Last December, an accounts payable clerk at a midsize company received an urgent text from her “CEO”: buy $3,000 worth of Apple gift cards, scratch the backs, and email the codes. It sounded unusual, but it came from the boss’s name, and it was peak holiday chaos. By the time she double-checked, the cards were gone, the scammer had cashed out, and the business had taken the hit.
Unfortunately, some scams aren’t just costly—they can be devastating. That same month, Orion S.A., a Luxembourg-based chemical manufacturer, fell victim to a much bigger con. An employee received what looked like routine emails requesting wire transfers, likely from a trusted colleague or partner. The requests seemed legitimate, urgent, and aligned with normal business operations. Without hesitation, multiple transfers were made. The result? $60 million sent straight to cybercriminals—more than half the company’s annual profits lost in a series of fraudulent transfers.
Think your business is too small to be a target? Think again. Gift card scams alone cost Australian and international businesses millions each year, and business email compromise attacks accounted for 73% of all cyber incidents in 2024. The holiday period is peak season for these attacks because teams are distracted, stressed, and processing more transactions than usual.
The scam: Impersonators pose as executives and pressure staff to buy gift cards for “clients” or “employee appreciation”. In Q1 2024, 37.9% of business email compromise incidents involved gift-card schemes.
How to prevent it: Implement a strict company policy—no gift cards without two approvals. Train employees that executives will never request gift cards via text.
2. Invoice & Payment Switch-Ups
The scam: Criminals send “updated banking details” or hijack vendor emails just as bills are due. In June 2024, the Town of Arlington, MA, lost nearly $500,000 this way.
How to prevent it: Always verify banking changes using a known phone number, not the one in the email. Establish a “phone call rule” for transactions over $5,000.
3. Fake Shipping & Delivery Notices
The scam: Phishing emails or texts pose as UPS, FedEx, or USPS, asking recipients to “reschedule delivery” via a link.
How to prevent it: Train staff to type the carrier’s website directly into the browser and bookmark official tracking pages.
4. Malicious “Holiday Party” Attachments
The scam: Emails with attachments such as “Holiday_Schedule.pdf” or “Party_List.xls” that install malware when opened.
How to prevent it: Block macros, scan attachments, and make verifying unexpected files a standard practice.
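As an added illustration of the "block macros, scan attachments" advice (this code is not from the original article), the Python sketch below triages the attachments of one email: it blocks Office Open XML files that contain a VBA macro project, holds legacy Office containers for review, and flags a ".pdf" whose content is not a PDF. The function names, verdict labels and sample message are assumptions constructed for this example, and the check is a first-pass heuristic, not a replacement for a mail gateway or antivirus scan.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML files (.xlsm, .docm) are ZIPs

def triage_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office files may carry VBA; hold them for a full scan.
        return ("review", "legacy OLE Office container")
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ("review", "corrupt ZIP container")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return ("block", "OOXML file contains a VBA macro project")
    if ext == "pdf" and not data.lstrip().startswith(b"%PDF-"):
        return ("review", "extension .pdf but content is not a PDF")
    return ("allow", "no macro indicators")

def scan_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to its verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): triage_attachment(p.get_filename(),
                                                p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed test message; the payloads are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["Subject"] = "Holiday party list"
    msg.set_content("See attached.")
    for name, blob in [("Party_List.xlsm", buf.getvalue()),
                       ("Party_List.xls", OLE_MAGIC + b"\x00" * 24),
                       ("Holiday_Schedule.pdf", b"constructed non-PDF bytes"),
                       ("Menu.pdf", b"%PDF-1.7\n% constructed\n")]:
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns one verdict per attachment; anything marked "review" should go to a person or a full scanner before it reaches the recipient.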
5. Bogus Holiday Fundraisers
The scam: Phishing websites mimic charities or fake “company match” campaigns to steal money or data.
How to prevent it: Maintain an approved charity list and ensure all donations go through official channels.
The very tools that make business more efficient—email, online banking, digital payments—are exactly what cybercriminals exploit. These aren’t obvious “Nigerian prince” scams. They’re sophisticated attacks combining social engineering and research on your business. Regular phishing simulations reduce risk by 60%, yet most small businesses never run them. Multifactor authentication (MFA) blocks 99% of unauthorised logins, but many companies still rely on passwords alone.
Before the holidays hit full swing:
Two-Person Rule: Any transaction above your set threshold requires verbal confirmation through a separate channel.
Gift Card Policy: No gift cards via email or text.
Vendor Verification: Confirm banking or payment changes by phone using numbers already on file.
Multifactor Authentication: Enable MFA on all email, banking, and cloud accounts.
Holiday Awareness: Brief your team on these five scams using real examples.
Orion’s $60 million loss made headlines, but for small businesses, hidden costs can be even worse: operations stalled during peak season, lost productivity as staff scramble to recover, eroded customer trust if client data is exposed, and increased insurance premiums after a cyber incident. The average loss per business email compromise incident is $129,000, enough to seriously impact a small business at the worst possible time of year.
The holidays should be about growth and celebration, not cleaning up cybercrime. A short team briefing, a few smart policies, and layered protections can make all the difference. The employee at Orion could have stopped a $60 million loss with a single verification phone call. With awareness and simple checks, your business can avoid becoming the next cautionary tale. Want to lock down your team before the New Year? Book a 15-minute discovery call with BlueReef Technology, and we’ll walk you through quick, practical steps to keep your business safe. Schedule Your Free Security Assessment. The best gift you can give your business this holiday season is peace of mind.