The Holiday Scam That Cost One Company $60 Million — And How to Protect Yours
Introduction
Every year, as offices begin to hum with festive plans and end-of-year goals, another kind of operation quietly intensifies — cybercrime. The holiday season, while joyous for most, is also the busiest time of the year for digital con artists.
In one stunning case that made national headlines, a single company lost $60 million in what experts now call the “Holiday Scam of the Decade.” As someone who has worked in cybersecurity for over two decades, I can tell you — that figure is not an exaggeration. I’ve seen versions of this play out in organizations both large and small, from local manufacturers in North Carolina to national logistics firms.
This post will break down what really happened, why these scams work so well, the different forms they take, and — most importantly — how you can protect your business.
What Exactly Is a Holiday Scam?
Let’s clear one misconception upfront: “holiday scams” aren’t limited to fake online stores or phishing emails targeting consumers. Businesses are increasingly the preferred victims.
A holiday scam is any fraudulent or deceptive cyber-attack that leverages the seasonal chaos — the increased workload, reduced staff, and emotional goodwill — to bypass normal controls. The scammers rely on one key factor: people drop their guard when the holidays arrive.
A common example: an accounts-payable employee gets an email that appears to be from the CEO:
“Hey [Name], we’re running short on time — can you process a quick vendor payment before the holiday? Here’s the new banking info.”
The email looks real. The signature block matches. The timing feels urgent but plausible. Within minutes, tens of thousands — sometimes millions — are gone.
That’s exactly what happened in the $60 million case: a perfect storm of trust, timing, and technology.
Why These Scams Work
After 20 years in cybersecurity, I’ve learned that technology rarely fails — humans do. Attackers understand people better than most managers do. They prey on emotion, habit, and distraction. Here’s why holiday scams are so devastatingly effective:
- Distraction and overload. December is financial year-end for many companies. Teams are rushing to close books, approve invoices, and plan bonuses, and attention is divided.
- Staff turnover and time off. Key approvers are often on vacation. Substitute staff may not know the usual process — or feel pressured not to “bother” superiors.
- Emotional manipulation. The holidays evoke generosity. Scammers know employees are more likely to approve “gift card” or “donation” requests without scrutiny.
- Urgency bias. Messages are crafted with “immediate deadlines” — “before we close today” — triggering fast reactions.
- Legitimacy camouflage. Attackers hijack real e-mail threads or vendor correspondence, so messages seem authentic.
When you combine human psychology with minimal verification controls, you have the perfect environment for social-engineering success.
Common Types of Holiday Scams Targeting Businesses
Having investigated dozens of incidents, I can tell you that while every scam feels unique, the underlying tactics repeat. Below are the most prevalent forms — each costing North Carolina businesses thousands every season.
- Gift Card Scams (“Fake CEO” Requests)
A favorite trick: an employee receives a text or e-mail from what appears to be their CEO or manager requesting urgent purchase of gift cards for clients or staff.
“Can you grab 10 Amazon cards for $200 each? I’m in meetings, send me the codes.”
Within minutes the codes are sent, the scammer vanishes, and the company is out a few thousand dollars. Gift-card codes are as good as cash: once they are redeemed there is no transaction to reverse.
Why it works: it sounds kind, festive, and authoritative. Few employees question the boss in December.
- Vendor Payment Change Fraud
This is one form of Business Email Compromise (BEC), often called vendor email compromise or payment-diversion fraud. Attackers either impersonate a legitimate vendor or, worse, send from the vendor's real mailbox after compromising it, with a message like:
“Please note our new banking details effective immediately for December payments.”
If your finance team updates the details without calling the vendor back on a number already on file, the next payment goes straight to the attacker's account. The $60 million case? Exactly this.
- Holiday Charity and Donation Frauds
Cybercriminals exploit goodwill by creating fake charity websites or spoofing known foundations. Employees feel pressured to “donate before year-end,” often through links that steal payment information or install malware.
- Phishing via Holiday Party Invites and Bonuses
In one memorable case, an HR “bonus spreadsheet” attachment turned out to be ransomware. The email had perfect branding, correct HR signatures — and a malicious macro. Within hours, servers were encrypted.
- Shipping and Delivery Scams
With shipment volume up, attackers send fake "UPS Delivery Notification" or "Reschedule Shipment" messages whose links lead to credential-harvesting pages or malware downloads. A single captured login or infected workstation gives them a foothold in logistics or inventory systems.
The True Cost of a Holiday Scam
When I talk to business owners, they often assume, "We'll just call the bank and reverse it." Unfortunately, wire transfers settle within hours and are rarely recoverable once the receiving account has been emptied; a recall has a realistic chance only if both banks are notified within roughly the first 72 hours. The real cost extends far beyond the stolen amount.
- Direct financial loss: obviously devastating, but sometimes only part of the damage.
- Operational downtime: teams halt all payments to investigate, freezing normal operations.
- Reputation damage: clients and partners lose confidence in your controls.
- Insurance impact: many cyber policies exclude social-engineering and funds-transfer fraud, or cover it only through a separate endorsement with a sub-limit far below the headline policy amount.
- Legal and regulatory exposure: if employee or vendor data is compromised, compliance penalties may follow.
- Employee morale: staff involved in the mistake often experience guilt, stress, or even turnover.
For small or mid-sized companies, especially those across Raleigh, Durham, or Fayetteville, such an incident can mean layoffs, lost contracts, or closure.
The Holiday Cybersecurity Checklist
Having performed dozens of post-incident reviews, I’ve distilled the following checklist that any North Carolina business can implement before the holidays.
- Payment and Approval Controls
- Enforce two-person (dual-control) approval for all payments above a threshold, with the approver being someone other than the person who entered the payment.
- Require out-of-band verification for any vendor bank-detail change: call the vendor back on a phone number already on file, never one supplied in the e-mail requesting the change, and record who made the call and when.
- Email Security
- Deploy multi-factor authentication (MFA) on every e-mail and financial account, preferring phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push prompts, which attackers defeat with proxy-phishing kits and prompt fatigue.
- Publish SPF and DKIM, then DMARC with an enforcing policy (p=quarantine or p=reject), so receiving mail servers discard messages that forge your exact domain. Be clear about what this does not stop: mail from a look-alike domain, and mail sent from a real vendor mailbox the attacker has taken over.
- Quarantine or flag e-mails whose Reply-To domain differs from the From domain, especially when the Reply-To is an external domain that mimics yours, and tag all mail from outside the organization with a visible banner.
- Employee Training
- Run a holiday-themed phishing simulation.
- Teach employees to pause when seeing words like urgent, confidential, immediate wire transfer.
- Make it easy — even rewarded — to report suspicious messages.
- Gift Card and Charity Policies
- Create a written policy that no executive will request gift cards via e-mail or text.
- Maintain an approved list of verified charities.
- Incident Response Preparation
- Keep a response playbook printed and accessible; if the incident is ransomware, the copy on the file server will be encrypted along with everything else.
- Confirm who is on-call during holidays.
- Maintain current bank contact numbers for fraud escalation, including the fraud desk's direct line, so a wire recall request can go out within minutes.
- System and Network Readiness
- Patch systems before December.
- Test backups and confirm you can restore quickly.
- Monitor logs for anomalous logins (new countries, impossible travel, sign-ins by staff who are on leave), newly created inbox rules that auto-forward or delete mail (a standard step after a mailbox takeover), and payee or payment changes outside the normal approval flow.
- Communication and Coverage
- Brief leadership on escalation paths.
- Review cyber-insurance fine print — ensure social-engineering fraud is included.
- Communicate preventive measures company-wide; repetition breeds awareness.
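The payment, login and mailbox items in the checklist above can be run as detection rules rather than left as policy on paper. The following is an added example written for this post, not Computerbilities' tooling and not code from the original page; the event format, the on-leave roster, the dollar threshold, the internal domain and the sample events are all constructed assumptions. In practice the events would come from your accounting system, bank portal and mail-server audit logs.

```python
"""Holiday-season control checks run as detection rules over an activity log.

Added example for the checklist above, not Computerbilities' tooling.  The
event format, the on-leave roster, the threshold and the sample events are
constructed; in practice the events come from your accounting system, bank
portal and mail server.
"""
from datetime import datetime

INTERNAL_DOMAIN = "computerbilities.com"   # assumption: your own mail domain
ON_LEAVE = {"cfo"}                         # approvers out of office this week
DUAL_CONTROL_THRESHOLD = 10_000            # dollars; above this two people sign off
PAYEE_CHANGE_WINDOW_DAYS = 30              # scrutinize payments this soon after a change


def _when(event: dict) -> datetime:
    """Parse the ISO-8601 timestamp (a trailing 'Z' means UTC)."""
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def run_checks(events, on_leave=ON_LEAVE, threshold=DUAL_CONTROL_THRESHOLD):
    """Return (rule, detail) alerts in time order for the on-call person or SIEM."""
    alerts = []
    payee_changes = {}  # vendor -> (when changed, verified by call-back?)
    for ev in sorted(events, key=_when):
        kind = ev["type"]
        if kind == "login" and ev.get("ok") and ev["user"] in on_leave:
            # An approver on vacation should not be signing in; a successful
            # login here usually means stolen credentials.
            alerts.append(("login-while-on-leave", f"{ev['user']} from {ev['ip']}"))
        elif kind == "inbox_rule":
            # Attackers add forward/delete rules right after a mailbox
            # takeover so the victim never sees the vendor's replies.
            dest = ev.get("forward_to", "")
            if dest and not dest.lower().endswith("@" + INTERNAL_DOMAIN):
                alerts.append(("external-auto-forward", f"{ev['user']} -> {dest}"))
        elif kind == "payee_change":
            verified = bool(ev.get("verified_by_call"))
            payee_changes[ev["vendor"]] = (_when(ev), verified)
            if not verified:
                alerts.append(("unverified-payee-change", f"{ev['vendor']} by {ev['by']}"))
        elif kind == "payment":
            amount = ev["amount"]
            # Two-person rule: above the threshold the approver must differ
            # from the submitter, and must exist at all.
            if amount > threshold and ev.get("approved_by") in (None, ev["submitted_by"]):
                alerts.append(("dual-control-bypassed",
                               f"{ev['vendor']} ${amount:,} by {ev['submitted_by']}"))
            changed = payee_changes.get(ev["vendor"])
            if changed and not changed[1] and (_when(ev) - changed[0]).days <= PAYEE_CHANGE_WINDOW_DAYS:
                # This is the BEC pattern itself: new bank details, then money.
                alerts.append(("payment-after-unverified-change", f"{ev['vendor']} ${amount:,}"))
    return alerts


# Constructed events for one December morning (the 2024 dates are arbitrary).
SAMPLE_EVENTS = [
    {"ts": "2024-12-19T08:55:00Z", "type": "login", "user": "ap_clerk", "ip": "198.51.100.4", "ok": True},
    {"ts": "2024-12-19T09:02:00Z", "type": "login", "user": "cfo", "ip": "203.0.113.7", "ok": True},
    {"ts": "2024-12-19T09:05:00Z", "type": "inbox_rule", "user": "cfo", "forward_to": "cfo.backup@example.net"},
    {"ts": "2024-12-19T10:11:00Z", "type": "payee_change", "vendor": "acme-parts", "by": "ap_clerk",
     "verified_by_call": False},
    {"ts": "2024-12-19T10:30:00Z", "type": "payment", "vendor": "acme-parts", "amount": 48_500,
     "submitted_by": "ap_clerk", "approved_by": "ap_clerk"},
    {"ts": "2024-12-19T11:00:00Z", "type": "payment", "vendor": "office-supply", "amount": 900,
     "submitted_by": "ap_clerk", "approved_by": "ap_clerk"},
    {"ts": "2024-12-19T11:20:00Z", "type": "payee_change", "vendor": "north-freight", "by": "ap_clerk",
     "verified_by_call": True},
    {"ts": "2024-12-19T11:45:00Z", "type": "payment", "vendor": "north-freight", "amount": 22_000,
     "submitted_by": "ap_clerk", "approved_by": "controller"},
]

if __name__ == "__main__":
    for rule, detail in run_checks(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {detail}")
```

On the sample data the run produces five alerts: the CFO's login while on leave, the external auto-forward rule created minutes later, the unverified bank-detail change for acme-parts, the $48,500 payment that one clerk both entered and approved, and that same payment going out within the change window. The north-freight change and payment produce nothing because the call-back was logged and a second person approved. The rule names are what you would route to whoever is on call over the holidays.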
How Businesses Can Protect Against Holiday Email Scams
Email remains the weapon of choice for fraudsters because it combines anonymity with credibility. In my investigations, 90% of holiday scams start with a single compromised or spoofed e-mail.
To defend effectively:
- Harden your domain: move DMARC from p=none to p=quarantine and then p=reject, using the aggregate reports (the rua= address) to confirm your legitimate senders pass SPF or DKIM alignment first, so forged mail from your exact domain is rejected at the receiver.
- Monitor for look-alike domains: attackers often register domains like computebilitles.com (notice the subtle typo).
- Isolate finance systems: keep payment systems off general email workstations; separate credentials.
- Use AI-assisted e-mail security filters that score the intent of a message (a request for a wire transfer, a change of banking details, a purchase of gift cards) and the sender's history with your organization, rather than matching keywords alone.
- Educate leadership: ironically, executives are often least trained and most impersonated. Hold short, high-impact awareness sessions for them.
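Two of the defenses above, flagging a Reply-To domain that differs from the From domain and catching look-alike registrations such as computebilitles.com, can be implemented as a small header inspector. The following is an added example written for this post, not code from Computerbilities or from any product mentioned here; the trusted-domain list, the confusable table, the edit-distance threshold and the three sample messages are constructed assumptions.

```python
"""Flag look-alike sender domains and From/Reply-To mismatches in raw e-mail.

Added example for this post, not Computerbilities' tooling.  The trusted
domains, the confusable table, the distance threshold and the sample
messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: your own domain plus every vendor you pay by wire or ACH.
TRUSTED_DOMAINS = {"computerbilities.com", "acme-parts.com"}

# Substitutions attackers rely on because the result looks the same at a
# glance.  Multi-character pairs run first so "rn" becomes "m" before the
# single-character pass; the last three are Cyrillic o, a and e.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"),
    ("\u043e", "o"), ("\u0430", "a"), ("\u0435", "e"),
]

# Levenshtein distance at or below this counts as a typo of a trusted
# domain.  Two is a common gateway default; lower it for very short domains
# or you will flag unrelated names.
MAX_EDIT_DISTANCE = 2


def normalize(domain: str) -> str:
    """Lower-case, decode punycode (IDN) and collapse confusable characters."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass  # already contains Unicode, or malformed; compare as-is
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    raw = domain.strip().lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if raw == trusted or raw.endswith("." + trusted):
            return "trusted"  # exact match or a genuine sub-domain
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize(trusted)
        brand = t.rsplit(".", 1)[0]  # "acme-parts" from "acme-parts.com"
        if norm == t or brand in norm or edit_distance(norm, t) <= MAX_EDIT_DISTANCE:
            return "lookalike"  # homograph, typo, or brand buried in another domain
    return "external"


def inspect_message(raw_message: str) -> list[str]:
    """Parse headers and return the findings a gateway rule would act on."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    if from_domain and classify_domain(from_domain) == "lookalike":
        findings.append(f"lookalike-from: {from_domain}")
    if reply_domain and reply_domain.lower() != from_domain.lower():
        findings.append(f"reply-to-mismatch: from={from_domain} reply-to={reply_domain}")
        if classify_domain(reply_domain) == "lookalike":
            findings.append(f"lookalike-reply-to: {reply_domain}")
    return findings


# Constructed sample messages (headers only; the bodies do not matter here).
SAMPLE_MESSAGES = {
    "legit": (
        "From: Dana Lee <dana@acme-parts.com>\r\n"
        "To: ap@computerbilities.com\r\n"
        "Subject: December invoice\r\n\r\nAttached.\r\n"
    ),
    "typosquat": (
        "From: Dana Lee <dana@acrne-parts.com>\r\n"  # "rn" reads as "m"
        "To: ap@computerbilities.com\r\n"
        "Subject: Updated banking details for December payments\r\n\r\n...\r\n"
    ),
    "reply_to_swap": (
        "From: CEO <ceo@computerbilities.com>\r\n"
        "Reply-To: ceo@computebilitles.com\r\n"
        "To: ap@computerbilities.com\r\n"
        "Subject: Quick vendor payment before the holiday\r\n\r\n...\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(f"{name:14s} {inspect_message(raw) or ['clean']}")
```

Run at the gateway, findings like these should add a warning banner or divert the message to a review queue rather than hard-block it, because a threshold of two edits will occasionally catch an unrelated short domain. This check is the complement of DMARC, not a substitute: DMARC stops mail that forges your exact domain, while this catches the look-alike and Reply-To tricks that DMARC cannot see.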
Why This Scam Keeps Returning Every Holiday
I once likened it to “holiday flu” — it mutates but returns annually. Why? Because it works.
Cybercriminals don’t need advanced zero-day exploits; they need one distracted employee. With modern social-engineering toolkits, attackers can spoof phone numbers, clone websites, and scrape executive details from LinkedIn in minutes.
For them, the ROI is astronomical. For you, the cost could be catastrophic.
The solution isn’t paranoia — it’s preparation.
How Computerbilities Can Help Your Business
At Computerbilities, we’ve spent over two decades helping North Carolina businesses secure their technology — from healthcare clinics and law firms to manufacturers and logistics providers. Our approach blends technology with human awareness.
Here’s how we can help protect you this holiday season:
- Holiday Security Audit: a comprehensive review of your email, payment, and vendor processes before year-end.
- Simulated Holiday Phishing Campaigns: real-world tests to identify at-risk employees and provide immediate feedback.
- Managed Detection & Response (MDR): continuous monitoring for suspicious payments, logins, and account behavior — even while your team is on vacation.
- Incident Response & Containment: if something happens, we act fast — isolating affected accounts, coordinating with banks, and minimizing damage.
- Security Awareness Workshops: tailored training sessions that combine real case studies with simple prevention tactics.
- Vendor Management Policy Implementation: we help set up structured vendor-bank-detail verification workflows.
Our philosophy is simple: technology can detect threats, but only trained people can stop them.
Lessons From the $60 Million Holiday Scam
When analyzing that headline-making loss, three lessons stand out:
- Trust needs verification. The CFO believed the email thread was legitimate — until it was too late.
- Policies must be practiced. Having a “two-person rule” on paper doesn’t help if it’s ignored under pressure.
- Awareness beats apathy. Organizations that train regularly report fewer successful incidents, because a trained employee pauses and verifies instead of reacting.
In essence: your people are either your strongest defense or your weakest link. Which they become depends entirely on how well you prepare them.
Best Practices for Companies During Holiday Scam Season
To summarize the best defensive posture:
- Treat December as “heightened threat season.”
- Require secondary approval for payments above your threshold and for every change to a payee's bank details.
- Publicize anti-gift-card-fraud policy across departments.
- Perform phishing awareness refreshers before Thanksgiving.
- Keep incident response contacts visible.
- Review insurance and coverage clauses.
- Engage your IT partner (Computerbilities or equivalent) early to patch systems and tighten permissions.
Cybersecurity isn’t a one-time project; it’s a seasonal routine.
Conclusion
The story of the company that lost $60 million isn’t a far-off cautionary tale — it’s a mirror of what can happen when vigilance takes a holiday.
As someone who has spent more than 20 years helping businesses recover from breaches, I can tell you this: the victims are rarely reckless. They’re simply human — busy, kind, and trusting.
But awareness changes everything. With structured policies, training, and proactive IT support, your organization can turn the holidays back into what they should be — a season of joy, not loss.
So this year, before you hang the lights or close the books, take an hour to review your cybersecurity checklist. Because nothing ruins the holidays like discovering your company just funded someone else’s.