BEDFORD, Mass. — Foiling online fraudsters will continue to be a job for multitaskers in the years ahead, according to Chris Young, vice president and general manager of the Consumer Solutions Business Unit for RSA, the Security Division of EMC.
RSA Security made headlines in 2006 by acquiring PassMark, a pioneer in watermark dual-factor authentication (with deep credit union roots), and Cyota Inc., creator of a sophisticated detection network that combs the Web and shuts down phishing sites for thousands of financial institutions and other organizations worldwide. The Bedford-based company itself then was acquired by EMC, the data warehousing and management giant, and now operates as RSA, the Security Division of EMC.
Young says the best defense so far against the blizzard of phishing and other fraud attacks is a multitasking approach that combines stronger authentication techniques by consumers on the front end with back-end risk analytics and active defensive measures by financial services providers, both in-house and through third-party anti-fraud networks.
RSA, of course, operates one of those networks and in 2006 saw a 40% growth in the number of phishing attacks detected.
"Meanwhile, we're seeing the actual instances of fraud going down, and that's because banks and credit unions are taking this layered approach to security, particularly those that went live with some sort of strong authentication per the FFIEC guidance," Young says.
Meanwhile, the end-of-the-year guidelines themselves set off a cottage industry for crooks, who launched a new type of phishing attack that tries to trick recipients into clicking on a link in an e-mail and giving their user names and passwords to register for their financial institution's new security enhancements.
The percentage of phishing attacks directed against financial institutions doubled in November to 18% from October's 9%, according to RSA (www.rsasecurity.com). Regional banks remain the most targeted FIs, at 48%, while credit unions were the focus of 34% of the attacks, down from 50% in October, the company says.
"A layered approach will not stop phishing and other attacks from coming your way, but you can stop members from being affected by them," Young says. "If you think about it this way, phishing is simply social engineering. You see the same thing in the offline world, in the physical world.
"Say I go to a cocktail party and have a chat with somebody. I might be willing to give them all kinds of information that I would not necessarily give if I thought it would be compromised.
"It's the same thing with phishing. They try to create a context in which you feel comfortable and get you to give information you wouldn't if you felt like you were being made a victim of fraud."
Now, growing consumer awareness and shared network successes in thwarting phishing attacks simply mean cyber-criminals will find new ways to target online accounts, Young says.
Increasingly sophisticated phishing attacks, some of which re-direct respondents from site to site, are one way fraudsters are trying to stay ahead, Young says. Others are constantly unfolding before the very eyes of those who would stop them.
"At RSA, we see a lot of their tests. It's like legitimate marketing campaigns. Fraudsters test their various approaches with test messages, re-directors, Trojans, you name it," he says.
In addition to taking down fraudulent sites as quickly as possible, Young says his company is working with credit unions and banks to beef up log-in authentication and other risk-based prevention capabilities "to protect users at the account level so that even if they become a victim of phishing, we can stop criminals from getting into their accounts."
Young compares the battle against phishing to the earlier effort to thwart virus attacks that captured so much attention and effort in the online world.
"We had things like CERT and other organizations that had monitors and feeds coming in from all over the world. They'd detect a new strain of virus and hopefully get the signature pushed out to people in time to prevent widespread attacks," the RSA Security executive says.
"Really, it's the same kind of approach here, right? You make sure you spot trends early, you stay vigilant and you work on behalf of thousands of financial institutions at once."
"It's a challenge but it's what security is all about," he says.
© Touchpoint Markets, All Rights Reserved.