The mayor of a Queensland council that lost nearly $2 million in an alleged international fraud attack says the perpetrators used artificial intelligence able to “imitate personalities”.

Noosa Council Mayor Frank Wilkie said the council was the victim of a “sophisticated” scheme in December 2024, with details kept quiet as authorities investigated.

The council estimated it lost $2.3 million initially, however about $400,000 was recovered, leaving the local government and ratepayers out of pocket $1.9 million.

Noosa Council chief executive Larry Sengstock said the alleged attack was not to blame for the 6.7 per cent rate rise earlier this year and that council services had not been affected.

Police investigating

Queensland Police and the Australian Federal Police (AFP)-led Joint Policing Cybercrime Coordination Centre are investigating the alleged scam.

Noosa council loses $2m in alleged international fraud incident

Noosa Council alleges it was targeted by “international criminal gangs” in December last year.

Mr Sengstock said the council was not aware it had lost $2.3 million in ratepayer funds until it was contacted by authorities.

“They [police] were aware of a group that was operating and unfortunately, we were the victims of the crime,” Mr Sengstock said.

“They’ve come in, perpetrated the crime and taken the money. That money was taken overseas very quickly.”

He said about $400,000 was returned with the help of banks and authorities.

Cr Wilkie said police asked the council not to publicly disclose anything related to the fraud, but admitted he had not spoken to police himself.

“We did have reporting obligations to the Queensland Audit Office and relevant state departments which we had to abide by as well, so we did disclose to those relevant departments,” he said.

Staff not to blame

Cr Wilkie and Mr Sengstock declined to discuss the incident in detail.

They said council staff were not to blame and no-one had lost their job over the incident. 

“We don’t want to broadcast what that [the scam] was, reveal the criminals’ tactics or expose any staff to unfair criticism,” Cr Wilkie said.

A man in a suit stands in a lecturn with microphones in front of a Noosa Council banner.

Frank Wilkie says international fraudsters used artificial intelligence. (ABC News: Jessica Ross)

The mayor said AI technology was used by the international fraudsters.

“It enables skilled fraudsters to imitate personalities and individuals to a very high degree,” Cr Wilkie said.

The mayor and chief executive said the council would update its software and procedures, and recruit additional staff to better protect itself against similar attacks.

“I’m advised by our team that we intercept between 500 and 1,500 attempts at cyber hacking a day, and that a fake email sent on behalf of myself and the CEO was sent out every second day,” Cr Wilkie said.

‘Human vulnerabilities’ exploited

Former FBI agent and University of the Sunshine Coast cybersecurity expert Dennis Desmond said AI technology was likely used to convince a council staff member to approve large transactions of money.

A headshot of a man in a suit.

Dennis Desmond says there is always human vulnerability. (Supplied: University of Sunshine Coast)

“No matter how good your cyber security, network security, and device security are, there’s still the human factor you have to deal with,” Dr Desmond said.

“The criminals were probably able to collect a lot of open-source information on the council, its members and its organisational chart, and all sorts of data from public sources, as well as passports and breach data.”

Dr Desmond said the scam may have involved exploiting human vulnerabilities in the council’s security system — assuming the council at least had an approval process or multi-factor authentication to transfer or release funds.

“And they [the scammers] were then able either to craft a phishing email, which is probable, or they may have been able to craft voice mimicry using deepfake technology … using AI in order to convince someone to release the funds or transfer the funds,” Dr Desmond said.

“This relies on exploiting human weaknesses rather than software or hardware vulnerabilities and is fairly common with international organised crime as well as nation-state actors.”

Ratepayers reportedly not affected

Mr Sengstock said ratepayers were not affected.

Cr Wilkie said insurance would cover the losses.

“We’re hoping to claw back a bit more,” Cr Wilkie said regarding the council’s finances.

“Noosa Council is a financially sustainable council, and it has not affected the delivery of services or operations.

“We had an external forensic IT expert look at what occurred, and there’s absolutely been no breach of residents’ or ratepayers’ data.”