British oil and gas company Zephyr Energy reported that a hacker stole £700,000 (approximately $1 million) from a U.S.-based subsidiary by redirecting a payment intended for a contractor into a hacker-controlled account. In a regulatory filing with the London Stock Exchange on Thursday, the company stated it is working with corresponding banks and consultants to attempt to recover the diverted funds.
The incident illustrates a recurring pattern in enterprise security: attackers may not need to exploit traditional software vulnerabilities in payment systems. Instead, they can leverage compromised email inboxes and accounting systems to alter bank account and routing numbers—an approach known as business email compromise.
How the attack occurred
According to Zephyr’s filing, the theft involved redirecting a contractor payment into a hacker-controlled account. The company did not specify the exact mechanism used or provide details on the timing of the fraud beyond stating that the incident is contained and that operations are running normally.
Zephyr noted that it used “industry standard practices” for its tech and payment platforms. Following the incident, the company implemented “additional layers of security.” A spokesperson for Zephyr did not respond to a request for comment.
Why business email compromise remains a significant threat
Business email compromise attacks work by exploiting access to email inboxes or accounting systems to alter banking details during payment processes. This approach targets the human and process layer between invoice generation and payment execution, making it particularly effective.
The FBI identified business email compromise as one of the top sources of financial losses in its most recent annual report on internet cybercrime, published in April. According to the FBI, these attacks resulted in more than $3 billion in victim losses during 2025.
For security teams, the implication is clear: the attack surface extends beyond software vulnerabilities to include authorization and verification workflows. This includes how organizations confirm banking details before executing payments and how systems handle changes to payment instructions from potentially compromised accounts.
Security controls and recovery efforts
Zephyr’s use of industry standard practices reflects a common reality in enterprise security: baseline controls may not prevent attacks if trust pathways can be manipulated. The company did not specify which controls were in place beyond this general characterization.
Following the theft, Zephyr implemented additional layers of security, consistent with a defense-in-depth approach to payment security. The company is working with banks and consultants on fund recovery, underscoring that once money is diverted, recovery depends on banking processes and coordination beyond internal controls.
Implications for payment security
The Zephyr incident reflects a persistent threat model where attackers leverage compromised communication and accounting systems to alter payment instructions. The reported scale of business email compromise losses—over $3 billion annually according to FBI data—indicates that payment workflow attacks represent a significant financial risk category.
Organizations may consider prioritizing investments in payment security controls, particularly around verification of payment destinations and safeguarding access to systems that can modify routing and account information.
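One concrete form the verification controls described above can take is a release gate in the accounts-payable workflow that refuses to pay against bank details that differ from the vendor record on file until the change has been confirmed by a callback to a phone number captured at onboarding (never one supplied in the incoming email or invoice). The following is an added illustration written for this article, not Zephyr's system or code from TechCrunch; the vendor record, the bank details and the callback number are constructed sample data, and the class and field names are assumptions.

```python
"""Payment-instruction change control (constructed example).

Any payment whose bank details differ from the vendor record on file is
held, and the new details can only be used after an out-of-band callback
to the number already on file. Every decision is written to an audit log.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BankDetails:
    account_number: str
    routing_number: str


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    bank: BankDetails
    callback_phone: str                 # captured at onboarding, never from an incoming email
    verified_change: Optional[BankDetails] = None  # confirmed out of band, not yet applied


@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    amount_gbp: float
    bank: BankDetails                   # details exactly as they appear on the invoice / email
    requested_by: str                   # mailbox that submitted the instruction


class PaymentControl:
    """Release gate: decides whether a payment may go out as instructed."""

    def __init__(self, vendors: List[VendorRecord]):
        self.vendors: Dict[str, VendorRecord] = {v.vendor_id: v for v in vendors}
        self.audit_log: List[str] = []

    def _decide(self, req: PaymentRequest, decision: str, reason: str) -> str:
        self.audit_log.append(
            f"{decision} vendor={req.vendor_id} amount={req.amount_gbp:.2f} "
            f"by={req.requested_by}: {reason}")
        return decision

    def evaluate(self, req: PaymentRequest) -> str:
        vendor = self.vendors.get(req.vendor_id)
        if vendor is None:
            return self._decide(req, "REJECT", "unknown vendor")
        if req.bank == vendor.bank:
            return self._decide(req, "RELEASE", "bank details match the record on file")
        if vendor.verified_change is not None and req.bank == vendor.verified_change:
            # The change was confirmed by callback earlier; apply it and release.
            vendor.bank = req.bank
            vendor.verified_change = None
            return self._decide(req, "RELEASE", "bank details match a change verified out of band")
        # Mismatch with no verified change: hold, regardless of who sent the request.
        return self._decide(req, "HOLD",
                            "bank details differ from the record on file; callback verification required")

    def confirm_change(self, vendor_id: str, new_bank: BankDetails, phone_dialled: str) -> bool:
        """Accept new bank details only if confirmed via the number on file."""
        vendor = self.vendors[vendor_id]
        if phone_dialled != vendor.callback_phone:
            self.audit_log.append(f"VERIFY-FAIL vendor={vendor_id}: callback not made to number on file")
            return False
        vendor.verified_change = new_bank
        self.audit_log.append(f"VERIFY-OK vendor={vendor_id}: new bank details confirmed via {phone_dialled}")
        return True


# Constructed sample data (not real accounts or numbers).
ON_FILE = BankDetails("11112222", "40-00-01")
NEW_DETAILS = BankDetails("99998888", "40-99-99")
ONBOARDED_PHONE = "+44 20 0000 0000"


def demo() -> List[str]:
    """Walk one vendor through an attempted change; returns the gate decisions."""
    ctrl = PaymentControl([VendorRecord("V-100", "Example Drilling Services", ON_FILE, ONBOARDED_PHONE)])
    decisions = []
    decisions.append(ctrl.evaluate(PaymentRequest("V-100", 700000.0, ON_FILE, "ap@vendor.example")))
    # An invoice arrives carrying different bank details.
    changed = PaymentRequest("V-100", 700000.0, NEW_DETAILS, "ap@vendor.example")
    decisions.append(ctrl.evaluate(changed))                      # HOLD
    ctrl.confirm_change("V-100", NEW_DETAILS, "+44 20 9999 9999")  # number from the email: rejected
    decisions.append(ctrl.evaluate(changed))                      # still HOLD
    ctrl.confirm_change("V-100", NEW_DETAILS, ONBOARDED_PHONE)     # callback to number on file
    decisions.append(ctrl.evaluate(changed))                      # RELEASE, record updated
    decisions.append(ctrl.evaluate(changed))                      # RELEASE, now on file
    return decisions


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The gate deliberately ignores who sent the request: a mismatch is held even when the instruction comes from the vendor's own mailbox, because a compromised inbox is exactly the case business email compromise relies on. The audit log gives the finance and security teams a record of every held payment and every callback, which is the evidence needed if recovery has to be attempted later.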
Source: TechCrunch