The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link—to a phony website set up by criminals—and enter their account information to fix the problem.

But what happened later that Friday afternoon—after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam—really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat.

That’s when Dougherty realized that he was dealing with something he hadn’t seen before. And he couldn’t describe it with conventional terms like phishing or spamming. This was an organized criminal conspiracy targeting his bank. “This wasn’t random,” he says. “They saw what we were doing with the credit card and came at us hard.”

Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear indication of how far online crime, which is now a $2.8 billion business according to research company Gartner, has come in the past few years.

Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group.

As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.