‘It happens every day’: Cyber expert explains how Noosa Council was scammed

Rob Neely.

A Noosa cybersecurity expert believes Noosa Council may have fallen victim to a Business Email Compromise (BEC) scam, after CEO Larry Sengstock’s public comments suggested an invoice intercept could be to blame.

Securely Group founder Rob Neely said, “It happens all over the world. It happens to businesses every day.”

“Essentially, and I’m not saying this is absolutely correct, what happens in these scams is the criminal organisation will infiltrate the email system of an organisation. They will generally go to the accounts area and look for large invoices. They will then pick their target, and the invoices they would probably pick in Noosa would be like the roadworks, where there’s many millions of dollars involved; they’re large invoices.

They would then create a new invoice, change the bank details and send the new invoice in, or they may send a note that’s imperceptible, that’s the same as council staff would expect to see, and they’ll say, we’ve changed our bank accounts. Would you please ring us to confirm, blah, blah. From what I’ve been reading, what’s been said, it would appear they’ve used gen AI (generative AI chatbots). Agents are used; they can use videos of a person and their voice.

It’s not to blame anyone. These things are so real now. You cannot tell. If Frank Wilkie rang you as a spoof, on a video call, you could not tell the difference. That’s how good they are. They intercept the email, they change the bank accounts and redirect the payment to a bank account associated with a criminal organisation. That would have to be an Australian bank account.

They said they were able to claw back $400,000, so the total appears to be $2.3m.

Now how that would have occurred, at some point the proper company that was doing the works probably reached out and said where are our payments and they may very well have just paid another $400,000 to the criminals into an Australian bank account. They realise there’s a problem. They contact their bank. They contact the other bank and they hold the money and claw the $400,000 back. That’s what appears to have occurred.

They say it’s not cyber fraud. It sort of is, it’s sort of not. It’s certainly digital fraud at the highest level and it’s happening all over the world. In fact it’s a tsunami.

I wrote a LinkedIn post a couple of weeks ago about what’s going to happen with gen AI if they’re using AI agents. They can have a whole office full of humans, say 20 humans, making one phone call every 10 minutes or every half hour. With AI agents you can have 10 AI agents making hundreds of phone calls every hour, hundreds of reach outs, reaching out by email, breaking into other people’s systems.

The BEC scams or phishing are not new but are now so difficult to detect. If you’re not hyper security aware it’s very difficult, so you can’t blame a staff member for making this mistake. I think that’s what he’s trying to say.”

Mr Neely said his company was working on a pattern right at the moment to stop exactly this sort of scam.

“Where an email went between you and me, it can only be opened by you, no one else. Even if someone else is on your computer, they can’t open it up. That’s what the pattern is being built around,” he said.
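The invoice-redirection pattern Mr Neely describes, where new bank details and a "please ring us to confirm" number arrive in the same email, is exactly what a payment-release control can hold for out-of-band verification against the number already on file. The check below is an added example, not code from the article or from Securely Group; the vendor master record, domain names and invoices are constructed sample data.

```python
"""Added example (not code from the article or from Securely Group): a
payment-release check for the invoice-redirection scam described above.
Vendor master records and invoices here are constructed sample data."""
from dataclasses import dataclass, field

# Constructed vendor master: bank details and phone number verified when the
# vendor was onboarded. This is the only trusted reference for a payment.
VENDOR_MASTER = {
    "roadworks-pty": {"bsb": "123-456", "account": "11111111",
                      "phone": "+61 7 5555 0100", "domain": "roadworks.example"},
}

@dataclass
class Decision:
    release: bool = True
    reasons: list = field(default_factory=list)

    def hold(self, why: str) -> None:
        self.release = False
        self.reasons.append(why)

def check_invoice(inv: dict) -> Decision:
    """Hold payment when bank details or sender differ from the vendor master.
    A callback number supplied in the same email is never used for verification;
    staff ring the number on file instead."""
    d = Decision()
    master = VENDOR_MASTER.get(inv["vendor_id"])
    if master is None:
        d.hold("vendor not in master data")
        return d
    sender_domain = inv["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain != master["domain"]:
        d.hold(f"sender domain {sender_domain!r} is not {master['domain']!r}")
    if (inv["bsb"], inv["account"]) != (master["bsb"], master["account"]):
        d.hold(f"bank details differ from master; confirm on {master['phone']}")
    if inv.get("callback_phone") and inv["callback_phone"] != master["phone"]:
        d.hold("callback number in email differs from number on file")
    return d

# Constructed samples: a genuine invoice, and the same invoice re-sent from a
# lookalike domain with new bank details and a callback number chosen by the sender.
GENUINE = {"vendor_id": "roadworks-pty", "sender": "accounts@roadworks.example",
           "bsb": "123-456", "account": "11111111", "amount": 1_900_000}
REDIRECTED = {"vendor_id": "roadworks-pty", "sender": "accounts@roadworks-example.com",
              "bsb": "654-321", "account": "99999999", "amount": 1_900_000,
              "callback_phone": "+61 7 5555 0999"}
if __name__ == "__main__":
    for name, inv in (("genuine", GENUINE), ("redirected", REDIRECTED)):
        print(name, check_invoice(inv))
```

A genuine invoice releases with no reasons; the redirected one is held on all three checks, and the hold message points staff at the phone number on file rather than the one in the email.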

The Australian Cyber Security Centre’s (ASD’s ACSC) Annual Cyber Threat Report (ACTR) 2024–25, which was released this week, reveals the top three reported cyber incidents that affected Australian critical infrastructure were compromised asset/network/infrastructure (55 per cent), DoS/DDoS (23 per cent), and compromised account/credentials (19 per cent).

(A denial of service (DoS) attack is an attempt to overload a website or network, with the aim of degrading its performance or even making it completely inaccessible. A distributed denial of service (DDoS) attack is a form of DoS attack that originates from more than one source.)

The report recommends organisations take action to protect their networks and digital infrastructure now and into the future.

“There are four key actions that ASD considers critical for organisations to take to improve their cyber security.

– Ensure you have best-practice event logging in place.

– Replace legacy technology or put appropriate mitigations in place.

– Choose products and services that are secure by design.

– Adopt post-quantum cryptography to safeguard your digital infrastructure.”