£700K Diverted in Suspected BEC Attack on UK Energy Firm
A recent cyber incident impacting UK-based Zephyr Energy highlights the continued financial risk posed by business email compromise (BEC) and payment redirection fraud.
According to reports, approximately £700,000 was diverted after a legitimate contractor payment was redirected to an account controlled by attackers. The organisation identified the issue after the funds had already been transferred, underscoring the speed and effectiveness of this attack type.
While the exact intrusion vector has not been publicly confirmed, the characteristics of the incident strongly align with business email compromise (BEC) tactics.
Attack Overview
In this case, threat actors appear to have manipulated payment details within an otherwise legitimate business transaction. Unlike traditional cyber attacks, there is no indication of malware deployment or operational disruption.
Instead, the attackers likely exploited one of the following:
- Compromised or spoofed email accounts
- Interception of ongoing financial communications
- Social engineering to alter supplier payment details
This approach reflects a broader trend: attackers targeting business processes rather than IT infrastructure, allowing them to maintain persistent access while organisations remain unaware of the compromise.
Why This Matters
BEC attacks remain one of the most financially damaging forms of cyber crime globally, responsible for billions in losses each year.
What makes this incident particularly significant:
- Low visibility: No obvious system outage or technical failure
- High impact: Immediate and substantial financial loss
- Process exploitation: Attackers targeted trust and routine workflows
This reinforces a critical reality: organisations do not need to suffer a technical breach to experience severe cyber-related financial damage.
Threat Intelligence Insight
From a threat intelligence perspective, this incident aligns with a sustained increase in:
- Payment redirection fraud targeting finance teams
- Credential compromise of email accounts
- Use of legitimate communication threads to avoid detection
These attacks are often carefully timed to coincide with:
- Supplier onboarding or invoice cycles
- Contract renewals
- Periods of high transaction volume
The lack of malware or indicators of compromise (IoCs) also makes detection significantly more challenging using traditional security tooling.
Recommended Mitigations
To reduce exposure to BEC and payment fraud, organisations should prioritise controls around financial processes, not just IT systems:
1. Strengthen Payment Verification Controls
- Independently verify all changes to supplier bank details
- Use out-of-band confirmation (e.g. phone calls to known contacts)
2. Enforce Strong Identity Security
- Implement multi-factor authentication (MFA) across email and finance systems
- Monitor for suspicious login activity and mailbox rule changes
3. Increase Finance Team Awareness
- Train staff to identify red flags in payment change requests
- Simulate BEC scenarios as part of security awareness programmes
4. Introduce Transaction Safeguards
- Flag unusual payment patterns or last-minute changes
- Apply dual authorisation for high-value payments
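The verification and transaction safeguards above can be enforced as a pre-release check in a payment workflow. The following is an added example, not code from the article or from any organisation involved; the threshold, the time window, the field names and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for illustration; take real ones from your finance policy.
DUAL_AUTH_THRESHOLD_GBP = 50_000
RECENT_CHANGE_WINDOW = timedelta(days=14)

@dataclass
class Supplier:
    name: str
    account_on_file: str
    details_changed_at: Optional[datetime] = None  # last bank-detail change
    change_verified_by_callback: bool = False      # out-of-band check completed

@dataclass
class Payment:
    supplier: Supplier
    amount_gbp: float
    destination_account: str
    requested_by: str
    approvers: frozenset = frozenset()

def hold_reasons(p: Payment, now: datetime) -> list:
    """Return why a payment must be held; an empty list means it may be released."""
    s, reasons = p.supplier, []
    if p.destination_account != s.account_on_file:
        reasons.append("destination differs from account on file")
    if s.details_changed_at is not None:
        if not s.change_verified_by_callback:
            reasons.append("bank detail change not verified out of band")
        if now - s.details_changed_at < RECENT_CHANGE_WINDOW:
            reasons.append("bank details changed shortly before payment")
    # Dual authorisation: two distinct approvers, neither of them the requester.
    independent = p.approvers - {p.requested_by}
    if p.amount_gbp >= DUAL_AUTH_THRESHOLD_GBP and len(independent) < 2:
        reasons.append("high-value payment lacks dual authorisation")
    return reasons

# Constructed sample data (not from the incident): a supplier whose bank details
# were changed two days before a large payment, with no call-back performed.
NOW = datetime(2026, 1, 15, 9, 0)
changed = Supplier("Example Contractor Ltd", "GB00-NEW-0002",
                   details_changed_at=NOW - timedelta(days=2))
risky = Payment(changed, 700_000, "GB00-NEW-0002", "ap.clerk",
                approvers=frozenset({"ap.clerk", "fin.manager"}))
routine = Payment(Supplier("Example Supplies Ltd", "GB00-OLD-0001"),
                  1_200, "GB00-OLD-0001", "ap.clerk",
                  approvers=frozenset({"fin.manager"}))
```

Note that the risky payment matches the account on file, because the fraudulent details were already accepted into the supplier record; it is held only by the change-verification and dual-authorisation checks.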
Key Takeaway
This incident is a clear reminder that cyber risk is business risk.
Attackers are increasingly focusing on the point where money moves, exploiting trust, timing, and human behaviour rather than technical vulnerabilities.
Organisations must treat financial workflows as critical security boundaries – not just operational processes.
How NormCyber Can Help
NormCyber helps organisations reduce exposure to financially motivated cyber threats through a combination of managed detection and response and human risk management.
Our services are designed to:
- Detect and respond to account compromise and suspicious email activity
- Deliver targeted security awareness training for finance and operational teams
- Provide continuous monitoring and threat intelligence to identify emerging risks
If you would like to understand how exposed your organisation may be to BEC and payment fraud, get in touch with our team for a tailored risk assessment.
Resources:
https://www.theregister.com/2026/04/09/zephyr_energy_cyberattack/
https://www.itpro.com/security/cyber-attacks/zephyr-energy-hackers-swiped-gbp700-000-after-redirecting-a-contractor-payment
