The scams that empty a company's account at the holidays don't break in. Someone inside hands over the money. A few simple verification rules stop nearly all of them.
Last December, an accounts payable clerk at a midsize company got an urgent text that looked like it came from her CEO. Buy $3,000 in Apple gift cards for clients, scratch off the codes, email them over. She had doubts. The holiday rush made it feel real enough, so she sent them. By the time anyone caught it, the money was gone.
Orion S.A., a Luxembourg-based chemical manufacturer, lost far more the same month. An employee got emails posing as trusted colleagues asking for urgent wire transfers. The messages matched the way the company normally moved money, so the transfers went through with no questions. The total was $60 million, more than half of Orion's annual profits.
Plenty of Mac-based small businesses assume this is someone else's problem. It isn't. Gift card scams alone cost businesses over $217 million in 2023, and by 2024, 73% of cyber incidents involved business email compromise. The holidays give attackers exactly what they need: distracted people and a flood of legitimate-looking transactions to hide inside.
The five scams that show up every December
The urgent gift card request
A message impersonates an executive and pushes an employee to buy gift cards for clients or staff incentives, fast. This one move accounted for nearly 38% of business email compromise cases in early 2024. Stop it with a flat rule: any gift card purchase needs two separate approvals, and executives never ask for gift cards by email or text. Train people on that second part so they recognize the request as a scam on sight.
The swapped invoice or payment details
As year-end bills pile up, attackers send invoices with their own bank details or quietly hijack a real vendor's email thread. Arlington, Massachusetts lost nearly $500,000 this way in June 2024. The defense is a phone call. Verify any new or changed banking information by calling a contact you already know, never a number printed in the email, and make that call mandatory for any financial change above $5,000.
The fake shipping notification
Emails and texts pretend to be UPS, FedEx, or USPS and push you to click a link to "reschedule delivery." The link is the trap. Teach your team to skip it and go to the carrier's site directly, by typing the address or using a bookmark.
The malicious holiday invite
An attachment named something harmless like "Holiday_Schedule.pdf" or "Party_List.xls" runs malware the moment it opens. Disable macros, scan attachments before opening them, and tell people to confirm any unexpected file with the sender before they touch it.
The fake fundraiser
Scammers stand up fake charity sites or invent a company donation match to grab money or personal data while people feel generous. Give your team a short list of charities you've already vetted, and route every donation through an official, secured portal.
Why they keep working
These aren't sloppy spam blasts. Attackers research your company first, then write messages that match how you actually operate. That's what gets past a busy employee.
Two cheap habits cut most of the risk. Companies that run regular phishing drills lower their risk by up to 60%, and multifactor authentication blocks 99% of unauthorized logins. A lot of small Mac businesses skip the training and still get by on passwords alone. That's the gap attackers count on.
Your holiday checklist
Put these in place before the rush starts:
- Verify big transactions twice. For anything over your threshold, require a verbal approval through a separate channel.
- Ban gift cards by message. Write a policy that forbids buying gift cards on the strength of a text or email, and enforce it.
- Call to confirm vendor changes. Verify any banking or payment change by phone, using a number you already have on file.
- Turn on MFA everywhere. Enable multifactor authentication on email, banking, and every cloud account.
- Walk the team through these five. Show real examples so people know the scams when they land.
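The rules in this checklist, encoded as a small approval gate that accounts payable can run before releasing a payment. This is an added example written for this page, not code from the article or any product; the vendor directory, the request fields and the three scenarios are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

CALLBACK_THRESHOLD_USD = 5_000  # the article's "any financial change above $5,000"
# Constructed vendor directory: the phone numbers you already have on file.
VENDOR_DIRECTORY = {"acme-supply": "+1-555-0100"}

@dataclass
class PaymentRequest:
    kind: str                      # "gift_card" | "wire" | "invoice"
    amount_usd: float
    channel: str                   # how the request arrived: "email", "text", "ticket"
    approvers: Set[str] = field(default_factory=set)
    vendor: Optional[str] = None
    new_bank_details: bool = False             # invoice or thread carries changed banking info
    confirmed_by_call_to: Optional[str] = None  # number actually dialled to verify, if any

def review(req: PaymentRequest) -> List[str]:
    """Return the policy violations; an empty list means the request may proceed."""
    problems: List[str] = []
    if req.kind == "gift_card":
        # Executives never ask for gift cards by email or text, so the request itself is the tell.
        if req.channel in ("email", "text"):
            problems.append("gift card requested by email/text: treat as a scam and report it")
        if len(req.approvers) < 2:
            problems.append("gift card purchase needs two separate approvals")
    if req.new_bank_details:
        on_file = VENDOR_DIRECTORY.get(req.vendor or "")
        if on_file is None:
            problems.append("vendor has no number on file: cannot verify the change")
        elif req.confirmed_by_call_to != on_file:
            # A call to the number printed in the email confirms nothing.
            problems.append("banking change not confirmed by calling the number on file")
    if req.amount_usd > CALLBACK_THRESHOLD_USD and req.confirmed_by_call_to is None:
        problems.append("amount above threshold without verbal approval on a separate channel")
    return problems

# Constructed scenarios mirroring the article's two opening stories.
CEO_GIFT_CARD_TEXT = PaymentRequest("gift_card", 3_000, "text", {"ap_clerk"})
HIJACKED_INVOICE = PaymentRequest("invoice", 48_000, "email", {"ap_clerk", "controller"},
                                  vendor="acme-supply", new_bank_details=True,
                                  confirmed_by_call_to="+1-555-0199")  # number taken from the email
VERIFIED_INVOICE = PaymentRequest("invoice", 48_000, "email", {"ap_clerk", "controller"},
                                  vendor="acme-supply", new_bank_details=True,
                                  confirmed_by_call_to="+1-555-0100")  # number on file

if __name__ == "__main__":
    for name, req in [("ceo text", CEO_GIFT_CARD_TEXT), ("hijacked", HIJACKED_INVOICE),
                      ("verified", VERIFIED_INVOICE)]:
        print(name, review(req) or ["ok"])
```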
The money is only the start of it
Orion's $60 million made headlines. For a small business, the damage is quieter but still real. The breach hits during your busiest sales weeks and stalls operations. Staff drop their work to chase it down. Customers lose confidence if their data leaks. And your insurance premiums climb afterward.
Business email compromise costs small businesses $129,000 on average. During the holidays, a hit like that can sink a company.
None of this takes expensive tools. It takes training, a few clear policies, and MFA on every account that matters. The one verification call Orion never made would have saved them millions. Build that habit into your team now, and the holiday rush stays a rush instead of a crisis.