Human error was behind a Sunshine Coast Council being defrauded of more than $2 million, a report has shown.
A criminal organisation used sophisticated and targeted social engineering and artificial intelligence to defeat Noosa Council’s anti-fraud measures in December 2024, stealing $2.3 million.
The fraudsters impersonated council suppliers and convinced staff to change bank and contact details.
Noosa Council was defrauded of more than $2 million last December. Credit: Peter Reynolds
Despite the council initially stating workers were not at fault, it would now appear council staff did not follow simple anti-fraud measures.
In delivering an overview of the report – which will remain confidential – acting director of corporate services Margaret Gatt said the incident highlighted non-compliance with the standard processes.
“We have identified that there were some instances of human error that contributed to some failures in our internal controls,” she told Thursday’s Noosa Shire Council meeting.
If council processes were followed, all changes to details would have been independently verified, she said.
“Verification of the sender’s email to the supplier’s email address from an independent source such as the supplier’s website may have indicated the different syntax used in the email address,” she said.
The council said no systems or services were affected by the fraud and workers’ and ratepayers’ details were secure.
The council has since tightened its procedures around how suppliers’ banking details are changed.
Noosa Council CEO Larry Sengstock. Credit: Noosa Council
CEO Larry Sengstock made the fraud public in October, once he had permission from the police.
At the time, he said the alleged perpetrators were already under investigation by the Australian Federal Police and Interpol.
“Despite having processes and procedures to mitigate this type of event, unfortunately, in this instance they were not effective enough, as this crime was committed by highly organised, professional criminals who found a way through our processes,” he said.
Among the suggested measures were that workers adhere to council practices when changing suppliers’ contact and bank details by contacting them through their original number.
Sengstock said the council had since implemented third-party protection software to validate bank details, and was providing further cyber-security training to staff.
During the meeting, one councillor took issue with inconsistencies between statements made by the chief executive in October and what was now shown in the report.
“It wasn’t lost because of clever criminals or a sophisticated AI scam, it was lost because internal processes, the safeguards that we rely upon, were not followed,” councillor Amelia Lorentson said.
Lorentson said the community wanted someone to take responsibility and face consequences, and called for a publicly available report.
Earlier this week, ahead of the report being mentioned in council, Sengstock said the fraud was his responsibility, not that of staff.
The council said about $640,000 had been recovered, bringing the outstanding sum to $1.7 million.