The Holiday Scam That Cost One Company $60 Million

(And How To Protect Your Business From the Same Fate)

Last December, an accounts payable employee at a midsize business received what looked like a routine, urgent text from her “CEO.” The request was simple: purchase $3,000 in Apple gift cards for clients, scratch off the codes, and email them immediately.

It felt a little strange — but it was peak holiday chaos, the sender name matched the boss, and everything sounded urgent. By the time she paused to double-check, the damage was done. The gift cards were gone, the scammer had cashed out, and the business absorbed the loss.

That incident was frustrating, but manageable. Other holiday scams are far more destructive.

That same month, Orion S.A., a Luxembourg-based chemical manufacturer, fell victim to a much larger scheme. An employee received what appeared to be legitimate internal emails requesting wire transfers — messages that looked routine, timely, and aligned with normal operations. Trusting the process, the employee approved multiple transfers without verifying the requests.

The outcome was devastating: $60 million wired directly to cybercriminals, wiping out more than half of the company’s annual profits through fraudulent transactions.

If you think your business is too small to be targeted, think again. Gift card scams alone cost businesses more than $217 million in 2023, and business email compromise (BEC) attacks made up 73% of all cyber incidents in 2024. The holiday season is prime time for these attacks because criminals know teams are stretched thin, distracted, and processing more transactions than usual.

5 Holiday Scams Your Employees Need To Know
(Before They Cost You Thousands)

1. “Your Boss Needs Gift Cards”
(The $3,000 Text Trap)

The scam: Attackers impersonate executives or owners and pressure employees into buying gift cards for “clients” or “employee appreciation.” In Q1 2024 alone, nearly 38% of BEC incidents involved gift card fraud.

Prevention: Make it policy — no gift card purchases without two approvals. Employees should know executives will never request gift cards via text or email.

2. Invoice & Payment Switch-Ups
(The Big Money Play)

The scam: Fraudsters send “updated banking details” or hijack vendor email threads right when invoices are due. In June 2024, the Town of Arlington, MA lost nearly $500,000 through this exact tactic.

Prevention: Verify all payment or banking changes using a known phone number, never the one listed in the email. Implement a mandatory call-back rule for financial changes over a set threshold (commonly $5,000).

3. Fake Shipping & Delivery Notices
The scam: Phishing emails or texts pose as UPS, FedEx, or USPS with links to “reschedule delivery” — especially common during peak shipping season.

Prevention: Train employees to navigate directly to the carrier’s official website instead of clicking links. Bookmark trusted tracking pages to avoid fake delivery notices.

4. Malicious “Holiday Party” Attachments
The scam: Emails arrive with attachments labeled things like “Holiday_Schedule.pdf” or “Party_List.xls,” which install malware when opened.

Prevention: Disable macros, scan all attachments, and create a culture where employees verify unexpected files before opening them.

5. Bogus Holiday Fundraisers
The scam: Fake donation pages or “company matching” campaigns mimic legitimate charities to steal money or personal information.

Prevention: Maintain an approved charity list and require all donations to be processed through official company portals.

Why These Attacks Work
(And How To Stop Them)

The very tools that keep businesses efficient — email, online banking, digital payments — are the same ones criminals exploit. These are not obvious “Nigerian prince” scams. They are carefully researched attacks that use social engineering, timing, and insider knowledge of your operations.

Organizations that run regular phishing simulations reduce risk by up to 60%, yet many small businesses never provide formal security training. Multifactor authentication can block 99% of unauthorized login attempts, but countless companies still rely on passwords alone.

Your Holiday Defense Checklist
Before the holiday rush hits full speed, make sure these protections are in place:
 • The Two-Person Rule: Require verbal confirmation through a separate channel for transactions over your threshold.
 • Gift Card Policy: Clearly state — no gift cards requested or approved via email or text.
 • Vendor Verification: Confirm all banking or payment changes by phone using trusted contact info.
 • Multifactor Authentication: Enable MFA on email, banking, and cloud accounts.
 • Holiday Awareness Training: Brief your team on these five scams using real-world examples.

The Real Cost: More Than Just Money

While Orion’s $60 million loss made headlines, smaller businesses often feel the hidden impact more severely:
 • Operations stalled during peak season
 • Productivity lost during cleanup and recovery
 • Customer trust damaged if data is compromised
 • Cyber insurance premiums rising after an incident

The average loss from a business email compromise incident is $129,000 — enough to seriously threaten many small businesses at the worst possible time of year.

Keep Your Holidays Merry, Not Messy
The holiday season should focus on growth, celebration, and momentum — not recovering from wire fraud. A short team huddle, a few clear policies, and layered security controls can go a long way toward keeping criminals out of your books.

Remember: the employee at Orion could have stopped a $60 million loss with one verification phone call. With the right awareness and simple safeguards, your business does not have to become the next cautionary tale.

Want to make sure your team is locked down before the New Year?
Book a 15-minute discovery call and we’ll walk through practical, no-nonsense steps to protect your business.


Because the best gift you can give your business this holiday season is peace of mind.
