Protecting AP teams from heightened scam activity during the holiday season

The holiday season, with its flurry of activity and reduced vigilance, creates fertile ground for scammers to target businesses. According to Shameela Gonzalez, Financial Services Lead at CyberCX, this period sees a significant rise in cyberattacks, including ransomware, phishing, and business email compromise (BEC) scams.

Below, we explore common holiday scam trends, warning signs for accounts payable (AP) teams, and best practices for mitigating risks during this busy time.

Scammers often exploit the holiday season's reduced alertness. BEC scams, in which fraudsters impersonate vendors or internal stakeholders to trick AP teams into redirecting payments to illegitimate accounts, remain a critical concern for businesses.

Phishing emails (often disguised as urgent payment requests) are another prevalent tactic. These schemes rely on employees being distracted during the holidays, including by the often chaotic rush to wrap up loose ends before the end of the calendar year.

Fraudsters also use deepfake technology to impersonate company executives, in one famous case leading a finance worker to transfer millions into a fraudulent account. This scam, like many others, is often a type of BEC tactic.

And those tactics cost organizations millions. According to the FBI’s 2024 IC3 report, Business Email Compromise (BEC) remains one of the most costly cybercrimes in the US, with 21,442 reported incidents causing approximately $2.77 billion in losses in 2024 alone. Despite relatively low volumes compared to other scams, BEC’s ability to exploit trusted business processes results in outsized financial damage.

And the problem is worldwide. FBI IC3 data shows that over 305,000 BEC incidents globally have led to more than $55 billion in exposed losses, impacting organizations across 180+ countries.

What AP teams should look out for

AP teams should remain vigilant for:

  • Unusual payment requests: Particularly those claiming urgent deadlines or requesting changes to vendor banking details.

  • Emails with slight anomalies: This includes subtle typos, mismatched sender addresses, or an unfamiliar tone.

  • Requests from unknown or unexpected sources: Fraudsters often impersonate trusted brands or government agencies to lend credibility to their requests.

As Gonzalez notes, "Businesses should operate under the assumption that scam attempts are constant. When AP teams maintain this mindset, they can detect and mitigate threats more effectively."

Preparing AP teams to respond to scams

Preparation is key to mitigating financial and reputational damage caused by scams. Gonzalez highlights the importance of implementing crisis plans that include the following elements:

  • Incident response protocols: Identify the bare-minimum team required to make quick decisions if fraud occurs.

  • Supplier and customer communication plans: Ensure key contacts are documented and accessible in case systems are compromised.

  • Automated alerts and monitoring: Use tools that detect anomalies and send immediate notifications.

Additionally, AP teams should conduct pre-holiday risk assessments to identify potential vulnerabilities and strengthen weak points.

Best practices for scam prevention during the holidays

Implementing consistent processes can significantly reduce the likelihood of falling victim to scams. Here's a checklist of best practices for AP leaders recommended by Gonzalez:

  1. Enable multi-factor authentication (MFA): Add a critical layer of security to payment systems and other key platforms.

  2. Restrict access based on roles: Ensure only authorized personnel can access sensitive financial systems and information.

  3. Regularly review vendor records: Validate vendor details and verify any changes to banking information directly with the supplier.

  4. Educate employees: Conduct holiday-specific training to increase awareness of common scams and phishing tactics.

  5. Implement payment verification protocols: Require dual approval or additional verification for high-value transactions.

  6. Automate processes where possible: Use technology to reduce manual errors and identify suspicious activity.

  7. Maintain regular backups: Secure critical financial data to minimise downtime in case of a breach.

  8. Monitor transactions closely: Encourage employees to review bank statements frequently and flag unusual activity immediately.
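
As an added illustration (not part of the original article or any vendor's product code), the warning signs listed under "What AP teams should look out for" and checklist items 3 and 5 can be combined into an automated hold rule. The vendor record, the urgency word list and the 10,000 dual-approval threshold are constructed assumptions.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed vendor master record (sample data, not from the article).
VENDOR_MASTER = {
    "V-1001": {"domain": "acme-supplies.example", "bank_account": "111-222-333"},
}
URGENCY_TERMS = ("urgent", "immediately", "asap", "before close of business")
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value


@dataclass
class PaymentRequest:
    vendor_id: str
    from_header: str
    subject: str
    bank_account: str
    amount: float
    approvers: tuple = ()


def review(req: PaymentRequest) -> list[str]:
    """Return the reasons a request must be held for out-of-band verification."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown_vendor"]
    flags = []
    # Compare the real address, not the display name, which the sender controls.
    _, addr = parseaddr(req.from_header)
    if addr.rpartition("@")[2].lower() != vendor["domain"]:
        flags.append("sender_domain_mismatch")
    # Any change to stored banking details is verified directly with the supplier.
    if req.bank_account != vendor["bank_account"]:
        flags.append("bank_details_changed")
    if any(term in req.subject.lower() for term in URGENCY_TERMS):
        flags.append("urgency_language")
    # The same person approving twice does not count as dual approval.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        flags.append("needs_dual_approval")
    return flags


# Constructed sample requests: one routine, one with a lookalike sender domain.
LEGIT = PaymentRequest("V-1001", "Acme Accounts <ar@acme-supplies.example>",
                       "Invoice 4471", "111-222-333", 2500.0)
SUSPECT = PaymentRequest("V-1001", "Acme Accounts <ar@acme-suppliies.example>",
                         "URGENT: updated bank details", "999-888-777", 48000.0, ("jlee",))
```

A request that returns any flag is held until the change is confirmed through a contact already on file, not through details supplied in the request itself.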

Practical advice for AP leaders

To mitigate risks, businesses must prioritise education and preparation. Gonzalez advises, "Never assume your business won't be targeted. Fraudsters don't take holidays. The key is building processes that reduce reliance on human judgement alone."

Additionally, AP leaders should:

  • Foster a culture of vigilance: Encourage employees to trust their instincts. If something feels "too good to be true," it likely is.

  • Stay updated on scam trends: Regularly review reports from the National Anti-Scam Centre to understand evolving tactics.

  • Collaborate with IT and security teams: Ensure AP systems are protected with effective cybersecurity measures, such as endpoint protection and penetration testing.

Author: Catherine Chipeta

Published: 18 Dec 2025
