Fraudsters are aggressively attacking smaller financial institutions, casting a wider and deeper net as they expand their target list beyond the largest banks and online retailers. Within a 24-hour period early this week, the Netcraft Toolbar community reported attacks on six different regional US banks or credit unions, none of which had previously been targeted by phishing scams. This flurry was followed by attacks on several more fresh targets, including banks whose operations are limited to a single U.S. state.

The message to the financial community is clear: there is no security by obscurity when it comes to phishing. Institutions that have fancied themselves too small or too local to be a useful target for phishers may soon find themselves attacked. In recent weeks convincing spoofs have emerged mimicking the web sites of financial institutions with modest assets and customer counts. Many of these spoof sites operate from servers in Korea, Taiwan, China and the Far East, as well as U.S. hosts.

By spreading their attacks to a larger number of targets, fraudsters are increasing their chances of success. In some cases, smaller targets offer distinct advantages when it comes to launching phishing attacks. Credit unions are usually affiliated with a particular company, university or government agency, which allows fraudsters to target a defined set of e-mail addresses that are likely shared by all members. This can offer the fraudster the opportunity of achieving near blanket coverage amongst the institutions' customers, while decreasing the time required to send the mails, and thereby increasing the effectiveness of the attack.

Smaller financial institutions who have not yet implemented a plan for dealing with phishing attacks will need to act with some urgency, as they can reasonably expect to be targetted.