November 2, 2025
The Holiday Scam That Cost One Company $60 Million (And How To Protect Yours)
Last December, an accounts payable clerk at a midsize company received a text from her “CEO”:
“Buy $3,000 in Apple gift cards for clients, scratch the backs, and email me the codes.”
It seemed strange, but the message came from her boss’s name—and it was peak holiday chaos. By the time she double-checked, the cards were gone, the scammer had cashed out, and the business had eaten the loss.
That sting was small compared to what happened next. Around the same time, Orion S.A., a Luxembourg-based manufacturer, lost $60 million in a highly sophisticated email scam. Posing as trusted partners, cybercriminals sent realistic payment requests that appeared completely legitimate. By the time anyone noticed, multiple wire transfers—more than half of Orion’s annual profits—were gone.
Why Your Business Could Be Next
Think your company is too small to be a target? Think again.
Gift card scams alone cost U.S. businesses over $217 million in 2023.
Business email compromise (BEC) accounted for 73% of all cyber incidents in 2024.
And the risk skyrockets during the holidays, when teams are distracted, overwhelmed, and rushing to wrap up the year.
5 Holiday Scams Your Employees Need to Spot (Before They Cost You Thousands)
1. “Your Boss Needs Gift Cards” (The $3,000 Text Trap)
The Scam: Impostors pose as executives and pressure employees to buy gift cards for “clients” or “staff appreciation.” In early 2024, nearly 38% of BEC attacks used this tactic.
Prevention: Create a written rule—no gift card purchases without two levels of approval. Train employees that executives will never make these requests by text or personal email.
2. Invoice & Payment Switch-Ups (The Big Money Play)
The Scam: Hackers intercept vendor emails and send “updated banking info” right before year-end payments are due. The Town of Arlington, MA, lost nearly $500,000 this way in 2024.
Prevention: Always confirm banking changes via a known phone number—never the one in the email. Require verbal confirmation for any financial change over $5,000.
3. Fake Shipping & Delivery Notices
The Scam: Phishing emails or texts that appear to come from UPS, FedEx, or USPS with links to “reschedule a delivery.”
Prevention: Teach staff to go directly to the carrier’s website by typing it into their browser. Bookmark official tracking pages—never click random links.
4. Malicious “Holiday Party” Attachments
The Scam: Attachments like Holiday_Schedule.pdf or Party_List.xls that actually install malware when opened.
Prevention: Block macros, scan all attachments, and train employees to verify unexpected files before opening.
5. Bogus Holiday Fundraisers
The Scam: Phishing sites mimic charities or create fake “company match” campaigns to steal donations or personal data.
Prevention: Publish a list of approved charities and require all donations to go through official channels.
Why These Attacks Work (And How to Stop Them)
Today’s cybercriminals don’t rely on clumsy “Nigerian prince” emails. They use real names, authentic-looking emails, and convincing language—backed by research on your company’s staff and workflows.
The good news?
Companies that run regular phishing simulations reduce their risk by 60%.
Multifactor authentication (MFA) blocks 99% of unauthorized logins, yet many businesses still rely on passwords alone.
Your Holiday Cyber Defense Checklist
Before your team gets swept up in year-end madness, make sure you’ve got these in place:
✅ Two-Person Rule: Require verbal confirmation for all transactions above a set amount.
✅ Gift Card Policy: Document that no executive requests gift cards via text or email.
✅ Vendor Verification: Confirm payment or banking changes by phone using numbers already on file.
✅ Multifactor Authentication: Enable MFA across email, banking, and cloud platforms.
✅ Team Briefing: Review these five scams in a short pre-holiday meeting—with real examples.
The Real Cost: More Than Money
While Orion’s $60 million loss made headlines, the hidden fallout often hurts smaller businesses even more:
Operations grind to a halt during peak season.
Staff waste hours on damage control.
Customer trust takes a hit if data is exposed.
Insurance premiums skyrocket after a claim.
The average BEC loss per incident is $129,000—enough to sink a small business just as the holiday rush begins.
Keep Your Holidays Merry, Not Messy
The holidays should be about celebration, not crisis cleanup. A few smart policies, quick verifications, and timely training sessions can save your business from becoming the next headline.
Remember: the employee at Orion could have prevented a $60 million disaster with one phone call.


