At first glance, holding off on IT upgrades or employee security training during the holiday season may seem like a cost-saving move. But one overlooked message, one unverified invoice, or one well-crafted scam could cost your company more than you think—just ask Orion S.A., a chemical manufacturer that lost $60 million to a holiday phishing scam.
Whether you're a small business or a mid-size company, cybercriminals are counting on you being too distracted to notice their tricks. If you want to protect your business this season, it starts with knowing what to look for—and how to lock it down with smart Network Security.
The Real Cost of Holiday Scams
Scams targeting businesses peak during the holidays, when employees are rushing to meet deadlines and processing more transactions than usual. In one now-infamous case, a clerk received a message—allegedly from the CEO—requesting $3,000 in Apple gift cards for “client gifts.” By the time she questioned it, the codes had already been sent and redeemed. But that’s small potatoes compared to Orion’s loss: $60 million wired to scammers via a fake email exchange mimicking a trusted vendor.
And it’s not just big corporations at risk. In 2023, businesses lost over $217 million to gift-card scams alone. Business email compromise (BEC) made up 73% of all cyber incidents in 2024.
5 Holiday Scams Your Employees Need To Know
1. "Your Boss Needs Gift Cards"
The Scam: Attackers spoof a company executive’s email or phone number and urgently request gift cards for clients or staff.
Prevention: Implement a strict policy that no gift cards are purchased without dual verbal approval. Remind staff that executives will never make these requests via text.
2. Invoice & Payment Switch-Ups
The Scam: Hackers hijack vendor threads or send fake “updated banking info” during billing season.
Prevention: Verify payment changes over the phone using a known number—not one provided in the email.
3. Fake Shipping Notices
The Scam: Phishing emails mimic FedEx, UPS, or USPS and link to fake delivery updates.
Prevention: Train staff to type URLs directly into their browser. Bookmark carrier sites to avoid accidental clicks.
4. "Holiday Party" Malware Attachments
The Scam: Malicious attachments labeled “Holiday_Schedule.pdf” or “Party_Invite.xls” infect your network when opened.
Prevention: Disable macros, scan attachments, and educate your team to report suspicious files.
5. Bogus Fundraisers & Charity Scams
The Scam: Fraudulent campaigns mimic real charities or pretend to match donations.
Prevention: Provide a vetted list of approved charities and require all donations to go through internal channels.
Why These Attacks Work
These aren’t amateur efforts. Most modern cyberattacks are a mix of social engineering and professional-level research. Scammers target your team with messages that seem routine—because they are designed to blend in with your daily operations.
Most small businesses skip phishing simulations and rely solely on passwords—making them easy targets. In reality, multifactor authentication blocks 99% of unauthorized login attempts, and phishing training cuts risk by over 60%.
Your Holiday Cybersecurity Checklist
Here’s what to review before year-end:
- Two-Person Rule: Require dual verbal confirmation for any transaction above a set threshold.
- Gift Card Policy: Ban gift card requests over email or text.
- Vendor Verification: Always call to verify payment changes using known contacts.
- Multifactor Authentication: Enable MFA for email, cloud storage, and financial accounts.
- Employee Awareness: Host a holiday security training using real-life examples.
Hidden Costs of a Cyber Incident
Even if you recover the money, the long-term damage can be far worse:
- Downtime during your busiest season
- Staff burnout from handling the aftermath
- Loss of customer trust if sensitive data is exposed
- Increased insurance premiums or coverage denial
The average loss per BEC incident is $129,000—more than enough to sink a small business already stretched thin in Q4.
Give Your Business the Gift of Peace of Mind
The employee at Orion could’ve stopped a $60 million scam with one phone call. With the right IT strategy and proactive cybersecurity, your business can avoid becoming the next headline.
Need help implementing these protections before the holidays hit? Schedule a free discovery call with Lazer IT Consultants and we’ll map out a fast, budget-friendly strategy to secure your team.
Because the best gift you can give your business this holiday season… is peace of mind.
