State & Local Government Solutions

User Risk in State & Local Government Is the New Attack Surface

Government agencies manage critical infrastructure, citizen data, and public services at scale. Dune helps public sector teams prevent social engineering and insider threat across every channel.

Book a Demo
Threat Landscape

The Biggest User-Driven Threats Facing State & Local Government

Government agencies face unique threats that exploit public trust, legacy infrastructure, and distributed workforces serving millions of citizens.

Critical
Government Impersonation Fraud
Attackers impersonate elected officials, department heads, or state agencies to redirect benefit payments, manipulate procurement processes, or extract citizen PII from government databases.
Citizen data exposure, benefit fraud, public trust erosion, federal compliance violations
Critical
Ransomware via Employee Credential Theft
Attackers target municipal employees through spoofed internal communications, fake IT alerts, and credential harvesting to gain initial access for ransomware deployment.
Service disruption, data encryption, recovery costs averaging millions, citizen impact
Critical
Conversational Social Engineering Attacks
Live, multi-turn conversations impersonating city managers, department directors, or vendor partners to push staff into taking risky actions.
Credential harvesting, unauthorized fund transfers, lateral movement across agency systems
Product Capabilities

How Dune Helps State & Local Government Agencies

Purpose-built capabilities to simulate, score, and mitigate user risk in government environments.

Measure User Risk
Quantify breach risk with a dynamic User Risk Score, continuously updated from behavioral, contextual, and role-based signals across your security stack.
Dynamic User Risk Scoring
Unlimited Input Source Data
Exposure Prioritization & Executive Reporting
Simulate Attacks
Launch omni-channel simulations tailored to each user that impersonate trusted roles and adapt in real-time to expose attack susceptibility and insider risk.
GenAI & Conversational Attacks
Omni-Channel Simulation Coverage
Trusted Role & Identity Impersonation
Reduce Threat Exposure
Adapt training, alerts, and controls in real-time, prioritizing the ~5% driving the risk and minimizing friction for the other ~95%.
User Adaptive Training
Risk-Based Escalation & Controls
Automated Remediation Workflows
Attack Scenarios

Example Attack Scenarios in State & Local Government

See how modern social engineering attacks target government agencies and how Dune simulates them.

EMAIL
Executive Impersonation for Fund Transfers
Attacker emails impersonating the city manager, mayor, or department director, requesting emergency budget transfers, vendor payments, or payroll changes.
User Decision Point
Finance and admin staff face urgent requests appearing to come from senior leadership and must verify before moving public funds.
Potential Impact
BEC losses hit $3.05 billion in 2025, with 86% moving via wire or ACH as attackers spoof senior officials to redirect emergency transfers, vendor payments, and payroll.
FBI IC3 2025 Annual Report
Dune Simulation
Tests how finance and admin staff respond to urgent payment requests claiming to come from senior officials.
EMAIL / PORTAL
Vendor Procurement Fraud
Attacker compromises or spoofs a known vendor email thread and submits updated banking instructions, redirecting routine invoice payments to attacker-controlled accounts.
User Decision Point
AP and procurement staff face routine requests to update vendor banking details and must catch the tampering before payment goes out.
Potential Impact
Laurens County, South Carolina wired $1.55 million across four payments after attackers spent weeks impersonating a county contractor and sent fraudulent payment instructions through a hijacked email thread
Laurens County, SC public statement, January 2026
Dune Simulation
Tests whether AP staff catch tampered banking details when a trusted vendor thread asks for a payment update, with realistic contract details, invoice formats, and agency branding.
CHAT / SMS / EMAIL
IT Helpdesk Credential Harvesting
Attacker poses as central IT support, targeting employees across departments with urgent messages about password resets, system migrations, or security updates.
User Decision Point
Employees must verify IT communications through official channels before sharing credentials or approving MFA requests.
Potential Impact
Dallas spent $8.5 million recovering from a 2023 ransomware attack triggered by callback phishing and stolen credentials, exposing 200,000 residents and disabling 911 dispatch and court systems for weeks.
City of Dallas, May 2023 Ransomware Incident Review
Dune Simulation
Dune simulates IT helpdesk impersonation across messaging channels, testing credential sharing and MFA approval behavior
AI VOICE CALL / EMAIL
Public Records & Citizen Data Exfiltration
AI-generated voice call or email impersonating a state agency, law enforcement, or auditor requesting bulk citizen records, tax data, or confidential case files.
User Decision Point
Staff must verify inter-agency data requests through established protocols before sharing any citizen information.
Potential Impact
Government impersonation complaints nearly doubled to 32,500 in 2025, with losses jumping from $405 million to $797 million as AI voice and messaging tools let scammers convincingly pose as officials.
FBI IC3 2025 Annual Report
Dune Simulation
Dune deploys inter-agency impersonation scenarios with realistic government language, badge numbers, and case references
Dune is elevating the social engineering game to truly teach others what to avoid by offering individualized campaigns to fill in the knowledge gaps. It's like having a white hat hacker on your team!
Thanh Thai
VP and Chief Information Security Officer at Constellis
Compliance

