Credit unions have been targeted for phishing attacks, which turns out to be a foreshadowing of things to come. Rather than being targets because they are a different subset of the financial services sector, they are actually part of a bigger goal of hitting smaller financial institutions.
It makes a lot of sense for phishers to head this direction. Big financial institutions are on to their game, and have the resources to quickly thwart the efforts. Smaller firms, on the other hand, lack those resources. While targeted smaller, localized institutions may seem lacking in the economics department (less targets meaning less hits, and more phishing site customization necessary), look at it this way: target one money-center bank with millions of spams, and get a tiny hit rate (because many recipients won’t even have an account at the institution); or target hundreds of thousands of emails with some understanding of geo-location and financial institution proximity, and get a much higher hit rate.
Its a multi-variant equation: (Hit rate X amount taken per account) minus cost of operation = profit.
Plug some numbers in and see if it makes as much sense to you as it does to phishers.