The Holiday Cyber Scam That Cost $60 Million — and How Smart Businesses Stay Protected
Last December, an accounts payable clerk at a midsize company received a text message, seemingly from her CEO, directing her to purchase $3,000 in Apple gift cards for clients. The request was unusual, but the timing—during the busy holiday season—added a sense of urgency and distraction. Trusting that the message was legitimate, she followed the instructions, scratching off the backs and e-mailing the codes as told. By the time she paused to double-check, the scammer had already cashed out the gift cards, leaving the business to absorb the loss.
That sting was eclipsed by a far larger incident that same month at Orion S.A., a chemical manufacturer headquartered in Luxembourg. There, an employee received a series of e-mails requesting urgent wire transfers. The messages mimicked the routine workflow and included the names of trusted colleagues, making them difficult to detect as fraudulent. Relying on the appearance of legitimacy, the employee processed several transfers as instructed—only to later discover that a total of $60 million, more than half the company’s annual profit, had been sent directly to cybercriminals.
These incidents are stark reminders: No business is too small or too seasoned to be targeted. In 2023 alone, gift card scams drained over $217 million from businesses, and by 2024, business e-mail compromise accounted for 73% of all cyber incidents reported. The holiday season presents an even greater risk, as teams are often overwhelmed, multitasking, and moving quickly to meet deadlines. Cybercriminals count on this distracted environment to successfully impersonate executives, hijack communications, and manipulate well-meaning employees into costly mistakes.
5 Holiday Scams Your Employees Need To Know (Before They Cost You Thousands)
“Your Boss Needs Gift Cards” (The $3,000 Text Trap)
The scam: Cybercriminals impersonate business owners or managers—often spoofing phone numbers or faking familiar profiles—and send urgent messages to employees with instructions to purchase gift cards for “clients” or to support an impromptu “employee appreciation” gesture. These messages typically appear during high-pressure periods, like the holidays, when staff are juggling multiple priorities and less likely to question a sudden request. According to Securafy’s analysis of Q1 2024 data, 37.9% of all business e-mail compromise (BEC) incidents exploited this scheme, making it one of the most prevalent attacks targeting SMBs. Attackers count on trust, speed, and limited internal verification to quickly cash out the codes before the fraud is detected.
Prevention: Establish a documented company policy: no employee may authorize or fulfill any gift card purchase request without written approval from at least two separate managers. Reinforce this through regular awareness training, making it clear that no executive, manager, or owner will ever request gift cards by text or email, especially on short notice. Share recent examples with your team to help them spot the red flags.
Invoice & Payment Switch-Ups (The Big Money Play)
The scam: Attackers infiltrate ongoing vendor correspondence or send convincing notices about “updated banking details” just as companies are settling year-end invoices or large payments. By gaining access to internal or vendor email threads—sometimes after weeks or months of preparation—fraudsters time their swap to coincide with legitimate transaction cycles. A recent, high-profile loss: In June 2024, the Town of Arlington, MA, transferred nearly $500,000 to fraudsters after a phony payment instruction slipped in just before a deadline.
Prevention: Implement a requirement to verbally confirm any changes to vendor banking information using a trusted phone number from your records, never one provided in an unsolicited email. Adopt a “phone call rule” for all financial transactions exceeding $5,000—no exceptions. Document every change and keep a record of the verification alongside the payment request.
Fake Shipping & Delivery Notices
The scam: Employees receive emails or SMS messages that appear to be from shipping providers like UPS, FedEx, or USPS, claiming there’s an issue with a delivery or requesting that a package be rescheduled. The messages contain links leading to fake tracking sites or credential-stealing forms. With online orders and business shipments peaking during the holiday period, even experienced staff can be caught off guard.
Prevention: Train personnel to avoid clicking links in unsolicited delivery messages. Instead, instruct them to navigate directly to the carrier’s website by typing the official URL in their browser or using pre-approved bookmarks to check tracking details. Consider distributing a list of legitimate carrier sites companywide to reduce risk from spoofed messages.
Malicious “Holiday Party” Attachments
The scam: E-mails promoting holiday schedules, party invitations, or gift lists arrive with attachments named “Holiday_Schedule.pdf” or “Party_List.xls.” These files are often engineered to deliver hidden malware—such as ransomware or spyware—upon opening or by enabling macros. Attackers rely on the festive context and the appearance of workplace routine to lower scrutiny.
Prevention: Enforce policies that block macros by default and require all incoming attachments to be automatically scanned for malware. Cultivate a workplace habit of verifying any unexpected file—even if it seems to come from a known colleague—by contacting the sender through a separate communication channel. Remind staff that legitimate event details should always be shared via secure, internal systems.
Bogus Holiday Fundraisers
The scam: Threat actors impersonate real charities or fabricate matching gift campaigns that look like official company initiatives. Fraudulent emails or websites solicit donations under the guise of supporting popular causes or leveraging an employer match, preying on employees’ generosity during the holidays. These ploys are designed to harvest payment details or company credentials.
