When a Holiday Message Becomes a Million-Dollar Mistake
Last December, an accounts payable clerk received a text from her “CEO”:
“Please pick up $3,000 in Apple gift cards for clients and email the codes right away.”
It seemed unusual, but it came from her boss’s name — and the holiday rush was on. By the time she double-checked, the scammer had already cashed out.
That loss stung. But another company’s story was far worse.
That same month, Orion S.A., a European manufacturer, received a series of “routine” payment requests that appeared legitimate — complete with accurate language, branding, and sender addresses. The result?
$60 million wired directly to cybercriminals. Half a year’s profits — gone.
Why It Matters for Nonprofits
Nonprofits often assume, “We’re too small to be a target.” Unfortunately, cybercriminals don’t see it that way.
End-of-year donations, grant deadlines, and staff time off make the holidays a prime window for cyberattacks. In 2023 alone, gift card scams cost U.S. organizations $217 million, and in 2024, business email compromise accounted for 73% of all reported cyber incidents.
These aren’t random “spam” messages — they’re social engineering attacks that exploit trust, emotion, and timing.
5 Holiday Scams Nonprofits Need to Watch
1️⃣ “Your Executive Needs Gift Cards”
The Scam: Attackers impersonate leaders, asking staff to urgently buy and send gift cards.
The Prevention: Create a written policy — no gift card purchases without two-person approval. Reinforce that executives will never request gift cards via text or personal email.
2️⃣ Vendor Payment “Updates”
The Scam: Scammers send “new banking details” for an upcoming payment.
The Prevention: Always verify payment changes through a phone call with a known contact. Require a verbal confirmation for any transfer over your organization’s threshold.
3️⃣ Fake Shipping or Delivery Notices
The Scam: Phishing emails mimic FedEx or UPS with links to “reschedule deliveries.”
The Prevention: Never click tracking links in unsolicited messages. Go directly to the carrier’s website using a saved bookmark or manual search.
4️⃣ “Holiday Party” Attachments
The Scam: Files labeled “Holiday_Schedule.pdf” or “Party_List.xls” contain malware.
The Prevention: Train staff to verify unexpected attachments and block macros across your network.
5️⃣ Fake Charity or Fundraising Appeals
The Scam: Fraudulent “charity match” or donation pages steal donor data or credit card information.
The Prevention: Publish a list of verified campaigns internally and ensure all donations flow through secure, official portals.
Why These Attacks Work — and How to Prevent Them
Cybercriminals no longer rely on brute-force hacking.
They rely on something much easier to exploit: human behavior.
The same tools that make nonprofits efficient — email, cloud storage, digital payments — also give scammers new entry points.
- Organizations that run regular phishing simulations reduce their risk by up to 60%.
- Enabling multifactor authentication (MFA) prevents 99% of unauthorized logins.
Still, most small organizations skip these simple safeguards, leaving major gaps in their cyber liability posture.
Your Holiday Cyber Readiness Checklist
✅ The Two-Person Rule: Require verbal confirmation for any transfer or purchase over a set amount.
✅ Gift Card Policy: No approvals? No gift cards.
✅ Vendor Verification: Confirm all banking or payment changes via known contacts.
✅ MFA Everywhere: Enable multifactor authentication on email, accounting, and donor databases.
✅ Staff Awareness: Spend 10 minutes reviewing these five scams before the holidays.
The Real Cost of Cyber Liability
While Orion’s $60 million loss made headlines, smaller organizations suffer the greatest impact from smaller scams.
- 📉 Operations interrupted during peak fundraising
- 💔 Donor trust damaged by a data breach
- 💸 Rising insurance premiums after an incident
- 🕒 Productivity lost during recovery
The average loss per business email compromise (BEC) incident is $129,000 — enough to derail a year-end campaign or disrupt critical services.
Keep Your Holidays Focused on Mission — Not Mayhem
The holiday season should be about celebrating your impact, not recovering from fraud.
A few proactive steps today can protect your data, your donors, and your peace of mind.
Remember, the Orion breach started with one unverified message.
A single phone call could have prevented a $60 million loss.
This year, give your team the tools to spot scams before they start — and protect the mission you’ve worked so hard to build.