Brisbane’s Lord Mayor says the scammers used a “sophisticated system” but officials fell for the same social engineering techniques that federal agencies warn consumers about.
There are already reports of widespread attempts to scam government agencies across Queensland, although it is not confirmed if the attempts are connected.
The scams revolve around convincing public officials to change the banking details in the paying organisation’s financial systems and then issuing a convincing invoice. This is according to advice from the Queensland Cyber Security Unit, set up earlier this year and led by the government’s chief information officer Andrew Mills.
The advice warns that the scammers could be obtaining their target information through open source intelligence gathering:
“The attacks are based on researching suppliers who are likely to invoice for significant sums of money on current work.
“The scam involves getting alternative bank details into the paying organisation’s financial systems and issuing a convincing invoice related to current work and/or recently supplied services.
“These attacks have had a sophisticated social engineering element with multiple convincing phone calls based on prior research about active work.
“The attackers appear to have reasonably detailed knowledge of both current work/projects and suppliers associated with the work/projects.”
Brisbane City Council to foot the bill for lost payments
After council employees came clean late last week, Graham Quirk yesterday admitted nine payments had been made to scammers since July. The funds, just over $450,000, were intended to go to a legitimate service provider.
Officials became aware of the scam when the service provider contacted the council to advise their payment had not been received.
The Crime and Corruption Commission Queensland, along with the Queensland Audit Office and the Queensland Police Service, have been “engaged”, he confirmed to local media yesterday.
At this stage, it seems unlikely the council will recoup the lost funds, just over $450,000. The unnamed service provider will still be paid. Quirk says he’s “pretty angry” that taxpayers have been robbed in this way.
“I’m hoping obviously that we get money back for ratepayers but just knowing the way these scammers work, I’m not holding out a lot of hope.”
The scammers created fake invoices and email addresses, a fraud tactic not unfamiliar to anyone with an email address of their own. Quirk, however, echoed the CSU’s description of the scam as a sophisticated setup:
“Through what appears to be a sophisticated and targeted scam … They were payments that should’ve gone to a professional services provider but have gone to a scam account which was set up through a process which the scammers used.”
An investigation has been ordered and the results will be made public in approximately a month.
Understanding scam risks
Small businesses warned about Facebook scam – fake alert from FB advertising department https://t.co/LzrjoNdAp6
— Scamwatch_gov_au (@Scamwatch_gov) August 16, 2016
SCAMWatch is one Commonwealth anti-scamming education program aimed at consumers. The Australian Competition and Consumer Commission also publishes the popular Little Black Book of Scams with the top 10 scams to avoid, and helpful tips like:
“Watch out: scammers are especially likely to strike during busy times of the year — for example, the end of financial year.”
Top 10 scams, according to the ACCC:
- Advance fee fraud
- Lottery, sweepstakes and competition scams
- Dating and romance scams
- Computer hacking
- Online shopping, classifieds and auction scams
- Banking, credit card and online account scams
- Small business scams
- Job and employment scams
- Golden opportunity and gambling scams
- Charity and medical scams