Prevention: Publish and regularly update an approved list of charity partners and ensure that all donations are routed exclusively through official company fundraising portals. Communicate to employees that sanctioned charitable campaigns will always be announced internally, never through external or personal channels. Encourage anyone unsure about a request to reach out to HR or IT for confirmation before taking action.
Why These Attacks Work (And How To Stop Them)
The very technologies businesses rely on every day—e-mail, online banking, digital payment platforms—are the same avenues cybercriminals use to infiltrate organizations. Today’s attackers don’t rely on outdated, obvious scams. Instead, they deploy highly targeted social engineering campaigns, often fueled by detailed research into your company’s personnel, processes, and seasonal workflows.
What makes these tactics so successful is their ability to mimic legitimate communications and exploit human trust—especially when teams are hurried or distracted. Without proper defenses, even diligent employees can be deceived by convincing e-mails or texts that appear to come from trusted leaders or vendors.
Fortunately, the most effective strategies for reducing risk are both practical and proven. Businesses that implement regular phishing simulations actually cut their phishing-related risk by 60%, dramatically increasing employee awareness and response. Yet, the majority of small businesses still overlook this vital training step, leaving themselves vulnerable.
Likewise, while multifactor authentication (MFA) is capable of preventing 99% of unauthorized account access, many companies have not deployed it organization-wide and continue to depend solely on passwords—despite the known risks. Addressing these gaps with focused training and layered authentication significantly increases your resilience to cyber threats and can stop most attacks before they have a chance to succeed.
Your Holiday Defense Checklist
Here’s your pre-holiday action plan to reduce risk and keep your business protected:
1. Enforce the Two-Person Verification Rule: Require that any financial transaction above your designated approval threshold receives verbal confirmation through a separate communication channel—never just email or text. This extra step ensures oversight and can thwart fraudulent payment requests disguised as urgent holiday tasks.
2. Strengthen Gift Card Controls: Make it a written company policy—no employee should fulfill gift card requests received via email or text, period. All legitimate gift card purchases must be documented and approved through your standard procurement process, closing a major loophole cybercriminals exploit during busy times.
3. Lock Down Vendor Payment Changes: Institute a practice where any vendor banking or payment info updates are confirmed by making a phone call to a trusted contact number you already have on file—not one provided in an email. Document each verification step and retain a record alongside every payment change request to ensure accountability.
4. Require Multifactor Authentication Everywhere: Enable MFA across all business-critical platforms—this includes email, banking, cloud services, and remote access tools. MFA stops the majority of unauthorized access attempts, drastically reducing your company’s exposure to account compromise.
5. Run a Holiday Scam Briefing: Assemble your team for a short training session outlining the five main holiday scams detailed above. Use recent, real-world incidents and behavioral cues to make the risks tangible. Encourage everyone to stay alert, ask questions, and share any red flags they encounter—especially during high-volume, high-pressure periods.
Taking these steps now will help your organization stay ahead of seasonal threats and protect your people, your data, and your bottom line.
The Real Cost: More Than Just Money
While Orion’s $60 million loss made headlines, the hidden costs often hit small businesses harder:
- Operations can grind to a halt during critical periods, interrupting services and delaying fulfillment when it matters most.
- Productivity is quickly lost as staff scramble to respond—shifting their focus from core responsibilities to damage control, recovery, and investigation.
- If client data is exposed or misused, the resulting erosion of customer trust can lead to lost contracts, negative reviews, and long-term reputational harm—risks few SMBs can afford.
- Even after the incident is contained, insurance premiums frequently surge, compounding financial strain at a time when resources are already stretched thin.
These are not hypothetical risks. The average loss per business e-mail compromise incident is now $129,000—an amount substantial enough to threaten the survival of many small businesses, particularly during the high-stakes holiday season when cash flow is critical and operational demands are at their peak. The fallout extends beyond immediate financial losses: missed opportunities, customer attrition, and long-term competitive disadvantages often follow, underscoring why proactive cybersecurity isn’t just a technical decision—it’s vital for business continuity and growth.
Keep Your Holidays Merry, Not Messy
The holiday season is meant for growth and meaningful milestones, not untangling the aftermath of fraud. With a focused team discussion, carefully crafted policies, and well-integrated security measures, you can build strong barriers that keep cybercriminals away from your finances and sensitive data.
Consider this: At Orion S.A., a single verification phone call could have blocked the $60 million wire fraud that crippled their operations. The takeaway for every business leader is clear—equipping your staff with security awareness and providing simple, actionable procedures isn’t optional. It’s essential protection.
As the New Year approaches, now is the time to ensure every member of your team is up to speed on the latest threats and empowered with practical defenses. Securafy can help you strengthen your safeguards in just 15 minutes. Book a discovery call with our experts; we’ll guide you through proven steps—like two-person verification, MFA rollouts, and targeted employee training—to shield your company from costly disruptions. Protect your holiday momentum and give yourself one less thing to worry about. Don’t leave your business open to criminals when vigilance is the smarter investment.
Because the best gift you can give your business this holiday season is peace of mind.