What should a credit union do when its name is involved in a phishing expedition for personal account information that could be used in identity theft?

"The first thing that credit unions need to do, if someone sends them an e-mail that they believe to be fraudulent, is to get the word out to their members," said Dorothy Steffens, vice president of web services at the Credit Union National Association (CUNA).

That's what CUNA did Tuesday morning when it discovered someone had sent credit union members an e-mail purporting to come from CUNA's website. The fraudulent e-mail message attempted to collect members' usernames and password information.

The message contained graphics from CUNA's website, including the America's Credit Unions logo and the word "Consumer," and was addressed to credit union members. It claimed it was verifying accounts and told the member: "Your credit union account may be slightly out of date or incomplete. This irregularity can and must be fixed through the Credit Union National Association Confirmation process..." It asked for the recipient to log in and confirm identity at a link.

CUNA has no such link on its cuna.org website, and there is no confirmation process for accounts at CUNA. CUNA does not have access to credit unions' member accounts.

CUNA immediately put a fraud alert on its web site to notify members not to click on the website link. The notice says that "we would never ask for any credit union account information, PIN number, access code, and that if they are asked for this information, to immediately contact us," said Judy Cooper, CUNA senior vice president and associate general counsel. "We tried to get the word out to make sure members were protected," Cooper said.

"CUNA also contacted credit unions whose members we believe had received the e-mails," Cooper said. Each credit union was asked to alert its members. Many started with notices on their websites. Cooper says CUNA also has contacted the Federal Bureau of Investigations and is talking to regulators. However, says Steffens, "the best thing to do is educate members in advance and let them know that their credit union protects their personal privacy and would never request personal information such as usernames, account numbers, PIN or Social Security numbers in an e-mail."

"They should also tell members that if they have filled out any type of form on the web that has asked for their credit union account personal information to contact the credit union immediately," Steffens added.