Cyber scams are evolving. And increasingly, they’re targeting something harder to protect than systems or infrastructure – your people.
Across Australia, councils are facing a rise in ‘social engineering’ attacks: scams specifically designed to slip past traditional controls.
And with the growing use of AI, they’re becoming much harder to detect.
The result? Real financial losses, operational disruption and reputational damage.
What is social engineering – and why is it so effective?
Social engineering is when a scammer manipulates someone into taking an action they shouldn’t – such as transferring funds or sharing sensitive information.
Instead of hacking systems, they exploit trust.
This might look like:
- An email that appears to come from a supplier requesting updated bank details
- A phone call from someone posing as a senior executive
- A message that creates urgency, prompting quick action without verification
AI is accelerating these tactics. Scammers can now:
- Mimic voices and create realistic ‘deepfake’ videos
- Generate highly personalised phishing emails at scale
- Replicate writing styles and communication patterns
This kind of attack is no longer easy to spot. And that’s what makes it so dangerous.
The impact of social engineering on councils
For councils, the consequences can be significant.
A recent example is the cyber fraud incident at Noosa Council in December 2024, which resulted in a loss of almost $2 million, despite a partial recovery of funds.
Importantly, this was not a cyber breach. Council systems were not compromised, and there was no impact on services or the community. External forensic IT experts confirmed that Council’s infrastructure remained secure.
Instead, the incident relied on deception. It was a targeted and highly organised attack, linked to international criminal networks currently under investigation by the Australian Federal Police and Interpol.
Noosa Council responded quickly by activating its incident response processes, reviewing internal procedures and strengthening controls.
And yet, it still serves as a clear reminder: even with controls in place, determined and well-organised criminals can find ways to exploit human decision-making.
For councils, this can lead to:
- Unauthorised payments
- Data breaches
- Disruption to essential services
- Loss of community trust
Traditional technical controls alone are no longer enough. Councils need to take a broader, more proactive approach that treats people and processes as part of the defence.
How your council can stay protected
While the threat is evolving, there are six practical steps you can take right now to reduce your exposure.
- Train your team
Your people are your first line of defence.
Regular training helps staff recognise red flags and respond accordingly. Simulated phishing exercises can also reinforce good habits in a safe environment.
- Tighten verification controls
Introduce clear checks for financial and sensitive requests.
This includes verifying any change to payment details through a secondary channel (a call back to a contact number already held on file, never one supplied in the request itself), using multi-factor authentication (MFA) on finance and email systems, and requiring approval from a second person for high-risk transactions.
- Use technology to your advantage
Just as scammers are using software and AI, so can you.
Advanced tools can help detect unusual activity, flag suspicious emails and identify potential deepfake content. These tools add another layer of protection alongside your internal processes.
- Have a clear response plan
If something doesn’t feel right, your team needs to know what to do next.
Establish a clear process for:
  - Reporting suspected scams
  - Escalating incidents quickly
  - Containing and responding to potential breaches
Clear guidelines enable fast action, which can significantly limit the impact of a breach.
- Work together and share insights
Cyber threats don’t impact just one council.
By collaborating with peers at risk group meetings, and learning from industry experts and trusted partners, you can stay informed about emerging risks and strengthen your collective response.
- Keep your risk approach up to date
Scams will continue to evolve – and so should your controls.
Regularly review your risk management framework to ensure it reflects current threats, technologies and vulnerabilities.
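The verification and technology steps above can be expressed as a check that finance staff (or a payments system) run before a supplier's bank details are updated. The following is an added example written for this article; it is not code from Statewide Mutual, Eftsure or any council. The record layouts, field names, the $10,000 dual-approval threshold and the sample request are constructed for illustration. It flags the indicators the article describes (a lookalike sender domain, a "confirmation" number supplied by the scammer, urgency language) and, separately, refuses to release the change until a call back to the number on file and the required independent approvals are recorded, regardless of whether any flags fired.

```python
"""Added example (not Statewide Mutual's, Eftsure's or any council's code):
red-flag checks and release rules for a supplier bank-detail change request.
All record shapes, thresholds and sample data are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy value: changes affecting payments at or above this need two approvers.
DUAL_APPROVAL_THRESHOLD = 10_000.0

URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|today|asap|before (close|cob)|final notice)\b", re.I
)


@dataclass(frozen=True)
class VendorRecord:
    """Master data captured at onboarding, independently of any later email."""
    name: str
    email_domain: str   # taken from the signed contract, not from a message header
    phone_on_file: str  # the only number used for call-back verification
    bsb: str
    account: str


@dataclass(frozen=True)
class ChangeRequest:
    sender: str                    # From: address of the inbound email
    body: str
    new_bsb: str
    new_account: str
    callback_phone: Optional[str]  # a number the email itself says to ring "to confirm"
    payments_due: float            # value of payments that would go to the new account


def _fold_lookalikes(domain: str) -> str:
    """Collapse common character substitutions so a lookalike folds to the real domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def red_flags(req: ChangeRequest, vendor: VendorRecord) -> list:
    """Return the social-engineering indicators present in a bank-detail change request."""
    flags = []
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        kind = "lookalike" if _fold_lookalikes(sender_domain) == _fold_lookalikes(vendor.email_domain) else "foreign"
        flags.append(f"{kind} sender domain {sender_domain!r}; vendor domain on file is {vendor.email_domain!r}")
    if req.callback_phone and req.callback_phone != vendor.phone_on_file:
        flags.append("request supplies its own 'confirmation' number; only the number on file is trusted")
    if URGENCY.search(req.body):
        flags.append("urgency language pressing for action before verification")
    return flags


def may_release(req: ChangeRequest, vendor: VendorRecord, callback_number_dialled: str,
                callback_confirmed: bool, approvers: list, requested_by: str) -> tuple:
    """Decide whether the change may be applied.

    The rules are unconditional: a clean-looking email is exactly what a good scam
    looks like, so an absence of red flags never shortcuts the call-back or approvals.
    """
    if callback_number_dialled != vendor.phone_on_file or not callback_confirmed:
        return False, "call-back to the number on file has not confirmed the change"
    needed = 2 if req.payments_due >= DUAL_APPROVAL_THRESHOLD else 1
    independent = {a for a in approvers if a != requested_by}
    if len(independent) < needed:
        return False, f"{needed} approver(s) independent of the requester required, {len(independent)} recorded"
    return True, "verified"


# Constructed sample data: a fictitious supplier and a lookalike-domain request.
VENDOR = VendorRecord("Shire Paving Pty Ltd", "shirepaving.com.au", "+61 7 5555 0100", "484-799", "123456789")
REQUEST = ChangeRequest(
    sender="accounts@shirepav1ng.com.au",
    body="Hi, we have changed banks. Please update our details before close today; "
         "invoices are overdue. Call 0400 000 000 to confirm.",
    new_bsb="064-000", new_account="98765432",
    callback_phone="0400 000 000", payments_due=48_500.0,
)

if __name__ == "__main__":
    for flag in red_flags(REQUEST, VENDOR):
        print("FLAG:", flag)
    # Ringing the number from the email proves nothing, whatever the caller says.
    print(may_release(REQUEST, VENDOR, REQUEST.callback_phone, True, ["ap.clerk"], "ap.clerk"))
    # Call back on the number on file plus two approvers independent of the clerk who keyed it.
    print(may_release(REQUEST, VENDOR, VENDOR.phone_on_file, True, ["finance.mgr", "cfo"], "ap.clerk"))
```

The split between red_flags and may_release is deliberate: the flags are for triage and training, while the release rule encodes the control itself, so a convincing email with no flags still cannot move money until the call back and approvals have happened.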
How Statewide Mutual can support you
We’re here to help you stay ahead of social engineering risks.
Members have access to our Fraud & Corruption Awareness Training through the Tier 1 Risk Initiative program. This provides practical guidance on prevention, detection and response.
For a deeper assessment, we also offer a partially funded Fraud Control Framework Review. This includes a gap analysis of your current controls and fraud risk profile through a desktop review.
We also encourage you to explore the resources below, provided by our partner Eftsure, who are experts in cybercrime prevention:
- Types of AI threats
- 13 different AI tools used in scams (including the Business Invoice Swapper)
- AI statistics
- Deepfake vulnerability assessment
- 2025 Cybersecurity Guide
Stay vigilant. Stay prepared.
Social engineering scams rely on one thing – trust.
By combining awareness, strong processes and the right technology, you can reduce your risk and protect your council from financial loss and disruption.
Most importantly, you can maintain the trust your community places in you every day.
Want to learn more about the tools and support available to you? Reach out to your Regional Risk Manager today.