
Energy Company Loses £700,000 in a Single Payment Fraud — How to Stop It Happening to Your Business

A UK-listed energy company has just lost £700,000 in a single transaction — not because its network was hacked, not because of ransomware, but because attackers quietly redirected a routine contractor payment into their own bank account. Zephyr Energy disclosed the incident on 9 April 2026, confirming that one of its American subsidiaries was targeted in what it called a highly sophisticated attack.

This type of fraud — known as payment diversion fraud or business email compromise (BEC) — is one of the most financially damaging cyber threats facing businesses today, and it does not require any technical hacking at all. If your business pays invoices, you are a target.


What Happened to Zephyr Energy?

According to the company's public disclosure, attackers intercepted the payment process for a legitimate contractor invoice. Instead of the funds reaching the intended recipient, they were diverted to a third-party account controlled by the attackers. The company only discovered the diversion after the money had already been sent.

Zephyr has since notified law enforcement and is working with banks and external consultants to attempt recovery. However, in these cases, recovery is far from guaranteed — once funds begin moving between accounts, they can be dispersed or withdrawn within hours.

The company has stated that its systems have been reviewed, the incident has been contained, and day-to-day operations remain unaffected. Additional security controls have been implemented, though the specifics have not been disclosed.

How Does Payment Diversion Fraud Work?

This type of attack typically follows a simple but effective pattern:

  1. Reconnaissance: Attackers research your business, identify who handles payments, and learn which suppliers or contractors you work with. This information is often publicly available or obtainable through phishing.
  2. Email compromise: The attacker gains access to a legitimate email account — either yours or your supplier's. This might happen through phishing, credential stuffing, or exploiting weak passwords.
  3. The switch: At the right moment, the attacker sends an email (from the compromised account, or from a convincing lookalike address) requesting a change to the supplier's bank details. The email looks entirely legitimate because it often is from a legitimate account.
  4. The payment: Your finance team processes the next invoice using the new bank details. The money goes to the attacker's account instead of the supplier.
  5. The discovery: The fraud is usually only discovered when the real supplier chases the unpaid invoice — by which point the money has gone.

Why This Should Worry Every Small Business

You might think that a £700,000 fraud only happens to large companies. But the technique is exactly the same whether the payment is £700,000 or £7,000. In fact, smaller businesses are often more vulnerable because they have fewer controls around payment processes.

Consider how payments work in your business right now:

If any of those questions made you uncomfortable, you have work to do.

How to Protect Your Business

1. Verify Every Bank Detail Change by Phone

This is the single most effective defence. If anyone — a supplier, contractor, landlord, or even a colleague — sends you new bank details by email, always confirm the change by calling them on a known, trusted phone number. Do not use the phone number in the email requesting the change, as the attacker may have included their own number.

2. Implement Dual Authorisation for Payments

No single person should be able to both set up a new payee and authorise a payment to that payee. Segregation of duties is one of the oldest controls in finance, and it exists precisely to prevent this type of fraud.

3. Secure Your Email

Email compromise is the gateway to payment fraud. At a minimum, enable multi-factor authentication on all email accounts, use strong unique passwords, and monitor for unusual sign-in activity. If you use Microsoft 365 or Google Workspace, both offer security features that many small businesses never turn on.
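The "monitor for unusual sign-in activity" advice above, worked through as an added example (this is not code from the article, nor a Microsoft 365 or Google Workspace feature): a small Python detector run over a constructed sign-in log. The log format, the user, country and IP values, and the thresholds (five failures within ten minutes, a two-hour window for impossible travel) are assumptions made for the example; in practice the same fields come from the mail platform's sign-in audit export.

```python
"""Unusual sign-in detection for mailbox accounts (added example, constructed log).

Three signals that are cheap to compute from any sign-in audit export:
  - a successful sign-in from a country never seen before for that user;
  - "impossible travel": two successes from different countries too close together;
  - a burst of failures from one address followed by a success from the same address,
    the trace that password-guessing and credential-stuffing tools leave behind.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time,user,country,source_ip,outcome (format is an assumption).
SAMPLE_LOG = """\
2026-04-01T08:02:11Z,finance@example.co.uk,GB,198.51.100.10,success
2026-04-01T09:15:40Z,finance@example.co.uk,GB,198.51.100.10,success
2026-04-02T08:05:02Z,finance@example.co.uk,GB,198.51.100.10,success
2026-04-03T02:40:01Z,finance@example.co.uk,US,203.0.113.77,failure
2026-04-03T02:40:09Z,finance@example.co.uk,US,203.0.113.77,failure
2026-04-03T02:40:17Z,finance@example.co.uk,US,203.0.113.77,failure
2026-04-03T02:40:25Z,finance@example.co.uk,US,203.0.113.77,failure
2026-04-03T02:40:33Z,finance@example.co.uk,US,203.0.113.77,failure
2026-04-03T02:41:02Z,finance@example.co.uk,US,203.0.113.77,success
2026-04-03T03:10:00Z,finance@example.co.uk,GB,198.51.100.10,success
2026-04-03T08:00:00Z,ops@example.co.uk,GB,198.51.100.11,success
"""


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV-style lines into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, ip, outcome = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country, "ip": ip, "outcome": outcome})
    return events


def detect_anomalies(events, travel_window=timedelta(hours=2),
                     failure_threshold=5, failure_window=timedelta(minutes=10)):
    """Return (signal, user, iso_time) tuples, processing events in time order."""
    alerts = []
    seen_countries = defaultdict(set)    # user -> countries with a prior success
    last_success = {}                    # user -> most recent successful event
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps in window
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["user"], e["ip"])
        # Drop failures that have aged out of the window before looking at this event.
        recent_failures[key] = [t for t in recent_failures[key] if e["time"] - t <= failure_window]
        if e["outcome"] != "success":
            recent_failures[key].append(e["time"])
            continue
        when = e["time"].isoformat()
        if len(recent_failures[key]) >= failure_threshold:
            alerts.append(("failures_then_success", e["user"], when))
        recent_failures[key] = []
        if seen_countries[e["user"]] and e["country"] not in seen_countries[e["user"]]:
            alerts.append(("new_country", e["user"], when))
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= travel_window:
            alerts.append(("impossible_travel", e["user"], when))
        seen_countries[e["user"]].add(e["country"])
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for signal, user, when in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when} {user}: {signal}")
```

On the constructed log this raises three alerts for the finance mailbox (a failure burst ending in success, a first-ever country, and a return to the usual country 29 minutes later) and nothing for the ops account. The first user sign-in from a new country is noisy on its own; the value is in the combination, which is why the three signals are reported separately so a reviewer can correlate them.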

4. Train Your Team

Your finance team, office manager, and anyone else who handles payments need to understand how this fraud works. Run through a real-world scenario with them. Show them what a fraudulent bank detail change request looks like. Make it clear that verifying by phone is not optional — it is policy.

5. Review Your Supplier Onboarding Process

When you first set up a new supplier, verify their bank details as part of the onboarding process. Keep a record of verified details and flag any subsequent changes for mandatory phone verification.

6. Check Your Insurance

Some business insurance policies cover cyber-related financial losses, but many do not. Review your policy to understand what is and is not covered. Cyber insurance is increasingly affordable for small businesses and can provide a vital safety net.

What to Do If You Think You Have Been a Victim

Speed is everything. If you suspect a payment has been diverted:

  1. Contact your bank immediately. Ask them to recall the payment. The sooner you act, the better the chance of recovery.
  2. Report to Action Fraud (0300 123 2040 or actionfraud.police.uk) — this is the UK's national reporting centre for fraud and cyber crime.
  3. Notify your supplier so they can check whether their own email has been compromised.
  4. Preserve evidence. Do not delete the fraudulent emails. Forward them to your IT support or cyber security adviser.
  5. Review all recent payments to check for any other diversions you may not have noticed.
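Controls 1, 2 and 5 from the "How to Protect Your Business" section (confirm a bank-detail change only on the phone number already held on file, keep payee setup and payment authorisation with different people, keep a verified record from onboarding) and step 5 of the checklist above (review recent payments for other diversions), as one added Python example. This is not the article's code or any real finance system; the payee name, account identifiers, staff names and phone numbers are constructed, and the in-memory register stands in for the accounts-payable vendor master file.

```python
"""Payee-change control and payment reconciliation (added example, constructed data).

Encodes three of the controls discussed above:
  1. a bank-detail change is accepted only if confirmed by calling the phone number
     already on file, never the number offered in the request;
  2. the person who set up or last changed a payee cannot authorise a payment to it;
  5. every payee has a verified record from onboarding, and later payments are
     reconciled against it to surface any diversion.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Payee:
    name: str
    account: str      # bank account currently verified for this payee
    known_phone: str  # captured at onboarding; never updated from an email
    set_up_by: str    # staff member who created or last changed the record


@dataclass
class ChangeRequest:
    payee: str
    new_account: str
    phone_in_request: Optional[str]  # number the email offers "for confirmation"
    called_number: Optional[str]     # number staff actually dialled
    confirmed_by: str                # staff member who made the call


@dataclass
class Payment:
    payee: str
    account: str
    amount: float
    authorised_by: str


class PayeeRegister:
    """In-memory stand-in for the vendor master file (assumption for the example)."""

    def __init__(self) -> None:
        self.payees: dict[str, Payee] = {}
        self.log: list[str] = []

    def onboard(self, payee: Payee) -> None:
        self.payees[payee.name] = payee
        self.log.append(f"ONBOARD {payee.name} account={payee.account} by={payee.set_up_by}")

    def apply_change(self, req: ChangeRequest) -> bool:
        """Control 1: accept new bank details only if confirmed on the number on file."""
        current = self.payees.get(req.payee)
        if current is None:
            self.log.append(f"REJECT change: unknown payee {req.payee}")
            return False
        if req.called_number != current.known_phone:
            self.log.append(f"REJECT change for {req.payee}: confirmation call went to "
                            f"{req.called_number!r}, not the number on file {current.known_phone!r}")
            return False
        if req.phone_in_request and req.phone_in_request != current.known_phone:
            # A request that supplies its own "confirmation" number is a classic red flag.
            self.log.append(f"WARN {req.payee}: request carried a different number {req.phone_in_request!r}")
        self.payees[req.payee] = Payee(current.name, req.new_account, current.known_phone, req.confirmed_by)
        self.log.append(f"ACCEPT change for {req.payee} -> {req.new_account} by {req.confirmed_by}")
        return True

    def authorise(self, payment: Payment) -> bool:
        """Control 2: destination must be the verified account, and the authoriser must
        not be the person who set up or last changed the payee."""
        payee = self.payees.get(payment.payee)
        if payee is None or payment.account != payee.account:
            self.log.append(f"REJECT payment to {payment.payee}: {payment.account} is not the verified account")
            return False
        if payment.authorised_by == payee.set_up_by:
            self.log.append(f"REJECT payment to {payment.payee}: {payment.authorised_by} maintained the payee "
                            "and tried to authorise the payment")
            return False
        self.log.append(f"AUTHORISE {payment.amount:.2f} to {payment.payee} by {payment.authorised_by}")
        return True

    def find_mismatched(self, payments: list[Payment]) -> list[Payment]:
        """Checklist step 5: payments whose destination is not the verified account."""
        return [p for p in payments
                if p.payee not in self.payees or p.account != self.payees[p.payee].account]


def demo() -> PayeeRegister:
    """Walk the scenario from the article with constructed names and accounts."""
    reg = PayeeRegister()
    reg.onboard(Payee("Acme Drilling Ltd", "GB-ACME-0001", "+44 20 7946 0000", "alice"))
    # Email asks for new details and helpfully supplies a number to "confirm" on: rejected.
    reg.apply_change(ChangeRequest("Acme Drilling Ltd", "GB-MULE-9999", "+44 20 7946 0999", "+44 20 7946 0999", "alice"))
    # A change confirmed on the number held on file: accepted.
    reg.apply_change(ChangeRequest("Acme Drilling Ltd", "GB-ACME-0002", None, "+44 20 7946 0000", "alice"))
    reg.authorise(Payment("Acme Drilling Ltd", "GB-ACME-0002", 700000.0, "alice"))  # rejected: same person
    reg.authorise(Payment("Acme Drilling Ltd", "GB-ACME-0002", 700000.0, "bob"))    # accepted
    return reg


if __name__ == "__main__":
    for line in demo().log:
        print(line)
```

The design point is that the phone number used for verification is a property of the payee record, fixed at onboarding, so a staff member cannot be steered into "confirming" on a number the email supplied. The audit log is what the post-incident review in step 5 relies on: `find_mismatched` answers "which payments went anywhere other than the verified account" in one pass over payment history.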

The Bottom Line

Zephyr Energy can absorb a £700,000 loss. Most small businesses cannot. Payment diversion fraud is devastatingly simple, alarmingly common, and almost entirely preventable with basic controls. A phone call to verify bank details costs nothing. Not making that call could cost you your business.

Protect Your Business from Payment Fraud

Our cyber security packages include staff training, email security configuration, and payment process reviews tailored for small businesses.
