Queensland’s Noosa Council has lost $1.9 million to international scammers who used artificial intelligence and social engineering to defraud the council of ratepayer funds.
In what Noosa Council chief executive Larry Sengstock described as a “major fraud incident” the scammers used “sophisticated social engineering AI techniques” to defraud the council of $2.3 million in ratepayer funds.
The council has been able to recoup approximately $400,000 of that by working with banks and authorities, according to the ABC, though Sengstock confirmed Monday the council was left with $1.9 million in losses.
“We won’t disclose specific details of how the fraud occurred to protect staff and from highlighting the criminals’ actions," said Sengstock.
“However, we can reveal that the fraudulent activity was sophisticated, strategic, and targeted.”
Scammers targeted the south-east Queensland council sometime during the 2024 Christmas period, while Sengstock said the council was first made aware of its losses after being contacted by authorities.
The scam was perpetrated by “international criminal gangs” which were already being tracked by the Australian Federal Police (AFP) and Interpol.
Sengstock said the council was initially directed not to make the matter public so as to not compromise the AFP, Interpol and Queensland Police’s ongoing investigation.
At the time of writing, the incident remained under investigation with the AFP Joint Policing Cybercrime Coordination Centre.
‘Not related to cybersecurity’
Despite the incident involving social engineering – a highly popular cybercriminal method – Sengstock emphasised the fraud was “not related to cybersecurity”.
“Council systems were not breached or affected, no data was stolen and there was no impact to the public or our services,” he said.
“This has been confirmed by external forensic IT experts engaged by council to ensure ratepayers were protected.”
Noosa Council was defrauded by international criminal gangs. Photo: Noosa Council
Sengstock explained the fraudsters were successful in spite of Noosa Council having dedicated “processes and procedures to mitigate this type of event”.
“Unfortunately, in this instance they were not effective enough, as this crime was committed by highly organised, professional criminals who found a way through our processes,” he said.
Sengstock maintained no council staff were at fault or involved in the criminal activities and that the council has since implemented a range of recommendations from the Queensland Audit Office to improve its processes.
AI social engineering on the rise
Social engineering is a prominent cybercriminal attack method where victims utilise social and technological techniques to manipulate a victim into taking action under false pretences.
For example, a scammer could pretend to be an executive staff member and ask an employee to authorise a large transaction – something made all-the-more achievable thanks to AI voice replication technology.
Social engineering scammers may also use email, SMS, phone calls or social media messages to trick people into handing over personal data or system access credentials.
Such was the case for Qantas, which suffered a data breach in June after a staff-member in a third-party call centre was tricked into handing over access details to another, third-party platform.
This particular attack resulted in some 5 million Qantas customer records being published to the clear and dark web earlier this week.
Nalin Arachchilage, associate professor in cybersecurity at RMIT University, told Information Age the incident was a “timely reminder that cybersecurity isn’t confined to the IT department”.
“AI has supercharged the art of deception,” said Arachchilage.
“[It] can imitate writing styles, voices, and even identities with alarming accuracy.
“Cybersecurity defences must now include our systems – and our psychology.”
Indeed, Sengstock was told by police that “these types of incidents are on the rise and should act as a warning for organisations to continually review their procedures”.
“Police tell us to ensure you are continually reviewing processes and verify the legitimacy of any contact before making any sensitive changes,” he said.
“Council takes its financial responsibility very seriously and on behalf of management I am sorry that this has happened.”
