The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 03, 2025

Last December, a finance employee at a mid-sized company received a surprising text from someone claiming to be her "CEO": Purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them. Though suspicious, the message bore the boss's name and it was a hectic holiday season. By the time she verified, the funds were lost, the scammer had vanished, and the company absorbed the loss.

Unfortunately, this was a minor blow compared to what happened at Orion S.A., a Luxembourg chemical firm, that same month. An employee was targeted with what looked like standard email requests to transfer funds — seemingly coming from trusted colleagues or partners. The messages appeared urgent and authentic, fitting normal business practices. Without pause, the employee executed multiple wire transfers as directed.

Consequently, $60 million was funneled directly into cybercriminals' hands — wiping out over half of the firm's annual profits through fraudulent wire transfers.

Think your small business is safe? Think again. Gift card scams alone cost businesses upwards of $217 million in 2023, and business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday period is especially vulnerable as criminals exploit distraction, stress, and increased transaction volume within teams.

5 Critical Holiday Scams Your Employees Must Recognize to Protect Your Business

1. Impersonation for Gift Cards (The $3,000 Text Scam)

  • The Scam: Fraudsters impersonate executives to pressure employees into buying gift cards for "clients" or "employee rewards." In early 2024, 37.9% of business email compromise cases involved gift card fraud.
  • How to Prevent: Enforce a strict policy requiring two approvals for gift card purchases. Train staff that executives will never request gift cards via text message.

2. Invoice and Payment Fraud (The High-Stakes Switch)

  • The Scam: Cybercriminals send fake "updated banking details" or intercept legitimate vendor emails near the year's end when payments are due. For instance, in June 2024, Arlington, MA lost almost half a million dollars from such a scheme.
  • How to Prevent: Always verify banking changes via a known phone number — do not trust contact info in emails. Implement a "phone call rule" for any financial changes exceeding $5,000.

3. Fake Delivery Alerts

  • The Scam: Phishing messages posing as carriers like UPS, FedEx, or USPS prompt users to "reschedule deliveries" via malicious links.
  • How to Prevent: Educate employees to navigate to carrier websites manually and bookmark official pages. Avoid clicking links in suspicious messages.

4. Malicious Holiday Party Attachments

  • The Scam: Emails carry attachments with names like "Holiday_Schedule.pdf" or "Party_List.xls" that install malware when opened.
  • How to Prevent: Block macros, scan all attachments, and encourage employees to verify unexpected files before opening.

5. Fraudulent Holiday Fundraisers

  • The Scam: Phishing websites pretending to be charities or fake "company match" campaigns aimed at stealing money or personal information.
  • How to Prevent: Distribute a vetted charity list and require donations to be processed exclusively through official company channels.
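
As an added example (not code from this article's author), the sketch below shows how a mail filter could flag the email-borne forms of scams 1, 2 and 4 so a person verifies them by phone before acting. The company domain, executive name, keyword patterns and sample messages are all hypothetical or constructed.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical values for this sketch: use your own domain, names and terms.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
BANK_CHANGE = re.compile(r"\b(updated|new|changed)\s+(bank(ing)?|account|payment)\s+"
                         r"(details|information|instructions)\b", re.I)
MACRO_EXT = (".xls", ".xlsm", ".doc", ".docm")  # formats that can carry macros

def triage(msg):
    """Return sorted reasons to hold a message for out-of-band verification."""
    name, addr = parseaddr(str(msg.get("From", "")))
    external = addr.rpartition("@")[2].lower() != COMPANY_DOMAIN
    text, flags = [str(msg.get("Subject", ""))], set()
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_EXT):
            flags.add("macro-capable attachment")
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    body = "\n".join(text)
    # An executive's display name on an address outside the company domain.
    if external and name.strip().lower() in EXECUTIVES:
        flags.add("executive name on external address")
    if GIFT_CARD.search(body):
        flags.add("gift card request")
    if BANK_CHANGE.search(body):
        flags.add("banking detail change")
    return sorted(flags)

def sample(sender, subject, body, attachment=None):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "finance@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

SAMPLES = [
    sample('"Dana Reyes" <ceo.office@example.net>', "Quick favor",
           "Buy $3,000 in Apple gift cards for clients and email the codes."),
    sample("billing@example.org", "Invoice", "Please use our updated banking details."),
    sample("hr@example.org", "Holiday party", "List attached.", "Party_List.xls"),
]
```

For real mail, parse the raw message with email.message_from_bytes(raw, policy=email.policy.default) and pass the result to triage(); a flag means "verify by phone first", not "confirmed fraud".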

Why These Cyberattacks Thrive and What You Can Do to Combat Them

Tools that streamline business operations — emails, online banking, digital payments — are precisely what malicious actors exploit. These are not outdated scams; they are sophisticated, carefully crafted attacks leveraging social engineering and extensive company research.

Companies conducting regular phishing drills reduce their risk by 60%, yet many small businesses omit employee training. Multifactor authentication blocks 99% of unauthorized access, yet numerous organizations still rely solely on passwords.

Your Ultimate Holiday Security Checklist

Prepare your business for the holiday rush with these essential steps:

  • Two-Person Authorization: Require verbal confirmation through a separate method for transactions exceeding your established threshold.
  • Gift Card Policy: Establish a written rule prohibiting gift card purchases via email or text.
  • Vendor Confirmation: Verify all changes in banking or payment details via pre-existing phone contacts.
  • Multifactor Authentication: Activate MFA for all email, banking, and cloud platforms.
  • Holiday Scam Awareness: Educate your team about these five scams using real scenarios.

The True Toll: Beyond Financial Loss

While Orion's $60 million theft grabbed headlines, smaller companies often suffer further, less visible damage:

  • Interrupted operations during critical peak seasons
  • Reduced productivity as employees scramble to recover
  • Damaged customer trust if sensitive data is leaked
  • Increased insurance premiums post-cyber incident

The average loss per business email compromise attack is $129,000 — a devastating blow that could cripple many small companies at their busiest time.

Keep Your Holiday Season Secure and Stress-Free

The holidays should be a time for growth and celebration — not damage control after cyber fraud. A brief team meeting, clear policies, and layered security measures can dramatically reduce your risk and safeguard your finances.

Remember: Orion's massive $60 million loss could have been prevented by a single verification call. By equipping your team with knowledge and simple safeguards, your business can avoid becoming the next headline.

Ready to fortify your team before the New Year? Click here or call us at (949) 537-2909 to schedule a 10-Minute Discovery Call and receive practical steps to safeguard your business. This holiday season, gift your company the priceless benefit of peace of mind.