What a difference a year makes.

The top five ways to rob a credit union outlined here a year ago remain worrisome. But, ask the experts, and only one method of theft identified last year remains top of mind in 2014.

Zeus, ATM skimming and identity theft, which made last year's list, certainly are concerns inside credit union security groups. However, more current attacks are winning notice today.

Old-fashioned bank robberies did not make the cut again this year. In 2011, the most recent year for which FBI statistics are available, there were 398 robberies of credit unions, and 5,014 robberies of all kinds of financial institutions. The total amount taken, from all financial institutions, was $38,343,501.96. Monies recovered amounted to $8,070,886.97.

That puts the net loss at around $30 million.

So-called “clearance rates”, also known as arrests, for bank and credit union robberies remain high, mainly because there almost always is extensive video of the event.

Takeovers and holdups, unquestionably, are terrifying. But they are no threat to the financial stability of most credit unions. It's the new kinds of theft that can pose big threats.

Read on for the 2014 roundup of the five best ways to rob a credit union.

1. Robbing the Candy Store

“The candy store – that's what cybercriminals call CEOs,” said Neal O'Farrell, CEO of San Francisco-based Privide, a company that is specifically focused on what O'Farrell said is sharply rising interest in CEOs on the part of savvy criminals.

The reason? A typical credit union CEO may have far more access to network data than other employees. He or she may also have been too busy to attend mandatory all-staff cybersecurity awareness trainings.

By nature, a CEO also is curious, extroverted and a networker.

O'Farrell said cybercriminals send the CEO a personalized, targeted phish. It may appear to come from a trade group executive, a regulator or possibly a journalist. It will be well written, without misspellings, and may include intimacies (for example: “I haven't seen you since GAC, hope all is well.”).

It will set off no alarm bells and, almost certainly and unlike other credit union employees, the CEO has no prohibitions that limit his or her ability to click on links.

“Nine out of 10 times, this will succeed,” O'Farrell said.

In the bargain, the crook will also get the CEO's network login credentials.

“It is very hard to protect the CEO against these phishes,” said O'Farrell, who stressed that it is rare that traditional antivirus protection will successfully block such an attack.

He insisted CEOs are penetrated by cybercriminals more than people realize and certainly more than CEOs acknowledge.

“Why would they tell you?” O'Farrell asked. “And how would they know they had been penetrated?”

That's the scariest part.

Slick attacks aimed at CEOs do not loudly announce their presence. The strategy is to stay quiet and keep the CEO unaware that anything happened at all. That gives the criminal more time to harvest the rewards.

2. The Bent Repairman

“We are successful gaining entry 95% of the time,” said Tom DeSot, chief information officer at San Antonio security company Digital Defense.

DeSot referred to unauthorized entry into credit unions and banks on assignments where Digital Defense was contracted to attempt to get in.

The hiring organization usually thinks its defenses are unassailable, but DeSot said they almost always are wrong.

Here is how DeSot's team did it. First, they found out who manufactured the credit union's multifunction machines, which usually only takes a quick call or two.

Then, the security firm purchased a logo shirt from the manufacturer on eBay.

Employees wore khaki chinos, carried a tool kit and presented themselves at a credit union entry point.

“We never attempt to go through the front door,” DeSot said. “We'll go through an employee entrance or a back door.”

Why?

Front door employees usually have better training. At the back door, a smile and a dose of bonhomie was good enough to get in.

At first, workers approached the multifunction machine, but then veered off, looking for vulnerable computers. After they planted malware on them, the mission was accomplished. A crook could have slave computers inside the credit union for months before the intrusion was detected.

“We have done this in organizations with 25 employees and we have done it in organizations with 2,500,” DeSot said.

In most organizations, outside repairmen were simply invisible; they weren't watched.

Can't a badge be checked for authenticity?

“I wish I had to make a bogus badge. Nobody looks at them,” said Tim Gallagher, senior network security engineer at Nuspire Networks. “The logo shirt is enough, even though you can get them at thrift stores.”

What if an intruder gets caught?

That rarely happens in his simulations, DeSot said.

3. Phishing Members Goes Mobile

Members, many of them, have wised up about email phishing. Most consumers have developed skills to sniff out this evil spam. They hover their cursors over the link to see if it goes to their credit union or a webpage hosted in Vladivostok. They note misspelled words and tangled grammar, and then hit delete.

Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center, suggested credit unions refrain from popping corks in celebration.

That's because he said he is seeing early signs of what could develop into an avalanche of phishing email that specifically targets users on mobile devices, especially phones.

The logic is that mobile users look at email on a phone in a hurry. Often they are multi-tasking, eating lunch at a fast-food restaurant, on a subway heading home or taking the dog for a walk. It's not so easy to use tactics like a mouse hover to see full addresses on mobile. And the tiny screen means users aren't seeing as much, as well.

“There is an uptick in the amount of phishing attacks. A lot of credit unions have been targets,” McAfee Research Scientist Irfan Asrar said. “It's hard to spot a fake on a small screen. If you are not paying attention you can get caught.”

Most smartphones continue to ship without apps designed to detect and shut down phishes. Members must practice DIY security, and for many, that is a tall order.

4. The Hacker Inside Your Network

Could it already be happening inside credit unions? Could elite hackers – perhaps working on behalf of foreign governments – be quietly observing transactions?

Transactions tell a lot about people, such as their marital status, length of their work day and ability to stay within their budget or wildly overspend.

In past times, spies gathered that data with feet on the street. Now it can be remotely harvested by skilled hackers and, suggested multiple experts, it is far from certain that most credit unions are well defended against data eavesdroppers who have no intention of stealing even a dime.

The New York Times recently reported that hundreds of the biggest U.S. oil and gas companies have been infiltrated for some time by hackers funded by what appears to be Russian interests. The goal was industrial espionage.

Experts said similar espionage may be occurring at financial institutions.

“This has been long in coming but it is coming. There are elite hackers whose intent is not to steal money from financial institutions, just information,” said Tom Kellermann, chief cybersecurity officer at Japanese firm Trend Micro.

“These hackers are good at hiding,” said Bob Foley of Indiana security company Matrix Global Partners.

Guarding against information exfiltration may not have been a top priority at many financial institutions, but that may soon change, the experts said.

5. An Inside Job

This was the one carryover from the 2013 list because employee theft remains a big, embarrassing problem.

In Tucson, Ariz., $423 million Pima Federal Credit Union Member Services Representative Jessica Vidal was accused of looting $23,000 from five member accounts. She got that money by telling credit union co-workers that the members, allegedly victims of fraud, asked her to withdraw funds from their accounts.

She is also accused of obtaining $54,000 in fraudulent loans using member Social Security numbers.

In Lynchburg, Va., the federal government recently indicted Linda Sue Newcomb, onetime general manager of the failed Lynrocten Credit Union. She is accused of stealing millions by misappropriating member personal information and taking out loans in their names.

In Lawrence, Kan., onetime Jayhawk Federal Credit Union manager Karolyn Stattelman recently pled guilty to stealing $175,000.

Jayhawk was merged out of existence earlier this year.

Seemingly weekly a credit union employee is arrested, or confesses to embezzlement or other misuse of member funds and personal information. In many cases, the embezzler is a trusted, longtime employee with significant seniority.

Many are caught. How many aren't?

Nobody really knows, and that is why this threat is real.
