SAN FRANCISCO--No one is immune from cyberthreats, not even the head of the FBI.
FBI Director Robert Mueller was banned by his wife from doing online banking after he nearly fell for a phishing scam, he said on Wednesday during a talk at the Commonwealth Club of California.
He received an e-mail purporting to be from his bank that looked "perfectly legitimate" and which prompted him to verify some information. He started to follow the instructions but then realized that that "might not be such a good idea," he said.
"Just a few clicks away from falling into a classic Internet phishing scam," Mueller "barely caught himself in time" and admitted he "definitely should have known better."
He said he changed his passwords and tried to pass the incident off to his wife as a "teachable moment," but she was having none of it and told him, "It is our money. No more Internet banking for you!"
(He would have benefited from reading Larry Magid's tips for avoiding phishing scams.)
Earlier on Wednesday, the FBI in Los Angeles announced indictments of 100 people in the U.S. and Egypt, and the arrest of 33 people in California, Nevada, and North Carolina as part of "Operation Phish Phry"--the largest cybercrime investigation to date in the U.S.
Egyptian hackers targeted two U.S. financial institutions in phishing attacks, used the stolen bank account information to gain unauthorized access to the accounts, and coordinated with associates in the U.S. to transfer the money out of the accounts, the FBI alleges.
The U.S. defendants allegedly recruited "runners" to set up bank accounts where the funds from the compromised accounts could be transferred and withdrawn. There were hundreds or thousands of bank customer victims, the FBI estimated.
"It's the largest international phishing case ever conducted," Mueller said.
Many of the scams come from people in Eastern Europe, he said. To support investigations in Romania, the FBI has agents embedded in the police agencies there and managed to arrest more than 100 people in that country and in the U.S. in the last year, he said.
During a question-and-answer session, Mueller was asked how vulnerable the U.S. is to attacks on its critical infrastructure. The U.S. is "well ahead of just about any country (in) walling off access to outsiders to our most sensitive" systems, he said. Officials have seen instances of cyberattacks by terrorists, but "they have not yet been of the magnitude that would cause us substantial concern," Mueller said.
Meanwhile, terrorists are using things like Google Earth as tools in their mission, he said.
One audience member submitted a comment card saying that the fear of the FBI reading citizen e-mail was greater than the fear of teenage hackers. The FBI does not intercept communications without a court order of some kind, Mueller said. "I would worry about that teenage hacker more than you should worry about us," he added.
"I'm comfortable with the stances we've taken," on balancing civil liberties and national security, he said, adding that he supports the Patriot Act because it "broke down the walls between the intelligence community and law enforcement." He warned people against revealing too much of their lives online, on sites like Facebook.
The personal moments shared with friends as a youth may later "come back to haunt you" during a job search, he said, despite the use of passwords and the supposed anonymity of screen names. "To the extent that you are going to rely on that forever, it's very, very weak security," Mueller said.
"I do not have a Facebook profile," he later added.
Young hackers also shouldn't expect to parlay their computer skills into a legitimate career if they get arrested for breaking into systems and serve time, he warned.
"You hack, you get caught," he said. "You are going to jail... You are not going to get a good job afterward. You are going to be identified as a person who has broken the law."
Asked what keeps him awake at night, Mueller responded: "The threat of a weapon of mass destruction in the hands of a terrorist... One person with access to a biological or chemical agent can cause massive harm."