recovery.
  • Damage to customer trust if sensitive client data is compromised.
  • Increased insurance costs following cyber incidents.

The average financial hit from a business email compromise is $129,000—enough to jeopardize many small enterprises during critical times.

Keep Your Holiday Season Safe and Successful

The holidays should focus on growth and celebration—not dealing with costly cyber fraud. A quick team meeting, clear policies, and layered security measures can protect your business and keep scammers at bay.

Remember, a simple verification call could have averted Orion's massive $60 million loss. With the right knowledge and easy precautions, your business can steer clear of becoming the next cautionary headline.

Ready to secure your team before the New Year? Click here or call us at 1-310-798-0405 to schedule a 15-Minute Discovery Call and learn practical, fast steps to protect your business. Don't let cybercriminals ruin your holiday success—the greatest gift you can give your company this season is peace of mind.


Vitalpoints