IBM revealed a sophisticated bank funds transfer scheme that uses a mixture of phishing, malware and phone calls to appropriate large sums of money from U.S. companies. However, credit unions appear to be unaffected for now, experts said.
"The Dyre Wolf" scheme utilizes Dyre, or Dyreza, malware to target corporate banking accounts. In addition to using "one of the most effective banking Trojans active in the wild because of its feature-rich capability," the Eastern European gang of cyber-criminals apparently has the type of expertise and backing to steal "upwards of a million dollars from unsuspecting companies," IBM Security Services said in a report posted on its website.
"The organization behind the Dyre malware campaign has not only consistently updated and maintained the malware, they have added more tricks to further their deception," the IBM unit wrote. "Social engineering via phone calls and denial of service are now part of their toolkit."
"Dyre Wolf is an evolution to the Dyre malware that came out last year," Carl Mazzanti, founder/CEO of IT consulting firm eMazzanti Technologies, said. "This new strain is an example of the evolution of malware-in-the-wild morphing and slips by undetected by spyware and antivirus programs."
According to IBM, the attackers have been targeting people working in companies since last year by sending spam email with unsafe attachments in order to inject a variation of the Dyre malware into as many computers as possible.
"This malware and technique is not new, but it is the first time it is being combined and utilized on such a large scale," Paul Kubler, digital forensics and cyber security examiner at LIFARS LLC, said. "It targets organizations rather than end-users, and has been particularly effective."
In a typical assault on a corporate account, according to the IBM unit, a victim logs into a corporate account on the bank's website and then receives an error notification inviting him or her to call the bank about accessing the account. The victim who calls this number reaches a very professional-sounding person posing as the financial institution's representative. After a brief conversation, this individual prompts the victim to give the username and password for the account and verifies them several times. The attacker may also ask for a token code. During this verification stage, the attacker might ask to speak with a coworker who has similar access to the account, and who may be one of the authorized persons on it, and ask that coworker to verify information and give a token code over the phone.
To be vulnerable, a number of user actions need to take place, Mazzanti explained. To start, a user must click on a phishing email to accept the package installation on his or her computer. Next, that user needs to use that computer to access one of the hundreds of websites that Dyre is programmed to monitor. The user will then be redirected during the logon phase to a "false" web page that instructs him or her to call a phone number and interact with a live operator. Once engaged, the operator will collect details from the victim, authenticate the user login information, and later empty the victim's bank account with a bank wire.
Dr. Tim Lynch, president and founder of PsychSoft Consulting, said the program recognizes when the computer's user visits a bank website and displays an on-screen prompt claiming the site is down and asking the user to call the bank directly.
"At the phone number given, an English-speaking member of the group takes the credit card information of the person deceived," Lynch said.
The scheme involves a combination of computer malware, Trojan horses, social engineering and live operators, he said.
"The real innovation is the use of 800 numbers, call centers and actual people to divert funds from victims' bank accounts," Lynch said.
Once the fraudsters complete the transfer, the funds are moved quickly to evade detection. In one instance, IBM said, the gang used a denial-of-service attack to bring down a victim's web capabilities and delay discovery of the theft.
Reportedly, an estimated 3,500 or more organizations are malware victims, but for Lynch, it's not the number of victims that's significant, it's the amount of money.
"It's like the kid who opened a lemonade stand and charged $5,000 a glass," he said. "Yes it was expensive, but he only had to sell one."
The costs can be extremely high. The Ponemon Institute, a Michigan-based independent research firm, found that the estimated cost of a data breach is about $194 per compromised record.
"Now, our credit union community is largely sheltered from this strain, as the writers of the threat focused on the larger banking targets," Mazzanti said. But, he warned credit unions not to lower their shields yet.
"As the perpetrators earn money, we can be sure that the investments to increase the scope of target to banks and credit unions will increase rapidly," he added.
The IBM report recommends that companies configure their email servers to strip any executable attachments carrying an EXE, COM or SCR extension, including such files inside archives that are not password-protected.
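The filtering rule above can be expressed as a small mail-gateway check. The following Python script is an added example written for this article, not code from IBM's report or from any product; it parses a raw RFC 822 message, flags attachments whose name ends in .exe, .com or .scr, looks one level inside ZIP attachments for the same extensions, and leaves password-protected archives alone (the report's rule covers only unprotected ones). The sample message it builds is constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the IBM recommendation quoted in the article.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr"}


def has_blocked_extension(name: str) -> bool:
    """True when the file name ends in one of the blocked extensions (case-insensitive)."""
    return PurePosixPath(name).suffix.lower() in BLOCKED_EXTENSIONS


def zip_is_encrypted(zf: zipfile.ZipFile) -> bool:
    """Bit 0 of the general-purpose flag marks an encrypted (password-protected) entry."""
    return any(info.flag_bits & 0x1 for info in zf.infolist())


def find_blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (attachment label, reason) for every attachment the policy would strip.

    Only one level of archive nesting is inspected; deeper nesting would need recursion.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if has_blocked_extension(name):
            findings.append((name, "executable attachment"))
            continue
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if zip_is_encrypted(zf):
                    # Password-protected archives are outside the stated rule; skip them.
                    continue
                for member in zf.namelist():
                    if has_blocked_extension(member):
                        findings.append((f"{name}:{member}", "executable inside archive"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one plain .exe, one ZIP holding a .scr, and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"   # constructed address
    msg["To"] = "treasury@example.invalid"     # constructed address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.scr", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"nothing to see")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="contract.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, reason in find_blocked_attachments(build_sample_message()):
        print(f"strip {label}: {reason}")
```

Run stand-alone, the script reports the .exe attachment and the .scr inside report.zip and says nothing about contract.pdf. A production gateway would also want to check file content (the MZ header) rather than trusting the extension alone, which is why the extension check is kept in one function that can be swapped out.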
"The Dyre malware is constantly evolving and changing in an effort to avoid detection," the unit said. "New versions are appearing each day and often go undetected by popular corporate antivirus products for several days."
"Many people are vulnerable to the Dyre Wolf campaign, as it targets human weakness as opposed to exploiting a computer," Kubler warned. He recommends taking advantage of email filtering, especially with good malware protection, along with incorporating signature and behavior-based end-point protection, to prevent infection.
"Both are necessary to combat the quickly evolving malware that has a rapidly changing signature," he added.
Mazzanti pointed out that some credit unions have set up phone systems with announcements to educate customers who dial into their systems.
"Most likely, the writers of Dyre Wolf will not copy complete phone systems and navigation trees of auto attendants in the phone system to trick inbound callers," he said.
Banks and credit unions could also educate their customer bases to use a validation method that is exclusive to the financial institution, he said. Another idea involves mobile banking: when a patron calls in, the institution sends a PIN to a mobile phone registered on the account and must verify that PIN to confirm the caller before proceeding. In this scenario, the financial institution, not the caller, is the party that sends the PIN to the mobile phone.
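The mobile-PIN idea above, as an added example that is not part of the original article or any institution's system: the verifier looks up the mobile number already on file (never one the caller supplies), sends a one-time PIN through a delivery hook, and accepts only a fresh PIN within a short window and a small number of attempts. The `send_sms` hook, the `REGISTERED_MOBILES` table and the account numbers are constructed for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 300   # a PIN is usable for five minutes (assumed policy)
MAX_ATTEMPTS = 3        # the challenge is discarded after three wrong guesses (assumed policy)

# Constructed account records: the mobile number comes from the institution's own
# data, so the caller cannot redirect the PIN to a phone the attacker controls.
REGISTERED_MOBILES = {
    "acct-1001": "+1-555-0100",
    "acct-1002": "+1-555-0199",
}


@dataclass
class _Challenge:
    pin: str
    expires_at: float
    attempts_left: int


class CallerVerifier:
    """Out-of-band caller confirmation for a phone-banking operator."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms     # hypothetical delivery hook: send_sms(number, text)
        self._clock = clock           # injectable for testing
        self._challenges: dict[str, _Challenge] = {}

    def start(self, account_id: str) -> bool:
        """Generate and send a PIN; returns False if the account has no registered mobile."""
        mobile = REGISTERED_MOBILES.get(account_id)
        if mobile is None:
            return False
        pin = f"{secrets.randbelow(10**6):06d}"   # six digits, CSPRNG-backed
        self._challenges[account_id] = _Challenge(
            pin=pin,
            expires_at=self._clock() + PIN_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        self._send_sms(mobile, f"Your verification code is {pin}")
        return True

    def verify(self, account_id: str, pin_from_caller: str) -> bool:
        """True only for the current, unexpired PIN; each PIN is single-use."""
        ch = self._challenges.get(account_id)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[account_id]
            return False
        ch.attempts_left -= 1
        # Constant-time comparison avoids leaking how many leading digits matched.
        ok = hmac.compare_digest(ch.pin.encode(), str(pin_from_caller).encode())
        if ok or ch.attempts_left <= 0:
            del self._challenges[account_id]
        return ok


if __name__ == "__main__":
    outbox = []
    v = CallerVerifier(send_sms=lambda number, text: outbox.append((number, text)))
    v.start("acct-1001")
    sent_pin = outbox[-1][1].split()[-1]
    print("PIN went to", outbox[-1][0])
    print("caller reads back the right PIN:", v.verify("acct-1001", sent_pin))
    print("same PIN a second time:", v.verify("acct-1001", sent_pin))
```

The operator script that uses this would place the PIN check before any account change, so the caller's ability to recite a username and password (which Dyre Wolf's social engineering harvests) is not by itself enough to move money.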
The scariest part of Dyre Wolf for financial institutions, BestIDTheftCompanys.com Security Expert Robert Siciliano said, is that the social engineering aspect of the scheme reels the victim in deeply.
"The man-in-the-middle type attack ensures a smooth transaction without any of the banks' red flags being triggered," he said. "The victims' participation is what allows the bypassing of two-factor authentication and numerous anomaly detection system overrides."
So how do organizations, such as credit unions, protect themselves?
"By educating employees to not trust everything they see on the Internet, and to not give out information to the very 'helpful' folks at the other end of the phone," Lynch advised.
"Remember your Shakespeare: 'One may smile and smile, and be a villain.'"
© 2025 ALM Global, LLC, All Rights Reserved.