The news seemed too good to be true. After months of collecting data about a California-based Web hosting service, the company vanished and, along with it, as much as 75% of spam throughout the U.S. Unfortunately, spam isn't the only cyber assault on credit union members and employees.

Case in point: a credit union whose e-mail addresses were used to launch 12 separate phishing attacks in just five days. The attacking e-mails invited recipients to participate in a survey. Clicking on the link brought the recipient to an online form that asked for a credit card, account number, PIN and social security number so the credit union could supposedly pay $150 for each completed survey.

Fortunately, the e-mail recipients reported the attacks and the phishing sites were shut down in less than a day; that was an easy case of cyber crime. But criminals have developed new Internet theft techniques that no longer require e-mail invitations.

Sinowal is a virus embedded inside the files used for Web graphics, animations and sounds. You can be infected by visiting the page; you don't have to click a thing. If the victim's computer doesn't have the latest security patches, the virus gets installed.

Hundreds of thousands of Web pages have been found to initiate "drive-by infections" such as Sinowal. In 2008, Sophos researchers claimed that 6,000 new Web pages were infected daily.

The virus latches onto the computer's master boot record, where it waits until the user visits one of 2,700 financial Web sites. Then the virus injects a fake Web page or several fake prompts onto the victim's screen. The fake page and prompts ask for the user's date of birth, social security number and more, then send the information to the thieves.

The RSA FraudAction Research Lab says the Sinowal exploit has stolen the log-in credentials for at least 300,000 checking and credit card accounts since it appeared on RSA's radar three years ago.

While most cyber criminals abandon their attacks within a few days, Sinowal's perpetrators have remained in control of the virus for years, updating it periodically to keep the detection software industry working overtime. They have also been collecting consumer information for later use.

More devastating is the spike in attacks that RSA security discovered from March through September of this year. Sinowal compromised over 100,000 accounts during that period, nearly tripling its previous rate.

Believe it or not, protecting against Sinowal isn't difficult. Users simply need to patch their systems and be careful about entering more or different information on a credit union's Web site than had been requested.

By now, consumers should know how to spot fishy questions as well as phishing e-mails. They should also know how to patch their systems. But you might be surprised by your members' responses to a 10-question quiz on their phish-finding skills (found at http://www.sonicwall.com/phishing). You might be just as surprised by your employees' responses to the same quiz.

Why are we still susceptible to cyber attacks? The answer could be in the forms that credit unions use on their Web sites. Ambiguous language and industry turmoil open the door for phishers to twist a credit union's words into an attractive yet deadly e-mail.

Merger announcements and other crisis communications typically lack precision due to the tight timeframes in which they are written. Our procedures for recovering forgotten passwords or opening new accounts can confuse members if not carefully written and tested. Criminals take maximum advantage of unclear phrasing and exceptions to credit union privacy rules.

For example, credit unions loudly proclaim that only phishers request personal information such as usernames, passwords, credit card numbers, social security numbers and date of birth via the Web. Unfortunately, when I recently clicked on a "forgot my password" link at my institution's Web site, I found myself on a page that requested everything that a cyber thief could ever want.

The same thing happened two weeks later when I clicked on my institution's "open a new account" link. No matter that I had already logged into my checking account and reviewed my balances and paid a few bills. I was sent to a page that required all of my personal information all over again.

If financial institutions are going to protect consumers from cyber crime, then e-mails and Web pages need to be cleansed of the very questions that thieves ask time and again. Only when credit unions have eliminated their own inconsistencies can they confidently tell their members that "any e-mail or web page that urgently requests your personal financial information should arouse your suspicion."

So far, financial institutions remain their own worst enemies in the fight against cyber crime. You can break the cyber crime cycle by asking your members to review the following tips:

  • Never enter confidential information into an e-mail form.
  • Do not click on links provided via e-mail, especially if you were not expecting the e-mail. Contact the sender to verify if it was his or her intention to send this e-mail. Be sure to use the contact number that the company gave you, not the one in the e-mail.
  • Do not reply directly to an e-mail from a company. Instead, check with the real company using their contact number, not the one in the e-mail.

Credit unions should consider offering Internet security classes or even a short test prior to awarding a license for Web-based banking. Credit unions should also continue to carefully review how they communicate with their members via e-mail and the Web.

Finally, advise your members to check their accounts and statements regularly and to report abuse immediately. More often than not, these warnings will make the difference between a minor crime and a catastrophe.


John Jaser is Internet security manager at Avon, Conn.-based COCC Inc. He can be reached at 860-678-0444 or [email protected]


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.