Hacker diverts £700,000 from UK energy firm through payment redirection scam

British oil and gas company Zephyr Energy has revealed that approximately £700,000 (nearly $1 million) was fraudulently diverted from one of its U.S.-based subsidiaries after a payment intended for a contractor was redirected to a hacker-controlled account.

In an official regulatory filing submitted to the London Stock Exchange on Thursday, the company confirmed that it is actively “working with the corresponding banks and consultants to attempt to recover the diverted funds.”

Although the company did not disclose the exact method used in the incident, such attacks are commonly linked to business email compromise schemes. In these cases, attackers gain unauthorised access to corporate email systems or financial platforms and manipulate payment details, such as bank account numbers or routing information, during legitimate transactions or invoice processing.

According to the Federal Bureau of Investigation, these types of attacks remain one of the most significant sources of cyber-enabled financial losses. In its most recent annual internet crime report released earlier in April, the agency noted that business email compromise scams accounted for more than $3 billion in losses during 2025 alone.

Zephyr Energy stated that the incident has been contained and emphasised that its day-to-day operations continue without disruption. The company also noted that it had been following “industry standard practices” across its technology and payment systems at the time of the breach. Following the incident, Zephyr said it has introduced “additional layers of security” to strengthen its defences against similar attacks.