The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)

November 02, 2025

Last December, an accounts payable clerk at a midsize company received an urgent text claiming to be from her "CEO": Buy $3,000 in Apple gift cards for clients, scratch off the backs, and email the codes. Though it felt suspicious, the message came from the boss's name during peak holiday chaos. By the time she verified the request, the scammer had already drained the funds, leaving the company to absorb the loss.

While painful, this scam pales compared to others that can devastate entire businesses. That same month, Orion S.A., a Luxembourg chemical manufacturer, was hit by a far more severe fraud. An employee received seemingly routine emails requesting wire transfers—appearing to come from trusted colleagues or partners. The messages were urgent and matched typical business transactions, prompting the employee to execute multiple transfers without hesitation.

The outcome? Cybercriminals made off with $60 million—over half of the company's annual profits—through a string of fraudulent transfers.

If you believe your small business is too minor a target for such scams, think again. Gift-card fraud alone cost businesses over $217 million in 2023, and business email compromise attacks represented 73% of all cyber incidents in 2024. The holiday season is a prime window for attackers who exploit distracted, stressed teams handling increased transaction volumes.

5 Holiday Scams Your Employees Must Recognize (Before They Drain Your Wallet)

1. "Your Boss Wants Gift Cards" (The $3,000 Text Scam)

  • The Scam: Fraudsters impersonate executives, pressuring staff to buy gift cards for "clients" or "employee rewards." In Q1 2024, 37.9% of business email compromises involved gift card schemes.
  • How to Prevent: Enforce a strict company policy requiring two separate approvals for gift card purchases. Train employees that executives never request gift cards via text.

2. Fake Invoice & Payment Updates (The Big Money Heist)

  • The Scam: Cybercriminals send "updated bank details" or hijack vendor email threads just as year-end invoices are due. For example, in June 2024, the Town of Arlington, MA lost nearly $500,000 this way.
  • How to Prevent: Always verify banking changes using known phone numbers—not the contact info provided in the email. Implement a "phone call rule" for all financial changes exceeding $5,000.

3. Counterfeit Shipping & Delivery Alerts

  • The Scam: Phishing emails or texts pretending to be UPS, FedEx, or USPS with links to "reschedule delivery."
  • How to Prevent: Advise staff to access carrier websites directly by typing the URL themselves. Bookmark official tracking pages to avoid dangerous links.

4. Toxic "Holiday Party" Attachments

  • The Scam: Emails carrying attachments like "Holiday_Schedule.pdf" or "Party_List.xls" that unleash malware once opened.
  • How to Prevent: Disable macros, use attachment scanning tools, and create a culture where verifying unsolicited files is mandatory.

5. Fake Holiday Fundraisers

  • The Scam: Phishing websites imitating charities or fake "company match" donation drives steal money or personal data.
  • How to Prevent: Distribute an approved charity list and require all donations to be made through official company portals.

Why These Scams Succeed (And How to Defend Your Business)

The very tools that streamline business operations—email, online banking, and digital payments—are exploited by scammers. These attacks aren't outdated "Nigerian prince" emails but sophisticated schemes combining social engineering and targeted research on your company.

Companies running regular phishing simulations cut their risk by 60%, yet many small businesses overlook employee training. Multifactor authentication (MFA) blocks 99% of unauthorized logins, but numerous firms still depend solely on passwords.

Your Holiday Security Checklist

Prepare your team ahead of the busy season with these essential steps:

  • The Two-Person Rule: Require verbal confirmation through a separate channel for any transaction above your threshold.
  • Strict Gift Card Policy: Prohibit gift card purchases via email or text and document this policy formally.
  • Vendor Verification Procedures: Validate all payment or banking changes by calling numbers already on file.
  • Enable Multifactor Authentication: Activate MFA across all email, banking, and cloud services.
  • Holiday Scam Awareness: Educate your staff on these top five scams using authentic real-world examples.
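
One way to enforce the callback and two-person items of this checklist as a release gate in an accounts-payable workflow, shown as an added example that is not part of the original article. The vendor record, the field names and the requirement that the approver differ from the requester are assumptions; the $5,000 threshold is the article's "phone call rule" amount.

```python
from dataclasses import dataclass
from typing import Optional

CALLBACK_THRESHOLD = 5000  # USD, the article's "phone call rule" amount
NEED_CALLBACK = "hold: confirm by phone using the number on file"
WRONG_NUMBER = "hold: callback used a number that is not on file"
NEED_SECOND_PERSON = "hold: approver must be someone other than the requester"
UNKNOWN_VENDOR = "hold: vendor not in master file"

@dataclass(frozen=True)
class Vendor:  # hypothetical vendor master record
    account: str        # bank details already on file
    phone_on_file: str  # recorded before any change request arrived

@dataclass(frozen=True)
class PaymentRequest:  # hypothetical request as entered by accounts payable
    vendor: str
    amount: float
    account: str                           # bank details stated in the request
    requested_by: str
    approved_by: Optional[str] = None
    callback_number: Optional[str] = None  # number actually dialled to confirm

def norm(value: str) -> str:
    """Compare accounts and phone numbers ignoring spaces and punctuation."""
    return "".join(ch for ch in value if ch.isalnum()).upper()

def review(req: PaymentRequest, vendors: dict) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return [UNKNOWN_VENDOR]
    bank_changed = norm(req.account) != norm(vendor.account)
    if not bank_changed and req.amount <= CALLBACK_THRESHOLD:
        return []  # routine payment to known details, under the threshold
    holds = []
    if req.callback_number is None:
        holds.append(NEED_CALLBACK)
    elif norm(req.callback_number) != norm(vendor.phone_on_file):
        holds.append(WRONG_NUMBER)  # e.g. the number came from the email itself
    if req.approved_by is None or req.approved_by == req.requested_by:
        holds.append(NEED_SECOND_PERSON)
    return holds

# Constructed sample data, not real vendor details.
VENDORS = {"Acme Supplies": Vendor("ACCT 0001 2345", "+1 555 0100")}
```

A request that changes bank details is held even when the amount is small, and a callback only clears the hold when the number dialled matches the one recorded before the request arrived.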

The True Price of Cybercrime: Beyond Financial Loss

While Orion's $60 million loss grabbed headlines, the hidden impacts usually hit smaller businesses the hardest:

  • Disruptions during critical peak seasons
  • Lost productivity as employees scramble to address the damage
  • Eroded customer trust if sensitive data is compromised
  • Higher insurance premiums following a cyber incident

The average financial hit from a business email compromise is $129,000—enough to endanger many small businesses during their most critical time.

Keep Your Holidays Secure, Smooth, and Profitable

The holiday season should focus on growth and celebration—not recovering from wire fraud. A quick team briefing, clear policies, and layered security controls go a long way to keep criminals away from your finances.

Remember: The Orion employee who lost $60 million could have prevented it with a simple verification call. Empower your business with awareness and straightforward checks to avoid becoming the next cautionary story.

Ready to protect your team and business before the New Year? Click here or call us at 1300 765 014 to book a 15-Minute Discovery Call where we'll guide you through practical, quick steps to safeguard your company. Don't let cybercriminals ruin your holiday success; the greatest gift you can give your business this season is peace of mind.