Fraudsters are launch phishing campaigns which come in the shape of fake emails pretending to be from someone within the same organisation as the victim – and the crooks are increasingly targeting data over money.

Email fraud, particularly business email compromise, hit the headlines when the FBI said this particular form of cyber criminal activity cost victims billion dollars over the course of a year.

New research from security company Proofpoint suggests the number of email fraud attacks is on the rise.

According to the report, three quarters of organisations believe they’ve been targeted once, while two in five firms believe they’ve been the target of multiple attempts of attack.

While the attacks involve some care and effort by the attackers – they need to look like someone the victim can trust – they’re widening their reach, targeting larger numbers of people within organisations.

“A change we’ve experienced in Q4 over previous quarters is the number of people within an organisation that are targeted with these attacks doubled,” Robert Holmes, vice president of Email Security Products for Proofpoint told ZDNet.

Traditionally, the attackers would attempt to go direct to the source with the greatest access to the money – the CFO – often sending emails claiming to be from the CEO requesting a transfer of funds.

However, while some of these attacks have proved successful, for the most part, chief financial officers haven’t got to where they are by just handing out funds to anyone who asks.

So now attackers are moving down the company hierarchy, targeting the likes of human resources, accounts, finance and even technology teams in an effort to conduct successful attacks. Afterall, if a worker gets a message that claims to be someone from the board level, the thinking for the attackers is that they’re going to follow the orders.

See also: What is phishing? Everything you need to know to protect yourself from scam emails and more

But while being a victim of email fraud and losing money as a result of transferring funds to criminals brings a huge financial hit to organisations, attackers are also increasing their interest in using this type of campaign to covertly gain access to data.

“More companies that were hit with email fraud coughed up sensitive or confidential data than actually lost money,” said Holmes.

“Business email compromise may have been something more concerned via wire transfer fraud, but there’s also the issue around losing data which with GDPR just around the corner is going to be concerning,” he added, referring to upcoming legislation which could result in organisations being fined for data breaches.

Not only that, but if sensitive information is leaked, it could lead to the organisation being at risk from further attacks, be they from those who carried out the initial campaign – or anyone else they sell access to the information to on the dark web.

“If you’re stealing payroll data, that could be valuable in of itself. But also there’s the whole reconnaissance phase of the kill chain and if I know who is in what role in which companies and dealing with what vendor, that becomes extremely valuable information on the dark web,” said Holmes.

According to the report, more than three quarters of organisations believe that they could fall victim to business email compromise over the next twelve months.

In order to combat the threat of these attacks, it’s useful for organisations to invest in technology which can identify these messages, while organisations should also train employees to be suspicious of any unexpected emails demanding money, especially if it is from someone within the company they haven’t directly dealt with before.

If in doubt, they should directly ask the person themselves – in person, if necessary – about the purported enquiry.

While business email fraud attacks aren’t as prolific as some other forms of cyber attack, they still pose a risk to organisations, and that risk will only become more significant if more attackers belive they can get a piece of the pie.

“If the bad guys can systematise this, if they can turn aspects of it into ‘as-a-service’, then this starts getting a lot more serious as they’re able to scale. I still think it’s going to be highly targeted, but if you do highly targeted at scale, it becomes a very big concern,” said Holmes.