Credit unions are seeing an increase, Haber continues, because many of the big banks have used their substantial resources to protect themselves. So the hackers are going after what they see as softer targets.

He warns it's a mistake for credit unions to assume because they're smaller than the banks in town hackers won't bother with them. The second mistake is the credit union's computer network isn't secure enough. The bar isn't set high enough to keep out most hackers. Reviews of efforts to keep out hackers should take place weekly or monthly, not just yearly.

One approach hackers use involves SQL. It's pronounced "sequel" and stands for Structured Query Language. Like a thief seeking the easy way into a house, such as an unlocked door or an open window, hackers work their way into databases through web forms. For example, your Web site may allow members to call up a list of branches or no-fee ATMs.

Hackers can use that to enter the database behind it. Once there, they access account information, passwords, e-mail addresses, phone numbers, credit card information and other data.

The problem, the folks at SecureWorks warn, is web developers construct handy applications such as a branch locator, but don't put in the safeguards needed to block those applications as points of entry to the credit union database.

"It's good to have an emergency plan," Haber says. "You have to do it in advance. Hackers are in and out quickly and the IT folks aren't there. Planning in advance is very important."

The good news is there is so much on the Web, available 24/7. Members enjoy that convenience. So do hackers.

How are hacker attacks usually detected? It depends on the type of attack, Haber answers. If the credit union has effective security technology in place, that technology may detect and block the hacker. "It's also common for member service staff to get an e-mail or phone call from a concerned citizen, perhaps a member who has received an e-mail phishing for information. Sometimes the call may come from someone who isn't even a member. It's important employees in the phone center and elsewhere know how to respond to these alerts," he says. Elizabeth Clarke, SecureWorks vice president of corporate communications, warns credit unions need many different forms of defense. If a hacker breaks into the network, you need defense on the server itself.

"If the hacker gets past the front door, you've got a lock on your safe," she says. "I think there are some auditors out there still only recommending detection. You need to not only detect an attack, you need to stop it."

As more servers become secure, attacks on desktop computers themselves are up 35%. There's a lot of information sitting on those desktops. Clarke and Haber suggest not only credit unions, but members themselves use free spyware blocking programs such as Spybot and Adaware.

Data indicates phishing attacks specifically are increasing. MarkMonitor in San Francisco reports phishing attacks aimed at financial institutions with less than $500 million in assets jumped 753% in the last six months of 2005, accounting for 6% of all phishing attacks. Six months earlier this segment accounted for just 1% of all attacks.

Credit unions, in particular, experienced an 845% increase in phishing attacks. That's 12% of all phishing attacks in January this year, compared with only 2% in mid-2005. Overall, phishing attacks for all financial institutions were up 50% in the six months ending January 2006.

Chuck Drake, senior vice president of MarkMonitor's Fraud Solutions, offers some thoughts on how fraudsters think.

"They look at phishing like direct marketing," he says. "They're trying to get the highest response rate for their effort. Larger banks over the years have gotten more sophisticated and adopted defense-in-depth strategies to combat these attacks.

"So the fraudsters' response rates dropped. You want to move to a new segment where you're going to enjoy the benefits of a less sophisticated or not as knowledgeable financial institution."

Drake cites some other trends putting smaller to mid-size financial institutions at greater risk than ever: The level of fraudster sophistication is increasing by the day. It used to be consumers would be alerted by the fact a fake e-mail simply didn't have the look and feel of the real thing. Today fraudsters can go out and buy kits, as it were, that let them construct very realistic Web sites. Fraudsters have learned consumers look at the domain name identifying the senders. Crooks register legitimate-sounding domain names then create phish on that site. Consumers can't tell the difference. Fraudsters have also learned to launch multiple simultaneous attacks. A credit union may go months with no attacks, then get hit with 10. It's called phish rashing, and it takes much longer for the credit union to spot and respond to the attacks.

What to do? MarkMonitor advises credit unions to proactively register domain names and variations. For example, the credit union's legitimate Web site is www.myfavoritecreditunion.org. Register not only that name, but variations fraudsters may use-myfavoritecu.org, myfavcreditunion.org, favoritecreditunion.org, myfavoritecreditunion.com and so on.

Registering the names blocks the bad guys from using them. In addition, if a fake name pops up, "We can find out who owns those names and help the credit union take action," Drake says.

He stresses an aggressive, proactive response is vital. Credit unions care about their members. They want to protect members and eliminate each phish site as quickly as possible.

One technique MarkMonitor uses is to flood a fake site with tons of phony information. The phishers think they've struck a gold mine of names, PINs and other data. But too late the phishers discover it's bogus.

"There needs to be a realization at the leadership level that the [phishing] threat exists, it's increasing and isn't going away," Drake states. "It's not a matter of it, but when.

"You need to have on the proactive side the ability to detect phish sites before they go active. That sounds as though it may be rocket science, but we have the ability to see domain names registered before they become active.

"Credit unions have a high brand identity. When attacks happen members will see it as the credit union's fault. You can't rely on members to tell you there is phishing because they may not know." [email protected]