Is Bundaberg Next? Security Fears Rise After Major Gold Coast and Noosa Council Scams

Queensland councils are on high alert after two recent “sophisticated” frauds drained more than $5 million in public funds. An ABC News investigation found that “two of Queensland’s largest local councils have been fleeced out of more than $5 million by scams involving artificial intelligence” over the past year. In November 2023, the Gold Coast City Council fell victim to supplier fraud totalling $2.78 million. Then, in December 2024, the Noosa Council lost about $2.3 million in a similar attack. Working with banks and police, Noosa has recovered roughly $400,000, leaving nearly $1.9 million unrecovered. The scams were linked to “international criminal gangs” using AI-powered social engineering to trick council staff.

How Was It Done?

Noosa Council CEO Larry Sengstock described the incident as a “major fraud” that was “sophisticated, strategic and targeted”, but emphasised it was not a cybersecurity breach. “Council systems were not breached or affected, no data was stolen, and there was no impact to the public or our services,” Sengstock said in a statement. In other words, malicious actors did not hack into computers; they manipulated internal processes. Preliminary findings suggest scammers used deepfake voice and email techniques to impersonate executives and vendors. As Sengstock put it, “the criminals used sophisticated social engineering AI techniques,” but the council “won’t disclose specific details of how the fraud occurred to protect staff and … avoid highlighting the criminals’ actions”. It was a con built on exploiting human trust and procedure gaps, rather than a traditional data breach.

The Gold Coast fraud likewise involved tricking accounts staff. A Queensland Audit Office (QAO) review of that case found fraudsters had changed a legitimate supplier’s bank account details by submitting falsified paperwork and making phone calls to the council’s finance department. Investigators faulted the Gold Coast for “lack of documentation” and “failure in the process and controls” around vendor updates. The council responded by tightening record-keeping and adopting all of the audit’s recommendations. (Mayor Tom Tate later said his council’s internal controls “met industry standards,” even as they adopted the QAO advice.) Noosa’s case appears to have been even more elaborate, but the result was similar: millions wired offshore under false pretences.

In response to these scams, state authorities say all councils must review procedures immediately. The QAO had already warned in early 2024 that controls around vendor data changes needed strengthening. The findings from the Gold Coast case were circulated to every local government entity in March–April 2024, urging councils to bolster approval checks for any request to alter payment details. Experts stress that this is no time for complacency. “Councils should not be complacent; they are targets,” Ipswich City Council’s general manager Matt Smith warned after the Noosa news broke. He noted the attack “doesn’t appear to be a hack” but rather a “well-crafted AI-based social influencing attack”, implying that even robust IT defences can be bypassed by human deception.

The Warning

Local government technology specialists echo this warning. Sunshine Coast cybersecurity expert Dennis Desmond noted that no matter how strong computer security is, scammers exploit the “human factor”. AI tools make it easy to clone voices or create hyper-realistic emails, as Noosa’s Mayor Frank Wilkie explained: “AI technology … enables skilled fraudsters to imitate personalities and individuals to a very high degree,” he said. In fact, Wilkie revealed Noosa intercepted fake emails supposedly from the mayor and CEO every second day, illustrating how aggressive the campaign was. Former FBI agent Dr Toby Walsh similarly cautioned that “AI is also being used to personalise the attacks,” making it “very easy for someone to be on the phone that sounds like your boss” even though “it turns out to actually be AI”.

For regional councils like Bundaberg’s, these incidents are a wake-up call. Bundaberg Regional Council has not reported any loss on this scale, but locals say vigilance is key. In fact, Bundaberg itself faced a related threat in 2016 when scammers targeted several Queensland councils by posing as contractors. At that time, Bundaberg councillor Helen Blackburn noted the staff’s rigorous training had “ensured the safety of the Bundaberg Regional Council assets” by spotting and stopping the fake invoices before any money changed hands. But with today’s AI-enhanced schemes, there are concerns that even well-trained employees might be fooled. Greg Hallam of the Local Government Association of Queensland, speaking about these kinds of threats, described them as “a new sophisticated fraud risk” that requires urgent action.

Businesses in Bundaberg are paying attention, too. Every dollar lost to international scammers is a dollar taken away from funding important local infrastructure and supporting local jobs. For the Bundaberg community, supporting trusted local enterprises is key to keeping the regional economy strong. Whether it’s choosing a local builder or finding a specialist for a crucial service like a quality clutch replacement in Bundaberg, local spending underpins the stability that major councils seem to have lost.

With more than a million dollars still at stake in Sunshine Coast scams, Bundaberg’s leaders say they are reviewing their controls. Council CEO Steve Johnston has previously warned locals about gift-card phishing scams, advising residents to verify any unusual requests (e.g. by phoning Council’s switchboard). Now, under growing scrutiny, the council has vowed to audit its own payment procedures and train staff in the latest AI-fraud indicators. Residents and ratepayers will be watching closely. As one local cybersecurity consultant points out, “In this new landscape, it’s not enough to trust your eyes and ears; every transaction needs a second look.”