The $60 Million Holiday Fraud That Devastated A Company (And How To Safeguard Yours)

AtoZinIT Team

During the hectic holiday season last December, a mid-level accounts payable staffer at a medium-sized business received a text that appeared to come directly from her CEO. The message sounded urgent: she needed to pick up $3,000 worth of Apple gift cards for clients, scratch off the codes, and email them right away. Although the request seemed slightly unusual, the sender’s name matched her boss’s, and in the rush of end-of-year tasks, she complied without hesitation. Unfortunately, by the time she verified the request, the scammer had already drained the cards — leaving the company to absorb the $3,000 loss.


While that scam was painful, others have the potential to completely cripple a company. During that same December, Orion S.A., a chemical manufacturing firm based in Luxembourg, was hit by a much more sophisticated and damaging scheme. One of its employees received what looked like ordinary email instructions for wire transfers, seemingly coming from a trusted coworker or business associate. Everything about the messages appeared legitimate, urgent, and consistent with standard company procedures. Acting in good faith, the employee completed several transfers before realizing the deception.


The outcome was devastating: sixty million dollars were wired straight to cybercriminals, wiping out more than half of the company’s yearly profits through a string of fraudulent transfers.


If you believe your small business is too insignificant to attract scammers, it’s time to reconsider. In 2023, gift card fraud alone cost companies more than $217 million, while business email compromise schemes made up 73 percent of all cyber incidents in 2024. The holiday season is a particularly vulnerable period because attackers know employees are busy, under pressure, and managing higher volumes of transactions than usual.


5 Holiday Scams Your Team Must Recognize (Before They Drain Your Profits)


  1. “Your Boss Needs Gift Cards” (The $3,000 Text Scam)

    • The scam: Fraudsters impersonate business owners or senior managers and pressure employees to purchase gift cards, claiming they’re for clients or staff rewards. In the first quarter of 2024, gift card cons made up 37.9% of all business email compromise cases.
    • How to prevent it: Establish a clear policy that no gift card purchases can occur without at least two levels of approval. Educate staff that company leaders will never ask for gift cards through text messages or informal communication channels.
  2. Invoice And Payment Switch-Ups (The Big Money Scam)

    • The scam: Cybercriminals intercept or imitate vendor communications and send fake “updated banking information” just as year-end payments are being processed. In one notable case from June 2024, the Town of Arlington, Massachusetts, lost nearly $500,000 after funds were unknowingly wired to fraudulent accounts.
    • How to prevent it: Always verify any changes to payment or banking information by calling a trusted contact using a phone number already on file — never the one listed in the suspicious email. Implement a mandatory call-back rule for all financial adjustments exceeding $5,000 to confirm legitimacy before any transfer occurs.
  3. Fake Shipping And Delivery Alerts

    • The scam: Scammers send phishing emails or text messages pretending to be UPS, FedEx, or USPS, often including links that claim you need to “reschedule” a delivery. Clicking these links can lead to malware infections or stolen credentials.
    • How to prevent it: Educate employees to always visit the carrier’s official website directly rather than clicking on links in messages. Encourage bookmarking legitimate tracking pages to ensure they never fall for fraudulent links.
  4. Dangerous “Holiday Party” Files

    • The scam: Cybercriminals send emails with attachments labeled as holiday-related documents, such as “Holiday_Schedule.pdf” or “Party_List.xls.” Opening these files can trigger malware or ransomware infections.
    • How to prevent it: Disable macros by default, scan all attachments before opening, and encourage employees to verify unexpected files with the sender as part of your company’s security culture.
  5. Fake Holiday Fundraising Appeals

    • The scam: Scammers create phishing websites that impersonate legitimate charities or fabricate “company match” donation campaigns in order to steal money or personal information.
    • How to prevent it: Provide employees with a pre-approved list of charitable organizations and ensure all donations are processed only through official, verified portals.
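
An added example, not part of the original post: one way a mail administrator could flag the impersonation patterns behind scams 1 and 2 (an executive's display name on an outside address, or a payment request whose Reply-To points at a different domain) so the message is held for a call-back. The company domain, executive name, lure phrases and sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Placeholders (assumptions): your mail domain, executive display names, lure phrases.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes"}
LURES = ("gift card", "wire transfer", "updated banking", "new bank account")
# Constructed sample messages, not real mail.
SPOOFED_CEO = """\
From: "Dana Reyes" <dana.reyes.ceo@mail.example.net>
Subject: Quick favor

I need $3,000 in Apple gift cards for clients today. Email me the codes.
"""
VENDOR_SWITCH = """\
From: Billing <billing@vendor.example>
Reply-To: billing@vendor-payments.example
Subject: Updated banking information

Please use our new bank account for the year-end invoice.
"""
INTERNAL_OK = """\
From: "Dana Reyes" <dana.reyes@example.com>
Subject: Holiday schedule

The office closes at noon on the 24th.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_flags(raw):
    """Return impersonation indicators for one single-part, plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = []
    if domain_of(addr) != COMPANY_DOMAIN and name.strip().lower() in EXECUTIVES:
        flags.append("exec-name-external-address")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-domain-mismatch")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if any(phrase in text for phrase in LURES):
        flags.append("payment-lure")
    return flags

def hold_for_callback(raw):
    """Hold when a payment lure arrives together with a sender-identity mismatch."""
    flags = bec_flags(raw)
    return "payment-lure" in flags and len(flags) > 1
```

A hit is a reason to make the call-back on the number already on file, not proof of fraud.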

Why These Scams Succeed (And How To Prevent Them)


The very tools that streamline business operations—email, online banking, and digital payment systems—are also the ones cybercriminals exploit. These attacks aren’t the old “Nigerian prince” scams; they are sophisticated operations that combine social engineering with detailed research on your company.


Companies that regularly conduct phishing simulations can cut their risk by up to 60%, yet many small businesses skip employee training altogether. Similarly, implementing multifactor authentication can prevent 99% of unauthorized logins, but too many organizations still rely solely on passwords.


Essential Holiday Cybersecurity Checklist


Here’s what to do before the holiday madness begins:


  • The Two-Person Approval: Require verbal confirmation through a separate communication channel for any transaction that exceeds your set threshold.
  • Gift Card Guidelines: Clearly state in company policy that gift cards should never be purchased or sent via email or text.
  • Vendor Verification: Always verify any changes to banking or payment information by calling a trusted number already on file.
  • Enable Multifactor Authentication: Protect all email, banking, and cloud accounts with MFA to prevent unauthorized access.
  • Holiday Scam Training: Review the five most common holiday scams with your team, using real-world examples to ensure awareness.

The True Impact: Beyond Financial Loss


Although Orion’s $60 million loss grabbed headlines, the less visible consequences often affect small businesses even more severely:


  • Operations can stall during the busiest season.
  • Staff productivity drops as employees deal with the aftermath.
  • Customer trust can be damaged if sensitive client data is exposed.
  • Cyber incidents often lead to higher insurance premiums.

On average, a single business email compromise costs $129,000, an amount that can devastate many small companies, especially during peak holiday periods.


Keep Your Holidays Joyful, Not Risky


The holiday season should focus on growth and celebration, not scrambling to recover from fraudulent wire transfers. A quick team meeting, a few well-designed policies, and layered security measures can go a long way toward keeping scammers away from your accounts.


Keep in mind: the Orion employee could have prevented a $60 million loss with just one verification call. With proper awareness and simple safeguards, your business can stay protected and avoid becoming the next cautionary example.


Want to ensure your team is fully protected before the New Year? Book a 15-minute discovery call with us, and we’ll guide you through simple, actionable steps to safeguard your business. Don’t let cybercriminals jeopardize your holiday success.


Schedule Your Free Discovery Call


Remember, the greatest gift you can give your business this holiday season is peace of mind.
