Subnet Blog

AI Imitation Scams: A Wake-Up Call for Australian Local Councils

Written by Ben Luks | 20 October 2025 03:47:30 Z

In October 2025, Noosa Council suffered a significant financial loss—close to $2 million—after falling victim to a highly targeted scam involving artificial intelligence (AI) impersonation. This incident, which leveraged AI-generated imitations, has underscored the growing cyber risks faced by local councils and sparked urgent discussions about their cybersecurity posture.

What Happened in Noosa?

According to Noosa Mayor Frank Wilkie, international fraudsters leveraged advanced AI technologies to convincingly impersonate key council personnel—most likely utilising deepfake voice or email mimicry—to manipulate internal workflows and authorise significant financial transfers. This attack bypassed technical safeguards and instead exploited human vulnerabilities, underscoring the escalating threat of AI-driven social engineering.

Despite robust IT systems (and no breach of resident data), the fraud was only uncovered after notification from authorities. While some funds were recovered, this incident highlights how AI-driven attacks can circumvent traditional cybersecurity defences by targeting humans rather than infrastructure.

Key Risks of AI Imitation for Councils

  1. Deepfake Voice and Video Impersonation
    AI tools can now replicate voices and faces with alarming accuracy, making it possible to impersonate mayors, CEOs, or finance officers in video calls or phone conversations.

  2. Phishing with Personalisation
    AI can craft highly convincing emails or SMS messages using publicly available data, making traditional phishing detection methods less effective.

  3. Vendor and Supply Chain Exploits
    Attackers may breach third-party vendors and use that access to impersonate trusted contacts, as suspected in the Noosa case.

  4. Human Error and Trust Exploitation
    Even well-trained staff can be deceived when AI-generated content mimics familiar voices or writing styles.

What Councils Must Do Now

1. Strengthen Identity Verification Protocols

  • Implement multi-factor authentication (MFA) for all financial approvals.
  • Use biometric or secure identity verification for sensitive communications.

2. Conduct AI-Specific Cyber Awareness Training

  • Educate staff on AI-enabled threats, including deepfakes and voice cloning.
  • Run simulated phishing and impersonation drills to test response readiness.

3. Audit and Monitor Communication Channels

  • Monitor for spoofed emails or fake social media profiles impersonating council staff.
  • Use AI detection tools to flag suspicious voice or video content.

4. Review Vendor and Third-Party Security

  • Ensure vendors follow strict cybersecurity protocols.
  • Include AI threat mitigation clauses in contracts and SLAs.

5. Establish Incident Response Plans for AI Scams

  • Develop clear protocols for reporting and responding to impersonation attempts.
  • Engage external forensic experts to assess vulnerabilities post-incident.

A Sector-Wide Call to Action

The Noosa incident has prompted swift action. Both Sunshine Coast and Ipswich councils have initiated thorough reviews of their cybersecurity frameworks and heightened monitoring.

Councils must recognise that AI is not only a catalyst for innovation, but a vector for deception. It is essential for local governments to elevate their security posture accordingly. As stewards of public trust and resources, councils have a critical responsibility to implement proactive, AI-aware cybersecurity strategies.

Need help assessing your council’s AI readiness?

Subnet offers tailored AI-readiness assessments for local governments. Contact us to learn how we can help your team stay ahead of emerging threats. 
View full post