Noosa Council has disclosed a major social engineering incident that cost the local government millions of dollars last year. According to Larry Sengstock, CEO of Noosa Council, the council lost $2.3 million in what he described as a “social engineering AI” scam carried out by international criminal gangs. While some of the stolen money was recovered, the total financial loss still stands at $1.9 million.
Sophisticated Social Engineering Attack Hits Noosa Council
Sengstock explained that the attack occurred during the 2024 Christmas period. In an update posted to the Noosa Council website on October 13, he stated, “During the 2024 Christmas period Noosa Council was the victim of a major fraud incident, perpetrated by international criminal gangs currently under investigation by Australian Federal Police and Interpol.”
Noosa Council confirmed that the attack did not involve a breach of its computer systems. “This fraud was not related to cyber security. Council systems were not breached or affected, no data was stolen and there was no impact to the public or our services,” Sengstock said. Independent forensic IT experts hired by Noosa Council confirmed these findings, indicating that ratepayer and community data remained safe.
Once alerted to the fraud, Noosa Council immediately activated its incident crisis response team. This team reviewed internal procedures and implemented improvements to prevent similar attacks in the future. Sengstock emphasized that despite existing safety measures, the highly organized criminals were able to bypass them, highlighting the sophistication of the fraud.
Criminal Tactics Remain Confidential at Noosa Council
Noosa Council did not disclose the exact techniques used in the attack, citing both legal obligations and the need to protect staff. Sengstock explained, “The criminals used social engineering AI techniques and we will not go into specifics to avoid revealing the tactics of the criminals, and because of our legal obligation to protect Council staff.”
He stressed that no Noosa Council staff were involved or at fault in the incident. “We can confirm that no Council staff were at fault or involved in the criminal activities,” Sengstock said. The fraud, he explained, was deliberate, targeted, and strategically planned by professional criminals, showing a level of sophistication that outpaced existing council procedures.
During the investigation, Noosa Council was advised by police to withhold public disclosure. Authorities including the Queensland Audit Office and relevant Ministers were informed at the time, ensuring official oversight while the investigation continued.
Sengstock urged other local government organizations to remain vigilant. “This incident is a reminder to other local government entities to be on their guard,” he said. While disappointed by the event, Noosa Council reassured the community that no residents were directly affected and operational services were not disrupted.
Broader Context of Council Targeting
The incident is not an isolated case. Local councils across Australia have been increasingly targeted by cyber criminals and fraudsters in recent years. According to reports, Muswellbrook Shire Council was the most recent victim of a cyber attack, confirming a ransomware attack by the SafePay group in December 2024.
While no specific criminal group has claimed responsibility for this case, experts note that such crimes often remain unattributed due to the covert nature of the operations. Social engineering, in particular, relies on manipulating human behavior rather than hacking computer systems, making it harder to trace and prevent.
Sengstock reaffirmed that the council is committed to improving safeguards against these attacks. “While we are very disappointed this has happened and are doing all in our power to ensure we minimise the risk as much as possible, so this doesn’t happen again, we are thankful that in this instance no one in our community was directly affected and there was no impact on operational functions or projects,” he said.
The case highlights the growing threat of social engineering attacks targeting public institutions. By exploiting human and procedural vulnerabilities, sophisticated criminal networks can orchestrate large-scale fraud, costing millions and challenging traditional security measures.