(Source: Tulsa World)

By Phil Mulkins, Tulsa World, Okla.
Nov. 6--Dear Action Line: I got an e-mail, apparently from my bank, about "suspicious activity" on my account. Before giving the information it requested I called my bank and was told the e-mail was a "phishing attack." What the heck is this? -- Mrs. S.O., Tulsa.
Phishing: This word is abbreviated Internet jargon for "password fishing" -- an attempt by criminals to obtain credit card, bank account, routing and ID numbers so they can steal from you. Most often the messages appear to originate at banks or credit unions.
APWG: The Anti-Phishing Working Group Web site -- tulsaworld.com/APWG -- says the "number and sophistication of phishing scams reaching consumers continues increasing dramatically." While online banking and e-commerce are very safe, as a general rule you should be careful about giving out your personal financial information over the Internet.
Digital signatures: The group compiled a list of recommendations for avoiding such scams, warning us to be suspicious of e-mails bearing urgent requests for our personal financial information. Unless the e-mail is digitally signed -- see S/MIME digital signatures at tulsaworld.com/DigitalSignatures -- you can't be sure it wasn't forged or "spoofed" -- constructed to mimic.
Getting personal: Phishers typically include upsetting or exciting (but false) statements in e-mails to elicit immediate, impulsive reactions. They ask for user names, passwords, credit card numbers, Social Security numbers, dates of birth, etc. Phishing attacks are not usually personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized (addressed to you, using your full name or the name you sign your accounts with). Always call to check if you are unsure -- don't just assume the communication is real and type in what it asks for.
No links: Don't use the e-mail links or information from an instant message or chat room to get to any Web page. If you suspect the message is not authentic or you don't know the sender or user's handle, call the company or log onto its Web site directly by typing the URL into your browser address box. Never enter personal financial information into forms attached to e-mails. Give credit card or account numbers only over secure Web sites or telephone numbers.
Spoofing: Ensure you are using a secure Web site when submitting credit card or other sensitive information over your Web browser -- phishers are "spoofing" (forging) the "https://" URLs present on secure Web servers. Make it a habit to enter the address of the bank, shopping site, auction house or financial transaction Web site using the address you have for the site -- not the displayed links in unsolicited e-mails. Phishers also forge the "yellow lock" symbol normally at the bottom of the screen of secure sites. The lock has usually been considered an indicator that you are on a "safe site." No more.
Take care: See the APWG's treatise on this at tulsaworld.com/APWGphishing and the US-CERT offering at tulsaworld.com/USCERTphishing. Let's be careful out there.
Submit Action Line questions by calling 699-8888, by e-mailing phil.mulkins@TulsaWorld.com or by mailing them to Tulsa World Action Line, PO Box 1770, Tulsa OK 74102-1770.
-----
Copyright (c) 2009, Tulsa World, Okla.
Distributed by McClatchy-Tribune Information Services.