New figures obtained by the BBC reveal that more than 5,000 people were conned into sending planned payments to fraudsters' bank accounts last year.
The scam fooled customers by sending emails asking them to divert payments into criminals' accounts, leaving the genuine recipient unpaid.
The number of cases of the scam - also known as "mandate" or "invoice" fraud - is up 71% on the previous year with total losses in the UK reported to be around £126m.
James Maude, senior security engineer at endpoint security software firm Avecto, said:
“These attacks, despite often being technically very simple, can consistently evade detection by traditional anti-virus software. From the attackers' perspective the barrier to entry is low and the rewards high, as there is little cost or risk involved in sending out emails.
“As we have seen from the You and Yours report, criminals are now also turning to small businesses, who often have fairly weak security, to gain access to customers' details via compromised email accounts. This can then be used to distribute malware and scams to loyal customers who won’t hesitate to open an email from someone they think they know and trust.
“We are now seeing multi-stage attacks, where if the attackers are not successful in tricking the victim into handing over money for a fake invoice or fine, they move on to the second stage of encrypting all the users' data and holding it to ransom.
“Businesses and the general public need to be aware that you cannot always trust emails and, when it comes to money or unsolicited contact, it is best to use a second communication method such as phone or text to verify the email is genuine. It is important to remember that it is no longer just obvious Nigerian royalty scams; cyber-attacks can happen via social media, email and mobile apps.”