How One Firm Lost $60 Million Over the Holidays (And What CPA Owners in Salt Lake Can Learn From It)
Last December, a staff accountant at a mid-sized financial firm got a text from her “Managing Partner”: Buy $2,000 in Amazon gift cards for client appreciation gifts. Scratch the backs and email the codes.
She didn’t question it. It was the holiday rush. She was juggling audits, 1099s, and year-end reconciliations. By the time she double-checked, the scammer had already drained the cards.
But that was a small hit compared to what happened to Orion S.A., a global firm that lost $60 million when an employee fell for a phishing email disguised as a vendor request. The email looked normal. The request felt routine. A few wire transfers later, over half the company’s annual profits were gone.
Still think your Salt Lake CPA firm is too small to be a target? Think again.
Gift card scams alone cost businesses over $217 million in 2023. Business email compromise (BEC) made up 73% of cyberattacks in 2024.
And the holidays? They’re open season. You’re short-staffed. Everyone’s distracted. And cybercriminals know exactly how to exploit that.
5 Holiday Scams Every Salt Lake CPA Firm Needs To Spot Before It’s Too Late
- The "Managing Partner" Gift Card Scam
The setup: Someone impersonates you (or your partners) and pressures staff to buy gift cards for "clients" or "holiday bonuses."
Why it works: Your team is moving fast. They want to help. And the email or text looks real.
What to do: Set a firm-wide policy: No gift card requests via text or email. Ever. Require dual approval for all gift card purchases.
- Vendor Payment Switch-Ups
The setup: A hacker mimics a trusted vendor or software provider (like your cloud accounting platform) and sends a "new banking info" email right before payment is due.
Real story: In 2024, a city in Massachusetts lost nearly $500K this way.
What to do: Confirm all payment changes with a phone call—using the number you already have on file, not the one in the email.
- Fake Shipping Notifications
The setup: A phishing link disguised as a package delivery notice from FedEx, UPS, or USPS.
Why it works: During the holidays, everyone is expecting deliveries. Clicks happen fast.
What to do: Train staff to never click links in shipping emails. Go directly to the shipper’s website. Bookmark them.
- Malicious "Holiday Party" Attachments
The setup: An email titled "Holiday_Schedule.pdf" or "Employee_Gift_List.xls" with an attachment that hides malware.
What to do: Disable macros. Never open unexpected attachments. Scan everything first.
- Bogus End-of-Year Charity Campaigns
The setup: Fake websites posing as real charities or company-sponsored donation matches.
Why it works: CPAs are generous. Many give this time of year. Scammers count on it.
What to do: Share a vetted list of approved charities with your team. Make sure all donations go through verified platforms.
Why These Attacks Work So Well (Especially on CPA Firms)
Let’s be real: You rely on the very tools these hackers are exploiting.
- Email? That’s your primary communication hub.
- Online banking? Standard operating procedure.
- Client portals and digital signatures? All part of the job.
But those same tools make you vulnerable if you don’t have the right protections in place. And most Salt Lake CPA firms don’t.
Here’s the scary part: Firms that implement phishing simulations lower their cyber risk by 60%. But most CPAs we talk to have never done a single one.
Even worse? Multifactor authentication (MFA) blocks 99% of unauthorized logins—and yet many CPA firms still rely solely on passwords.
Your Salt Lake Holiday Cybersecurity Checklist
Before the holiday madness hits, check these boxes:
- The Two-Person Rule
For any transaction over $2,500, require a verbal confirmation through a second channel (phone, internal chat, etc.).
- Clear Gift Card Policy
Put it in writing: Partners never request gift cards via text or email.
- Vendor Payment Verification Protocol
Confirm all banking info changes by phone using a pre-approved vendor contact list.
- Mandatory MFA
Enable multifactor authentication across email, remote logins, and cloud platforms.
- 15-Minute Security Huddle
Hold a quick team training. Walk them through these five scams. Show them real examples.
It’s Not Just the Money You’re Risking
Let’s say a scammer steals $100,000 from your firm. That’s brutal.
But the real cost?
- Operations grind to a halt during year-end close
- Clients panic about data exposure
- Your reputation takes a hit
- Cyber insurance premiums spike
The average business email compromise attack costs $129,000. That kind of hit can tank a mid-sized CPA firm just as you're preparing for tax season.
Salt Lake CPAs: Stay Protected This Holiday Season
You didn’t become a CPA to fight cybercrime. But if you don’t take basic precautions, you’re making your firm a sitting duck.
The good news? It doesn’t take much to get protected.
- A 15-minute training
- A few policy updates
- The right IT partner backing you up
At Qual IT, we specialize in cybersecurity and managed IT services for CPA firms in Salt Lake City. We understand your deadlines. Your compliance requirements. And your need for zero downtime.
Want to make sure your firm’s secure before the holidays hit full swing?
Click here to book your free network assessment.
Because the best gift you can give your firm this year is peace of mind.
--
Austin McDonald, Qual IT
Helping Salt Lake CPAs lock down their tech, stay compliant, and sleep better at night.

