Fraudsters Target Used Car Buyers by Hacking Emails and Offering Fake Discounts

Criminals exploit compromised email accounts to intercept legitimate sales, directing deposits to fraudulent bank accounts before disappearing.

Used car buyers on Cazoo face sophisticated fraud attacks involving hijacked email communications and fake discount offers, according to reports emerging in January 2026. Fraudsters have compromised email accounts associated with legitimate vehicle listings, intercepting correspondence between buyers and the online car retailer to redirect deposits into criminal accounts before vanishing with the money.

The scam operates by gaining access to email accounts belonging to either Cazoo customers or the company's systems, though the exact entry point remains unclear. Once inside email chains discussing specific vehicle purchases, criminals insert themselves into ongoing conversations, sending messages that appear to come from legitimate Cazoo addresses offering unexpected discounts or alternative payment arrangements.

"I was in the final stages of purchasing a BMW 3 Series listed on Cazoo when I received an email offering a £2,000 discount if I paid a deposit directly to a specified account rather than through Cazoo's normal payment portal," explained Mark Thompson, a victim from Manchester who contacted consumer protection groups after losing £5,000. "The email looked completely legitimate, came from what appeared to be a Cazoo address, and referenced specific details about my purchase that only someone with access to our correspondence would know."

Thompson transferred £5,000 as requested, expecting to complete the remaining payment and collection formalities through Cazoo's standard process. When he contacted Cazoo to arrange vehicle delivery, the company had no record of receiving his deposit and confirmed the bank account details were not theirs. Attempts to recover the funds through his bank proved unsuccessful as the criminal account had been emptied within hours of receiving the transfer.

The fraud technique, known as business email compromise or BEC, has affected various industries but appears to be targeting online car sales platforms with increasing frequency. According to Action Fraud, the UK's national fraud reporting centre, vehicle purchase scams cost British consumers over £43 million in 2025, with email compromise representing a growing proportion of total losses.

Cazoo, the online used car retailer that expanded rapidly during the COVID-19 pandemic before restructuring operations in 2022 and 2023, confirmed it is investigating multiple reports of fraudulent email activity targeting its customers. The company issued a statement in January 2026 acknowledging the problem and advising customers to verify all payment communications through official channels.

"We are aware of fraudulent emails purporting to be from Cazoo that request payment to accounts not controlled by our company," the statement read. "Cazoo will never ask customers to make payments to personal bank accounts or offer last-minute discounts through email. All legitimate payments should be made through our secure online portal. We strongly advise customers to contact us directly through verified phone numbers on our official website if they receive any unexpected payment requests."

The scale of the fraud remains unclear, with Cazoo declining to specify how many customers have been affected or the total losses involved. However, consumer protection forums and automotive complaint websites contain multiple reports from buyers describing similar experiences dating back to late 2025, suggesting the problem has been ongoing for several months.

Security experts suggest the criminals may have gained access through phishing attacks targeting Cazoo employees or customers, malware infections allowing email monitoring, or exploitation of vulnerabilities in email servers. Once inside email systems, fraudsters can monitor communications in real time, identifying high-value transactions and inserting themselves at crucial payment moments when buyers are primed to transfer substantial sums.

"Email compromise frauds succeed because they exploit existing trust relationships and use information gleaned from legitimate correspondence," explained Dr. Sarah Mitchell, a cybersecurity researcher at the University of Surrey. "When you receive an email that references specific details about your transaction, uses familiar terminology, and appears to come from the expected sender, your guard drops. The criminals understand this psychology and craft their messages accordingly."

The fake discount offers serve dual purposes. They create urgency encouraging immediate action without careful verification, and they provide plausible explanations for payment instructions differing from standard procedures. Buyers assume they're receiving special treatment or taking advantage of end-of-month targets, making the unusual payment arrangements seem like fortunate opportunities rather than warning signs.

Cazoo operates differently from traditional dealerships, handling transactions primarily online with vehicle delivery rather than showroom visits. This digital-first approach creates fewer opportunities for face-to-face verification and increases reliance on email and phone communications. While convenient for legitimate buyers, it also provides criminals with opportunities to insert themselves into purely digital transaction chains.

Banks can sometimes recover funds transferred to fraudulent accounts if victims report quickly enough, before criminals move or withdraw money. However, sophisticated fraud operations establish networks of mule accounts specifically to receive and rapidly disperse stolen funds, making recovery extremely difficult. Thompson's experience, where the account emptied within hours, suggests organised operations rather than opportunistic individuals.

Consumer protection advocates argue that online retailers bear responsibility for securing their communications infrastructure and protecting customers from fraud occurring through compromised company systems. If Cazoo's email servers or employee accounts were breached, allowing criminals access to customer correspondence, the company potentially faces liability for resulting losses.

"When you entrust a company with your personal information and purchase intentions, you reasonably expect them to maintain security preventing that information falling into criminal hands," said James Walker, founder of consumer rights organisation Resolver. "If Cazoo's systems were compromised and that compromise enabled fraud against their customers, they should compensate victims and demonstrate what measures they're implementing to prevent recurrence."

Cazoo has not confirmed whether its systems were directly breached or if criminals gained access through compromising individual customer email accounts. The company stated it is working with law enforcement and cybersecurity specialists to investigate the fraud and strengthen security measures, though specific details of enhanced protections were not provided.

The incidents highlight broader vulnerabilities in online vehicle sales, an industry that grew explosively during pandemic lockdowns when traditional showroom visits became impossible or unappealing. Cazoo, Cinch, and Motorway all expanded operations to meet demand for contactless car buying, but the digital transactions create fraud opportunities that physical dealerships largely avoid.

Buyers can protect themselves through several practices. Verifying payment instructions by calling companies directly using phone numbers from official websites rather than contact details provided in emails prevents criminals redirecting communications. Being suspicious of unexpected discounts or changes to payment procedures, particularly when offered via email, helps identify potential fraud. Using credit cards rather than bank transfers for deposits provides additional protection through chargeback rights if transactions prove fraudulent.
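The warning signs described in this article (an unexpected discount, payment outside the normal portal, bank details supplied by email) can also be checked automatically on a mailbox or mail gateway. The following is an added example, not code from Cazoo or any source quoted here; the domain `retailer.example`, the phrase lists and the function names are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXPECTED_DOMAIN = "retailer.example"  # assumed: the seller's real sending domain
BANK = re.compile(r"\b\d{2}-\d{2}-\d{2}\b|\b\d{8}\b|\bIBAN\b", re.I)  # UK sort code / account no.
LURE = re.compile(r"\b(discount|today only|urgent|limited time)\b", re.I)
OFF_PORTAL = re.compile(r"\b(bank transfer|directly to|new account details)\b", re.I)

def _domain(header):
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def redirect_flags(raw):
    """Return the sorted list of payment-redirection indicators found in one message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    flags = set()
    if _domain(msg["From"]) != EXPECTED_DOMAIN:
        flags.add("unexpected_sender_domain")
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        flags.add("reply_to_mismatch")
    if "dmarc=pass" not in str(msg["Authentication-Results"] or "").lower():
        flags.add("no_dmarc_pass")
    # Content checks still fire when the mail comes from a genuinely compromised mailbox.
    if BANK.search(body):
        flags.add("bank_details")
    if LURE.search(body):
        flags.add("discount_or_urgency")
    if OFF_PORTAL.search(body):
        flags.add("off_portal_payment")
    return sorted(flags)

def hold_for_callback(raw):
    """Hold any message that supplies bank details alongside at least one other indicator."""
    flags = redirect_flags(raw)
    return "bank_details" in flags and len(flags) > 1

# Constructed sample: sent from the real domain (DMARC passes), as in a compromised mailbox.
HIJACKED = """\
From: Sales <sales@retailer.example>
To: buyer@mail.example
Subject: Re: Your order
Authentication-Results: mx.mail.example; dmarc=pass header.from=retailer.example

Good news: a GBP 2,000 discount applies if you pay the deposit by bank transfer today only.
Sort code 12-34-56, account number 12345678.
"""

if __name__ == "__main__":
    print(redirect_flags(HIJACKED), hold_for_callback(HIJACKED))
```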

Banks have implemented Confirmation of Payee systems requiring account name verification before completing transfers, designed to catch fraud where account names don't match expected recipients. However, these systems only work if buyers know the correct recipient name. When criminals claim to represent legitimate companies and provide plausible explanations for different account names, verification systems provide limited protection.

The Cazoo fraud follows other high-profile vehicle scams including cloned advertisements on classified sites, phantom vehicles that don't exist, and deposit scams where criminals collect payments but never deliver cars. According to the Finance and Leasing Association, vehicle fraud cost the motor finance industry £174 million in 2024, with online fraud representing the fastest-growing category.

Recovery prospects for victims depend on multiple factors including speed of reporting, whether funds remain in recipient accounts, and cooperation from banks operating those accounts. Financial Ombudsman Service data suggests that fewer than 30 percent of authorised push payment fraud victims, where individuals voluntarily transfer money to criminals, receive full reimbursement from their banks.

New regulations introduced in October 2024 require banks to reimburse most authorised push payment fraud victims up to £85,000, sharing costs between sending and receiving banks. However, exceptions apply when victims ignored warnings or failed to take reasonable precautions. Banks may argue that transferring money based on email instructions without independent verification fails the reasonable precaution standard.

Cazoo's business has faced challenges beyond fraud issues. The company listed on the New York Stock Exchange in 2021 at a $7 billion valuation but subsequently struggled with profitability. Restructuring in 2022 and 2023 involved closing facilities, reducing headcount, and refocusing on core markets. The fraud allegations add reputational damage to operational difficulties, potentially deterring customers already wary of online vehicle purchases.

Whether Cazoo survives long-term depends partly on rebuilding trust damaged by fraud incidents and demonstrating robust security protecting customer data and transactions. The used car market remains large and online sales channels continue growing, but companies must prove they can operate safely in an environment where criminals constantly probe for vulnerabilities.

For buyers like Thompson, the immediate concern involves recovering lost deposits and determining whether Cazoo, banks, or law enforcement can help. His £5,000 represents substantial money for most households, and the emotional impact of falling victim to sophisticated fraud extends beyond financial losses.

"I consider myself reasonably tech-savvy and cautious about online transactions," Thompson reflected. "But these criminals were convincing because they had access to real information about my purchase. I assumed the discount was legitimate because how else would they know those details? Learning that my trust was exploited through compromised emails feels violating in ways beyond just losing the money."

The fraud serves as a stark reminder that digital convenience carries risks requiring constant vigilance. Email remains fundamentally insecure for sensitive transactions, yet businesses and consumers rely on it daily for everything from banking to vehicle purchases. Until more secure communication methods become standard, criminals will continue exploiting the gap between email's ubiquity and its vulnerability. Cazoo's customers are learning this lesson expensively, and unfortunately, they probably won't be the last.