There are dumb ways and smart ways to steal from creditunions.

The dumb way is what most credit unions spend most of their timethinking about preventing, that is, the old-fashioned Bonnie andClyde stick up, with guns a-waving, maybe a shot in the ceiling forpunctuation.

The latest FBI bank crime statistical report – covering 2011 – shows there were 5,014 bank and creditunion robberies. Loot was taken in 4,534 cases, meaning that in 11%of cases the perpetrator walked out the door empty handed.

Total amount taken was $38 million, of which $8 million wasrecovered.

Of the total cases, 398 were credit union robberies.

Clearance rates – arrests – vary by region but in New York Citythe most recently reported number is about 40%, meaning there is a four in 10chance of going to jail, typically for several years. Crosscountry, bank robbery usually has one of the highest clearancerates, in part because of all the photographic evidence of therobbery.

Now for the big question: what's the take for the criminals?About $7,500 per heist. Granted, it's for a few minutes work but, typically, itwill be split several ways – and remember the downside risk ofspending a few years in a federal prison.

U.S. News & World Report quotes researchers, saying: “Robbing banks is no longer whatyou would call a crime of choice.”

That's because there are lots smarter ways to take moneyfrom financial institutions. They don't involve guns. And rarelyresult in jail time.

Here's a look:

Smile and Dial

If you got a call from the $21 million Allegheny Ludlum-Brackenridge FCU inBrackenridge, Pa., telling you your account had been compromised,please provide your PIN, so we can re-set — curse loudly and hangup. The polite may just want to hang up.

Literally dozens of financialinstitutions – often in small towns – suffer flurries of these dial-and- rob calling scams and, always,there are some dutiful citizens who precisely follow theinstructions, “re-set” their accounts and watch their accountbalances vanish.

Criminals typically use automated robo-calling tools anda purchased telephone list. They put in no real effort, so they arenot bothered by the wrong numbers and the connections to people whoare not members of the target credit union.

Their computers just keep dialing and if only one in 100 numbersis pay dirt, it still is a rich return.

Arrest rates on these crimes are slim to none.

Next: Skim the ATM

It has been going on about aslong as there have been ATMs but skimming remains a steady sourceof easy income for crooks with enough knowhow to acquire a skimmer, attach it to an ATM, and –usually – also install a tiny pinhole camera to get PINs.

Security blogger Brian Krebs showshow small – and undetectable – skimmers have gotten.

Even giant Navy Federal, the $52billion Vienna, Va., fell victim when one of its ATMs inGermantown, Md., had a skimmer affixed, according to policereports.

Across the country, in Camas, Wash., the $193 million Lacamas CreditUnion also fell victim.

Every week, there are more skimmer cases that surface, usuallywith no arrest of the suspects.

The typical moment of vulnerability for the crook is retrievingthe skimmer, the camera, and their data. Time that right – say,late on Sunday night – and arrest is highly unlikely.

The crime can be very lucrative. One crook in Milwaukee issaid by police to have stolen around $3 million from 200 bankcustomers in a flurry of thefts.

The shift to PIN-and-chip EMV cards is supposed to put an end to skimming, but until2015, skimmer crooks will have a clear path to profits.

Next: Identity Theft

“Know Your Customer” may be a banking mantrabut identity theft, associated with fraudulent loans, money laundering andmore, is one of the nation's fastest-growing types of financialcrime. It wins a high rank in the recent FTC round-up of complaint categories.

There is no obvious or easy curefor what is becoming an epidemic of stolen identities.

In a mobile world, it is easy to become someone else and it also is easy, in some cases,to persuade financial institutions that one is who one isn't.

This crime is one that at least occasionally ends in arrest of the perpetrator, as happened with a 26 year-oldArmenian living in Southern California who recently wasarrested in a massive identity theft fraud involving millions ofdollars and at least one credit union victim, $666 million , LasVegas-based One Nevada, according to police reports.

Next: Zeus Rules

Financial institution theft does not get bigger than Zeus, a long-running cybercrime that has looted hundreds ofmillions of dollars – possibly billions – from innumerablevictims.

It works like this. A criminal buys a Zeus kit – at any of manycybercrime bazaars. Zeus is such a well-established tool that it issold in what experts call a “malware as a service” arrangement.Tech troubleshooting and customer service come with thefee.

The criminal then seeks to inject his version of Zeus – whichtypically is customized to attack a particular financialinstitution – into victims' computers. The usual way is to rent abotnet of Zombie computers to do mass mailings of emails withinfected links and/or infected attachments (bad PDF files are acurrent favorite).

When an infected computer visits a target site – say XYX CreditUnion – the malware sends back to its controller the user's log indetails (username, password) and then it is just a matter of timingthe emptying of the victim's account.

A particularly brazen Trojan assault occurred in 2010 on theTreasury Federal Credit Union, where blogger Brian Krebs reported that the institution – which primarily serves TreasuryDepartment employees in Utah – was looted of at least $100,000 due to infections of keyloggingmalware (probably Zeus or its close cousins).

Arrests are scarce. Criminals often are in distant countrieswhere U.S. law enforcement has little reach. But even whencriminals may be U.S.-based it simply is hard to persuasively linka particular cybercriminal with a particular crime.

Zeus may be the perfect banking crime, at least from theperspective of the criminal.

Last But Not Least: Get a Job in a Credit Union

ABC News had the story: the best way, tops, to loot a financial institution isto get a job in one. Bad bank examinations plus bad accounting plusbad compliance equals a golden opportunity forcrooks with sharp pencils, suggested ABC.

The stories pile up:

* The only employee of H.B.E. Credit Union in Nebraska looted the tinyplace of $635,000 over a span of at least five years. She now is injail.

* Theresa Portillo, the sole employee of Women's Southwest FCU in Texas, stole some $3.4 million over an11-year period.

* At United Catholic Credit Union in Temperance, Mich. the soleemployee was convicted of stealing $2.1 million going back at least to1985.

* At St. Paul Croatian FCU the CEO (and others) conspired, for many years, to steal many tensof millions from the institution, mainly via bad loans. He now isdoing 14 years in federal prison.

You might say: the system works, they are all in jail.

But there are many small bank and credit union experts whowonder how many more crooked CEOs are out there. The stunning factin every prosecuted case is how long the crime had gone on. Withoutgetting detected.

Working inside a financial institution has to be the best – andcertainly simplest – way to loot one.

Note: Neither Credit Union Times nor the authorencourages theft from financial institutions. The story's purposeis trigger thinking about where best to allocate defensiveresources.