Hacker Stole £700,000 From UK Energy Company by Redirecting Payment

What happened

A hacker stole £700,000 from a UK energy company after diverting a payment intended for a contractor into an attacker-controlled account. The victim, Zephyr Energy, said the theft affected one of its U.S.-based subsidiaries and disclosed the incident in a regulatory filing. The company said it is now working with banks and consultants to try to recover the diverted funds. It did not explain how the attack happened, but said the incident has been contained and that operations are continuing normally. Zephyr Energy also said it used industry-standard practices for its technology and payment platforms and has since added extra layers of security following the incident. 

Who is affected

The direct impact falls on Zephyr Energy and the subsidiary whose contractor payment was redirected. The incident centers on company funds rather than customer-facing disruption, and Zephyr Energy said operations are running normally. 

Why CISOs should care

This incident matters because it shows how a single redirected payment can create a significant financial loss even when broader business operations stay online. It also highlights the continuing risk around payment workflows, vendor transactions, and the controls used to verify banking details before funds are released. 

3 practical actions

  1. Tighten payment change controls: Require stronger validation before bank account or routing details are updated for contractor or vendor payments.
  2. Review financial workflow exposure: Assess whether email, accounting, or payment processes create openings for attackers to alter payment instructions before funds are sent.
  3. Use this as a treasury-risk scenario: Treat payment diversion as a core cyber-fraud risk, not just an accounting issue, because the financial loss can be immediate and material. 
