Lord Mayor Graham Quirk has ordered an external review after Brisbane City Council was scammed of more than $450,000. Credit:Michelle Smith Cr Quirk described it as a "sophisticated and targeted scam" against the council. "It was discovered ultimately when the service provider contacted council and said 'well, you're normally a good payer – where's our payment?'," he said. "That's when it became known to council. It was then checked and it was found that the place where the cheques were going to was different to what the ridgy-didge account was." Cr Quirk said he had commissioned Deloitte to conduct an independent, external review into "the operations, practices and processes that have led to this outcome", which he expected to take about four weeks.

"We understand that there's only one entity involved, but the full investigation and review will further answer that question," he said. "We've got no knowledge or suspicion to suggest that there are more involved." The cost of that review was yet to be determined, he said, and the results would be made public. "Anything where there is an alleged fraudulent act against the ratepayers of Brisbane is absolutely concerning to me," Cr Quirk said. "That's why I'm determined to get to the bottom of what's gone on."

In the meantime, Cr Quirk said, the Queensland Police Service, the Queensland Audit Office and the Crime and Corruption Commission had all been notified of the fraud. Cr Quirk said he was advised of the alleged fraud on Friday, a day after council chief executive Colin Jensen was told. The unpaid service provider, which Cr Quirk would not identify other than to say it provided "professional services", would not be left out of pocket. "They are aware of it and they are in the process of being paid now," he said. "This only came to our attention on Friday, so we're not going to withhold payment to them.

"They're entitled to those monies and we will make that payment promptly." Cr Quirk said he had not seen such a fraud committed against the council in his 35 years in the chamber. "Not to this extent; $450,000 is a lot of money and that's why we will do what we have to do to establish what's gone on here. "If there needs to be improvement to the practices, well, we've got to do that." It appeared Brisbane City Council was not the only organisation to fall victim to such attacks.

An alert from state government cyber security unit information security officer Robert Mead, obtained by Fairfax Media, warned of "confirmed reports of multiple organisations (semi-government and utilities) receiving well-researched and targeted fraud attacks". "The attacks are based on researching suppliers who are likely to invoice for significant sums of money on current work," he said. "The scam involves getting alternative bank details into the paying organisation's financial systems and issuing a convincing invoice related to current work and/or recently supplied services. "These attacks have had a sophisticated social engineering element with multiple convincing phone calls based on prior research about active work. "The attackers appear to have reasonably detailed knowledge of both current work/projects and suppliers associated with the work/projects.

"...The current theory is that the detailed information is being obtained through open source intelligence gathering." A Queensland Police Service spokesman confirmed an investigation into the apparent fraud had been launched.