AI-powered scam leaves councils reeling

Social engineering, amplified by technology, proves effective against defences


By Roxanne Libatique

Local councils in Queensland have become targets of sophisticated cybercrime operations leveraging artificial intelligence, resulting in financial losses exceeding $5 million over 12 months and raising questions about the adequacy of institutional controls and insurance protections across the sector.

According to ABC, Gold Coast City Council reported a loss of $2.78 million in November 2023, while Noosa Council sustained a $2.3 million loss in December 2024, with approximately $400,000 recovered from the latter incident. The thirteen months separating the two incidents, combined with evidence that security recommendations went unimplemented, underscore vulnerabilities that extend beyond individual councils to the broader local government sector.

How the councils fell victim to the frauds

The mechanisms employed in both incidents reveal the effectiveness of social engineering tactics amplified by technology. In the Gold Coast City Council scam, a fraudster persuaded accounting department staff, through falsified written communications and telephone conversations, to alter the contact and banking details held for a legitimate supplier, so that subsequent payments to that supplier were diverted.

The Queensland Audit Office (QAO) identified multiple control failures at Gold Coast City Council, including a lack of documentation supporting supplier detail changes, insufficient verification protocols when bank account information was modified, and non-compliance with established vendor management policies. The council acknowledged the findings and stated that all recommendations from the audit review had been adopted, noting that existing procedures were consistent with industry standards.
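The control the QAO found missing is easier to see in code than in prose. The following Python example is added here for illustration; it is not code from any council, the QAO or ABC, and the supplier record, phone numbers and staff identifiers in it are constructed. It contrasts the weak path, in which the change request alone updates the supplier record, with a hardened path that requires a callback to the contact number already on file (never the number that arrived with the request), a confirmation from the supplier on that call, and approval by someone other than the person who keyed the change, while writing an audit entry for every attempt.

```python
"""Supplier bank-detail change control: weak path beside hardened path.

Added example, not code from any council, the QAO or ABC. All supplier
data, phone numbers and staff identifiers are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Supplier:
    supplier_id: str
    name: str
    phone_on_file: str   # contact number recorded BEFORE any change request arrived
    bsb: str
    account: str


@dataclass
class ChangeRequest:
    supplier_id: str
    new_bsb: str
    new_account: str
    contact_phone: str   # number supplied with the request: attacker-controlled, untrusted
    requested_by: str    # staff member who keyed the change


@dataclass
class SupplierMaster:
    suppliers: dict
    audit: list = field(default_factory=list)

    def _log(self, req, outcome, reason, approver=None, before=None):
        # Documentation control: every attempt is recorded with who, what, when and why.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "supplier_id": req.supplier_id,
            "requested_by": req.requested_by,
            "approver": approver,
            "before": before,
            "after": (req.new_bsb, req.new_account),
            "outcome": outcome,
            "reason": reason,
        })

    def apply_change_unverified(self, req):
        """Weak path: the record is updated on the strength of the request alone,
        with no independent verification and no record of why."""
        s = self.suppliers[req.supplier_id]
        s.bsb, s.account = req.new_bsb, req.new_account
        return True

    def apply_change_verified(self, req, callback_number, callback_confirmed, approver):
        """Hardened path: callback to the number on file, supplier confirmation,
        and a second approver must all hold before the record changes."""
        s = self.suppliers[req.supplier_id]
        before = (s.bsb, s.account)
        # 1. Out-of-band callback must go to the number already on file, never to
        #    a number that arrived with the change request.
        if callback_number != s.phone_on_file:
            self._log(req, "REJECTED", "callback not made to number on file", approver, before)
            return False
        if not callback_confirmed:
            self._log(req, "REJECTED", "supplier did not confirm on callback", approver, before)
            return False
        # 2. Segregation of duties: approver cannot be the person who keyed the request.
        if approver == req.requested_by:
            self._log(req, "REJECTED", "approver must differ from requester", approver, before)
            return False
        # 3. Apply and document before/after values.
        s.bsb, s.account = req.new_bsb, req.new_account
        self._log(req, "APPLIED", "callback confirmed on number on file; dual approval", approver, before)
        return True


def build_master():
    # Constructed sample supplier (hypothetical name and numbers).
    return SupplierMaster(suppliers={
        "SUP-001": Supplier("SUP-001", "Example Civil Works Pty Ltd",
                            phone_on_file="+61 7 5555 0100",
                            bsb="123-456", account="00011122"),
    })


# Constructed fraudulent request: new bank details plus a "new" contact number.
FRAUD_REQUEST = ChangeRequest(
    supplier_id="SUP-001", new_bsb="654-321", new_account="99988877",
    contact_phone="+61 4 5555 0199", requested_by="accounts.clerk",
)


def run_scenario():
    """Run the same request through both paths and return the outcomes."""
    out = {}
    m = build_master()
    out["unverified"] = m.apply_change_unverified(FRAUD_REQUEST)
    out["unverified_account"] = m.suppliers["SUP-001"].account   # diverted

    m = build_master()
    # Verifier calls the number in the request: the fraudster answers and "confirms".
    out["callback_to_request_number"] = m.apply_change_verified(
        FRAUD_REQUEST, FRAUD_REQUEST.contact_phone, True, "finance.manager")
    # Verifier calls the number on file: the real supplier says they asked for nothing.
    out["supplier_denies"] = m.apply_change_verified(
        FRAUD_REQUEST, "+61 7 5555 0100", False, "finance.manager")
    # Confirmed on file number, but the clerk who keyed it also approves it.
    out["same_person_approves"] = m.apply_change_verified(
        FRAUD_REQUEST, "+61 7 5555 0100", True, "accounts.clerk")
    # Genuine change: confirmed on file number and approved by a second person.
    out["genuine"] = m.apply_change_verified(
        FRAUD_REQUEST, "+61 7 5555 0100", True, "finance.manager")
    out["final_account"] = m.suppliers["SUP-001"].account
    out["audit_entries"] = len(m.audit)
    out["last_outcome"] = m.audit[-1]["outcome"]
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the callback rule is that the number used for verification must come from the supplier record as it stood before the request, because a fraudster who can write to the record, or who can supply a contact number alongside the change, controls any verification made to that number. A third-party bank account validation service of the kind Noosa Council mentions would sit alongside these checks, not replace them.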

Noosa Council’s December 2024 incident employed deepfake technology to impersonate council representatives. The sophistication of this approach suggests an evolution in attack methodology that targets the trust relationships between organisations and their established contact networks.

Industry-wide response and recommendations

The QAO issued guidance in March 2024 to all Queensland public sector entities regarding enhanced vendor data management controls. According to QAO communications, “In April 2024, QAO’s management letter to the affected local government entity included recommendations to improve their internal controls to mitigate the risk of future attacks.”

The state government’s Department of Local Government has indicated it is providing cybersecurity support to councils. Minister Anne Leahy said: “We are working closely with the local government sector to provide cybersecurity and support.”

However, questions remain about implementation rates. Noosa Council chief executive Larry Sengstock indicated that additional measures had been put in place post-incident, including “additional internal controls, a review of all relevant operating procedures, and we are in the process of implementing a third-party software system to provide an extra layer of security in fraud prevention.” The council committed to providing a follow-up report by December 2025.

Expert analysis on AI-facilitated attack methodologies

Dennis Desmond, a cybersecurity specialist and former FBI agent from the University of the Sunshine Coast, characterised these attacks as difficult to prevent through technical measures alone. He explained that perpetrators exploit human trust through various means. “The employees often are convinced – either because of spoofed emails with corrected headers or through voice conversations – that they’re actually speaking to a contractor or a financial representative, and they’re convinced to change bank details or contact details,” he said, as reported by ABC.

Desmond noted that artificial intelligence has substantially reduced the barriers to executing such schemes. The technical aspect, he clarified, does not involve server intrusion or device compromise, but rather “using the human factor, which is exploiting trust, exploiting knowledge, exploiting an individual victim.”

Recovery prospects for the funds remain limited. Desmond indicated that while technological capabilities exist to trace fraudulent transactions, “the majority of funds are not recovered.” The outcome depends significantly on geopolitical factors and bilateral law enforcement cooperation.

Broader AI threat landscape affecting Australian organisations

The incidents involving Queensland councils reflect a wider trend of artificial intelligence integration within criminal operations. Verizon Business’s 2025 Data Breach Investigations Report documents that malicious application of AI technologies has doubled in the preceding two years. The report notes that “AI is now a factor in both external attacks and internal vulnerabilities, requiring organisations to address risks on multiple fronts.”

State-backed threat actors are increasingly utilising AI to automate influence operations, develop sophisticated phishing campaigns, and generate novel malware variants. Concurrently, the report identifies an internal vulnerability: significant employee adoption of generative AI platforms through personal or inadequately secured corporate accounts. This behaviour, often conducted outside formal security frameworks, has resulted in sensitive organisational data being transmitted to third-party AI services.
