The mayor of a Queensland council that lost nearly $2 million in an alleged international fraud attack says the perpetrators used artificial intelligence able to “imitate personalities”.
Noosa Council Mayor Frank Wilkie said the council was the victim of a “sophisticated” scheme in December 2024, with details kept quiet as authorities investigated.
The council estimated it lost $2.3 million initially; however, about $400,000 was recovered, leaving the local government and ratepayers out of pocket $1.9 million.
Noosa Council chief executive Larry Sengstock said the alleged attack was not to blame for the 6.7 per cent rate rise earlier this year and that council services had not been affected.
Police investigating
Queensland Police and the Australian Federal Police (AFP)-led Joint Policing Cybercrime Coordination Centre are investigating the alleged scam.
Mr Sengstock said the council was not aware it had lost $2.3 million in ratepayer funds until it was contacted by authorities.
“They [police] were aware of a group that was operating and unfortunately, we were the victims of the crime,” Mr Sengstock said.
“They’ve come in, perpetrated the crime and taken the money. That money was taken overseas very quickly.”
He said about $400,000 was returned with the help of banks and authorities.
Cr Wilkie said police asked the council not to publicly disclose anything related to the fraud, but admitted he had not spoken to police himself.
“We did have reporting obligations to the Queensland Audit Office and relevant state departments, which we had to abide by as well, so we did disclose to those relevant departments,” he said.
Staff not to blame
Cr Wilkie and Mr Sengstock declined to discuss the incident in detail.
They said council staff were not to blame and no-one had lost their job over the incident.
“We don’t want to broadcast what that [the scam] was, reveal the criminals’ tactics or expose any staff to unfair criticism,” Cr Wilkie said.
The mayor said AI technology was used by the international fraudsters.
“It enables skilled fraudsters to imitate personalities and individuals to a very high degree,” Cr Wilkie said.
The mayor and chief executive said the council would update its software and procedures, and recruit additional staff to better protect itself against similar attacks.
“I’m advised by our team that we intercept between 500 and 1,500 attempts at cyber hacking a day, and that a fake email sent on behalf of myself and the CEO was sent out every second day,” Cr Wilkie said.
‘Human vulnerabilities’ exploited
Former FBI agent and University of the Sunshine Coast cybersecurity expert Dennis Desmond said AI technology was likely used to convince a council staff member to approve large transactions of money.
“No matter how good your cyber security, network security, and device security are, there’s still the human factor you have to deal with,” Dr Desmond said.
“The criminals were probably able to collect a lot of open-source information on the council, its members and its organisational chart, and all sorts of data from public sources, as well as passports and breach data.”
Dr Desmond said the scam may have involved exploiting human vulnerabilities in the council’s security system — assuming the council at least had an approval process or multi-factor authentication to transfer or release funds.
“And they [the scammers] were then able either to craft a phishing email, which is probable, or they may have been able to craft voice mimicry using deepfake technology … using AI in order to convince someone to release the funds or transfer the funds,” Dr Desmond said.
“This relies on exploiting human weaknesses rather than software or hardware vulnerabilities and is fairly common with international organised crime as well as nation-state actors.”
UNSW AI Institute chief scientist Toby Walsh warned data leaks may make it easier for these new types of AI attacks to occur.
“AI is also being used to personalise the attacks as well,” Professor Walsh said.
“For example, the Qantas data that was leaked recently, that might be weaponised by people using AI to send personalised phishing emails, or SMSs to those people.
“Now, it’s very easy for someone to be on the phone that sounds like your boss, [but] it turns out to actually be AI.
“We have to realise that we can’t trust our ears or our eyes.”
Ratepayers reportedly not affected
Mr Sengstock said ratepayers were not affected.
Cr Wilkie said insurance would cover the losses.
“We’re hoping to claw back a bit more,” Cr Wilkie said regarding the council’s finances.
“Noosa Council is a financially sustainable council, and it has not affected the delivery of services or operations.
“We had an external forensic IT expert look at what occurred, and there’s absolutely been no breach of residents’ or ratepayers’ data.”
Jan Saunders says the scam had been widely discussed by concerned locals. (ABC Sunshine Coast: Jessica Ross)
Noosa resident Jan Saunders said it was alarming to see the council targeted by scammers.
“It’s rife, it happens everywhere and I think it’s a timely reminder that anyone can get scammed, including council,” she said.
“If you’re not concerned about it, I think you’re asleep at the wheel.”
Ian Hunt, also from Noosa, was worried about how creative scammers were becoming.
“The scams are pretty sophisticated these days — I guess it shows no-one is immune,” he said.
“I don’t really understand it, so I’m fairly careful with it, but I’m sure I could easily be caught.”
Councils on high alert
The AI scam has served as a warning for other local governments.
Sunshine Coast Council has reassured its residents it has a proactive cybersecurity program in place.
“Our systems block millions of threats each year, and we maintain constant monitoring and conduct regular audits to ensure [their] integrity,” a spokesperson said.
“Importantly, there have been no data breaches affecting our council.
“We have multiple layers of protection and robust processes to safeguard the personal information of our residents, staff, and stakeholders.”
In an Ipswich City Council meeting this morning, general manager Matt Smith said his team was working to “understand what they can” about the Noosa attack to boost their own security measures.
“Councils should not be complacent; they are targets,” he said.
“This doesn’t appear to be a hack. It’s a very well-crafted AI-based social influencing attack, where they may have breached a vendor and then used those details.
“We are putting a number of protocols in place, and we are constantly reviewing [them] and will continue to work through, and if there are opportunities to strengthen and prevent that we will.”