In December 2024, an accounts payable (AP) clerk received a text from her “CEO” asking her to buy $3,000 in Apple gift cards and email the access codes. It looked legitimate during the holiday rush — until she realized the request was fake and the money was gone. That same month, a chemical manufacturer suffered something far worse. An employee processed what appeared to be routine wire-transfer requests — they were in fact not legitimate — and cybercriminals walked away with $60 million, more than half the company’s annual profits.
Small businesses are no safer. Gift card scams cost companies over $217 million in 2023, and business email compromise (BEC) made up 73% of cyber incidents in 2024. The holidays are prime time because teams are busy, distracted and handling more transactions than usual.
5 Holiday Scams Your Employees Must Watch For
- Fake “Boss” Gift-Card Requests: Scammers impersonate owners/managers to pressure employees into buying gift cards.
  - Prevent it: Create a written “no gift cards without two approvals” policy.
- Invoice & Payment Changes: Fraudsters send fake “updated banking details” or hijack vendor e-mail threads.
  - Prevent it: Confirm all banking changes by calling a known number.
- Fake Shipping Notices: Phishing texts and e-mails mimic UPS/FedEx/USPS tracking links.
  - Prevent it: Type carrier websites manually or use official bookmarks.
- Malicious Holiday Attachments: Files labeled “Holiday_Schedule” or “Party_List” install malware when opened.
  - Prevent it: Block macros, scan attachments, verify unexpected files.
- Bogus Charity Campaigns: Scammers spoof charities or “company match” fundraisers.
  - Prevent it: Share an approved charity list and use official donation portals.
Why These Attacks Work
Scammers use well-researched, realistic messages — not obvious spam. A quick response during holiday chaos is often all it takes.
- Regular phishing training can cut risk by 60%.
- MFA blocks 99% of unauthorized logins — yet many businesses don’t use it.
Your Holiday Security Checklist
- Two-Person Rule: Require verbal confirmation for financial transactions above your threshold.
- Written Gift-Card Policy: No requests by text or e-mail — ever.
- Vendor Verification: Confirm all payment changes by phone.
- Enable MFA Everywhere: E-mail, banking and cloud apps.
- Team Awareness: Review these five scams now.
The Real Cost
A $60 million loss makes headlines, but even smaller incidents can cripple a business through:
- halted operations
- cleanup hours
- customer mistrust
- higher cyber insurance premiums
The average BEC loss is $129,000 — enough to sink many small businesses during the busiest season of the year.
Keep Your Holidays Merry, Not Messy
One verification call could have saved Orion $60 million. With the right policies and quick training, your company can avoid becoming the next cautionary tale.