Last December, an accounts payable clerk at a mid-sized company got an urgent text from her “CEO.”

“Please buy $3,000 in Apple gift cards for clients and send me the codes right away.”

It was the middle of the holiday rush. The message used the boss’s name, the request seemed plausible, and time was tight. Within minutes, the cards were bought, the codes were sent—and the money was gone.

That scam cost the company a few thousand dollars. But another business wasn’t as lucky. Around the same time, a European chemical manufacturer called Orion S.A. fell victim to a more advanced version of the same playbook. Employees received what looked like routine internal emails authorizing wire transfers. Everything looked legitimate—names, signatures, even tone. By the time they realized the emails were fake, cybercriminals had stolen $60 million, more than half the company’s annual profits.

Stories like these are more and more common. And while those headlines might sound extreme, the same types of scams are targeting small businesses every single day—especially during the holidays, when staff are busy, distracted, and moving fast.

In fact, gift card scams alone cost U.S. businesses over $217 million in 2023, and business email compromise (BEC) made up 73% of all cyber incidents in 2024.

5 Holiday Scams Every Business Should Watch For

The holiday season brings joy, sales, and new opportunities—but also a spike in cyber scams. Here are the five most common types your team needs to recognize before they cost you thousands.

1. “Your Boss Needs Gift Cards” – The $3,000 Text Trap

The scam:
Criminals impersonate business owners or managers, often through text or email, asking employees to buy gift cards “for clients” or “holiday bonuses.” They pressure staff to act fast and stay discreet. Interesting fact: in early 2024, nearly 38% of BEC attacks involved gift card requests.

How to prevent it:

  • Create a clear company policy: no gift card purchases without two approvals.
  • Train employees that legitimate requests will never come by text or personal email.

2. Invoice & Payment Switch-Ups

The scam:
Fraudsters pose as vendors or partners, claiming their bank details have changed. They often hijack real email conversations, making their messages look authentic. In 2024, the Town of Arlington, MA, lost nearly $500,000 in a single incident.

How to prevent it:

  • Always verify any banking or payment change by phone using a known number, not the one in the email.
  • Adopt a “phone call rule” for all financial changes over $5,000.

3. Fake Shipping or Delivery Notices

The scam:
Phishing emails or texts appear to come from UPS, FedEx, or USPS, claiming a delivery issue and asking users to click a link. Those links often lead to malware or credential theft.

How to prevent it:

  • Never click delivery links in emails.
  • Instead, type the carrier’s website address directly into your browser or use official bookmarks.

4. “Holiday Party” Attachments Carrying Malware

The scam:
Hackers send emails with friendly-looking attachments like “Holiday_Schedule.pdf” or “Party_List.xls.” But once you open them, they silently install malware or ransomware.

How to prevent it:

  • Block macros in attachments.
  • Scan files before opening.
  • Encourage employees to verify unexpected attachments before clicking.

5. Bogus Holiday Fundraisers

The scam:
Fraudsters create fake charity sites or “company match” donation campaigns to steal money or harvest employee information. Employees who want to take part in a company donation drive might not notice that the donation portal isn’t genuine and that their money is going to fund hackers instead.

How to prevent it:

  • Publish an approved charity list for company giving.
  • Require all donations to go through official, verified portals.

Why Holiday Scams Work So Well

Hackers succeed not because businesses are careless—but because they’re busy. The same tools that make your company efficient—email, digital payments, remote collaboration—also make it easy for criminals to impersonate you.

These aren’t the “Nigerian prince” scams of the early 2000s. Today’s cybercriminals research your business, learn who your vendors are, and mimic your tone of voice. They use AI to write perfect messages and time their attacks when you’re least likely to notice.

But here’s the good news: many of these attacks can be stopped with a few simple changes.

Your Holiday Cyber Defense Checklist

Before things get hectic, take 10 minutes to review these quick protections with your team:

  • The Two-Person Rule: Any large payment or transfer requires verbal confirmation from two people through different channels.
  • Gift Card Policy: Put it in writing—no gift cards by text or email, ever.
  • Vendor Verification: Confirm all bank account or invoice changes over the phone using known numbers.
  • Enable Multifactor Authentication (MFA): MFA blocks over 99% of unauthorized logins. Turn it on for all email, banking, and cloud accounts.
  • Run Security Awareness Training: Even a short session before the holidays can cut phishing risk by 60%.

The Real Cost of Falling for a Scam

The Orion S.A. case made headlines for its $60 million loss, but the truth is, smaller incidents happen all the time. And worse, they can hurt small businesses even more.

The average loss per business email compromise is now $129,000—enough to ruin cash flow during the busiest season of the year.

Beyond the money, the ripple effects can last long after the scam is over:

  • Downtime and lost productivity
  • Damaged client trust
  • Stressed employees
  • Higher insurance premiums

All from one mistaken click or a skipped verification call.

Keep Your Holidays Merry — Not Messy

The holidays should be a time for growth and celebration, not cleaning up after a cyberattack.

A quick policy update, a short training session, and a few technology safeguards can go a long way in keeping scammers out of your inbox and your books.

Remember: the employee at Orion could have stopped a $60 million loss with one simple phone call.

With the right awareness and a few smart habits, your business won’t become the next cautionary tale.

🎁 Give your business the gift of peace of mind this holiday season.

Schedule your FREE 17-minute Security Discovery Call with Haider Consulting. We’ll help you strengthen your defenses before cybercriminals have a chance to strike.
