A beachside council has kept ratepayers in the dark for months after losing millions to an international crime gang using “social engineering AI techniques”.
Noosa Council has revealed it was defrauded $2.3 million in December 2024, sparking a major police investigation.
However the council did not tell ratepayers for more than 10 months and has been tight-lipped about the nature of the “well-organised cyber fraud”.
“The criminals used sophisticated social engineering AI techniques but we won’t disclose specific details of how the fraud occurred to protect staff and from also highlighting the criminals’ actions,” council CEO and basketball great Larry Sengstock said.
The four-time Olympian and former Basketball Australia boss said about $400,000 had been recovered, bringing the total loss to $1.9 million.
“Police say that these types of incidents are on the rise and should act as a warning for organisations to continually review their procedures,” he said.
Mr Sengstock emphasised that it was not a cyber security attack and no council staff were at fault or involved in the “sophisticated, strategic and targeted” fraud.
“Council systems were not breached or affected, no data was stolen and there was no impact to the public or our services,” he said in a statement.
The Australian Federal Police had instructed the council not to disclose the scam due to the risk of compromising an investigation, he said.
The council had reported the incident to the Queensland Audit Office and relevant ministers, with the fraud being investigated by the federal police and Interpol.
The AFP has been contacted for comment.
“Council takes its financial responsibility very seriously and on behalf of management I am sorry that this has happened,” Mr Sengstock said.
“Unfortunately, as we are seeing every day in the media, scams and frauds are on the rise, and many companies and organisations are being targeted.”
The Noosa Council fraud coincides with the release of the Australian Signals Directorate’s annual cyber threat report.
It reveals that while reports of cybercrime are down overall, businesses were exposed to heavier financial impacts.
The average cost of cybercrime to large businesses was $202,700 in the past financial year – up 219 per cent on the previous year.
