Finish Strong by Being Prepared: Holiday-Ready IT for the Pacific Northwest (Part 1 of 4)
December is the peak-risk month. Last year, gift-card schemes drained $217 million from businesses. In a single month, a manufacturer lost $60 million to bogus wire requests. Early 2024 data shows 37.9% of business e-mail compromise (BEC) incidents involved gift cards. This guide shows your team how these scams work, the simple controls that stop them, and a short Pacific Northwest checklist you can run this week.
What You’ll Get In Part 1 of The November Series
- Five fast-moving holiday scams in Scam / Prevention format
- Why they work and the exact friction points that stop them
- A short story from a Corvallis/Albany financial institution
- A practical checklist for Oregon, plus Seattle, Boise, Cheyenne, Phoenix, and NorCal offices
5 Holiday Scams Your Team Must Recognize
1) “Your Boss Needs Gift Cards … Now.” (The $3,000 Text Trap)
- The scam: Impostors spoof an owner or exec and pressure staff to buy gift cards for “clients” or “employee appreciation,” then demand the codes by text or e-mail.
- Prevention: Put it in writing - no gift cards via text or e-mail. Require two approvals for any gift-card purchase. Teach staff that leaders never request codes.
2) Invoice & Payment Switch-Ups (The Big Money Play)
- The scam: Criminals hijack vendor threads or send polished “updated banking details” right before year-end bills go out.
- Prevention: Any bank detail change over your threshold triggers a call-back using the number already on file - never the one in the message. Add a second approver.
3) Fake Shipping & Delivery Notices
- The scam: “Reschedule delivery” links from fake UPS/FedEx/USPS messages that steal credentials.
- Prevention: Bookmark official carrier portals and type addresses directly. Don’t click shipping links in messages.
4) Malicious “Holiday Party” Attachments
- The scam: Files like pdf or Party_List.xls drop malware or pop credential prompts.
- Prevention: Block macros, scan all attachments, and build a habit of verifying unexpected files with the sender via a separate channel.
5) Bogus Holiday Fundraisers
- The scam: Look-alike donation pages that mimic real charities or pretend to be your company match portal.
- Prevention: Publish an approved charity list and route all giving through official links.
Quick help: Want a rapid, plain-English gap review? Book a Free Security Assessment via IT Assessments & Strategy Consulting: https://www.10dtech.com/services/it-assessments-consulting
10D Tech is your Oregon-based IT & cybersecurity partner (offices in Corvallis and Portland), serving Oregon & SW Washington.
Corvallis/Albany/Eugene/Bend (541) 243-4103 • Portland/Salem (503) 971-9103
Why These Attacks Work … And Easy Ways To Block Them
- Speed + authority pressure. Add friction where it counts: a two-person rule and separate-channel call-backs.
- Credential reuse. Turn on MFA for Microsoft/Google, banking, and cloud apps this week.
- Untrained moments. Short simulations and two monthly micro-tips keep the topic fresh.
Need hands-on help? Managed Cybersecurity can harden policies and monitor trouble spots: https://www.10dtech.com/services/managed-cybersecurity
Example: Alex’s November Wake-Up Call
Alex is COO at Sage Brush Financial, a 68-person organization with admin offices in Corvallis and Albany. On November 15, Accounts Payable received an e-mail, apparently from a long-time vendor, asking to update ACH details “before Friday’s run.” It referenced a real contract and used the right jargon. The finance system paused the change for dual approval, which triggered the call-back rule. A phone call to the known number: “No changes here.” Fraud stopped.
That same week, two branch managers got texts “from the CEO” asking for Apple gift cards for “member appreciation.” Thanks to a no-gift-cards-by-text policy, both reported the messages. Alex tightened controls: MFA on all mailboxes, a second approver for bank changes over $5,000, and positive pay on ACH.
- Two attempts. Zero losses. Big win.
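The hold-and-release logic behind that story, as an added example (not 10D Tech's code or any finance product's API): a bank-detail change over the threshold stays on hold until a call-back to the number on file confirms it and a second approver signs off. The class names, field names, the $5,000 constant, and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

THRESHOLD_USD = 5_000  # assumption: the $5,000 figure from the story; tune to your invoices

@dataclass
class CallBack:
    number_dialed: str
    verified_by: str        # who verified, and when: kept for the audit record
    verified_at: datetime
    vendor_confirmed: bool

@dataclass
class BankChange:
    vendor: str
    amount_usd: float       # assumption: value of the payments the change affects
    phone_on_file: str      # from the vendor master record, never from the message
    approvers: set = field(default_factory=set)
    callback: Optional[CallBack] = None

def digits(phone: str) -> str:
    """Compare phone numbers by digits only, so formatting differences don't matter."""
    return "".join(ch for ch in phone if ch.isdigit())

def blocking_reasons(req: BankChange) -> list:
    """Reasons the change stays on hold; an empty list means it may be released."""
    if req.amount_usd <= THRESHOLD_USD:
        return []
    reasons = []
    if req.callback is None:
        reasons.append("no call-back recorded")
    else:
        if digits(req.callback.number_dialed) != digits(req.phone_on_file):
            reasons.append("call-back did not use the number on file")
        if not req.callback.vendor_confirmed:
            reasons.append("vendor did not confirm the change")
    if len(req.approvers) < 2:
        reasons.append("second approver missing")
    return reasons

# Constructed sample data (not from a real incident); 555 numbers are placeholders.
ON_FILE = "(541) 555-0100"
WHEN = datetime(2024, 11, 15, 10, 30)
denied = BankChange("Vendor A", 18_000, ON_FILE, {"ap_clerk"},
                    CallBack("541-555-0100", "ap_clerk", WHEN, vendor_confirmed=False))
spoofed = BankChange("Vendor A", 18_000, ON_FILE, {"ap_clerk", "coo"},
                     CallBack("541-555-0199", "ap_clerk", WHEN, vendor_confirmed=True))
verified = BankChange("Vendor A", 18_000, ON_FILE, {"ap_clerk", "coo"},
                      CallBack("541-555-0100", "coo", WHEN, vendor_confirmed=True))
```

The `spoofed` record is the case the call-back rule exists for: someone answered and confirmed, but the number dialed came from the message, so the change stays on hold.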
Holiday Defense Checklist
- Two-Person Rule + call-back for payment/bank changes
- No gift cards via text/e-mail; two approvals required
- MFA on Microsoft/Google, banking, and cloud
- Mail rules flagging “urgent,” “wire,” “gift cards,” “bank change”
- Bank controls: dual-control, transaction limits, anomaly alerts
- A written incident plan and a 24/7 contact for Emergency IT Support & Incident Response: https://www.10dtech.com/services/emergency-it-support
Want micro-trainings your team will actually read? IT Help Desk & Remote Support can drop three bite-size drills into your comms this month: https://www.10dtech.com/cyber-security-tip-of-the-week/
Ready To Act?
Keep scammers out of your holiday budget. Get a fast review of approvals, MFA, and vendor verification, built for your team.
Book Your Free Security Assessment
FAQs You Can Use
- Q1: What dollar amount should trigger dual approval and a call-back?
- Start at $2,500–$5,000 so you catch meaningful payments without jamming routine buys. Adjust to your average invoice size. (Need help? See Managed Cybersecurity.) https://www.10dtech.com/services/managed-cybersecurity
- Q2: How do we verify a vendor’s new bank details safely?
- Call a known number already on file (not the one in the e-mail). Confirm the change verbally, then document who verified and when. (Process templates via IT Assessments & Strategy Consulting.) https://www.10dtech.com/services/it-assessments-consulting
- Q3: We’re only 15 people, who should be the second approver?
- Owner/partner, admin manager, COO, or IT manager. Most accounting tools support dual control even for small teams. (Managed IT Services can configure this.) https://www.10dtech.com/services/managed-it-services/
- Q4: If we can only do one thing this week, what is it?
- Turn on MFA for Microsoft/Google, banking, and key cloud apps. It blocks most account takeovers. (Managed Cybersecurity can roll this out fast.) https://www.10dtech.com/services/emergency-it-support
- Q5: How do we keep staff aware without long trainings?
- Run a quarterly phishing simulation plus two bite-size tips each month (screenshots + a 60-second read). (IT Help Desk & Remote Support can load these for you.) https://www.10dtech.com/services/it-help-desk-support