Built for Government Environments

Designed to help government agencies safely test real-world user risk while meeting regulatory, audit, and compliance expectations.

Enterprise-Grade Capabilities
Designed for state, county, and municipal government environments

Built with public sector security teams in mind, supporting the unique requirements of government agencies managing citizen services and critical infrastructure.

Safe-by-design simulations that never access real citizen data

Every attack simulation is sandboxed and controlled. No citizen records are exposed, no systems are compromised, and no data leaves your environment.

Supports audit, risk, and internal control validation workflows

Generate detailed reports that map directly to audit requirements, demonstrating continuous security testing and user risk assessment.

Demonstrates proactive security posture to oversight bodies

Show evidence of ongoing user risk testing and remediation, strengthening your position during audits, legislative reviews, and federal compliance assessments.

Safety Guarantee

All simulations are designed to test human behavior. They do not access real citizen data, real systems, or disrupt government operations.

Supports common government & enterprise security frameworks

SOC 2 Type II
 Certified – Jan 2024 & Jan 2025
ISO 27001
 Certified – Aug 2024
GDPR
 Compliance Verified – Jan 2025
CCPA
 Compliance Verified – Jan 2025
HIPAA
 Third-Party Attested – Apr 2025
NIST CSF v2.0
 Third-Party Attested – May 2025
Resources

Featured Resources for State & Local Government

Explore our latest research, customer case studies, and security insights for securing government agencies.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

No Resources found.

Blog
A glass skyscraper photographed from below, its curved facade repeating across hundreds of office windows, illustrating the scale of modern enterprise infrastructure. A glass skyscraper photographed from below, its curved facade repeating across hundreds of office windows, illustrating the scale of modern enterprise infrastructure.

The Workforce Has Expanded: How Attackers Are Targeting Enterprise AI Agents

AI agents are being deployed across the enterprise at scale, and attackers have already started engineering against them. Learn how agentic AI expands the enterprise attack surface in ways legacy security programs were never designed to defend.

This is some text inside of a div block.
March 23–25, 2026
March 23–25, 2026
April 12, 2026
7 minute read
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
Blog
Person filing IRS 1040 tax return at office desk with financial paperwork and cash, representing tax season refund processing and tax scam risk.Person filing IRS 1040 tax return at office desk with financial paperwork and cash, representing tax season refund processing and tax scam risk.

Tax Season Scams: How Refund Fraud Escalates Into Enterprise Risk

Each filing season, threat actors execute coordinated, identity-driven campaigns that begin with refund fraud and rapidly escalate into credential harvesting and enterprise exposure.

This is some text inside of a div block.
March 23–25, 2026
March 23–25, 2026
April 12, 2026
7 minute read
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.
Webinars

User Risk in Cybersecurity: Exploring the Primary Driver of Modern Breaches

View the session on demand to examine the role of user behavior in today’s threat landscape and the strategies security leaders are using to mitigate enterprise user risk.

This is some text inside of a div block.
March 23–25, 2026
March 23–25, 2026
April 20, 2026
41 minute watch
This is some text inside of a div block.
This is some text inside of a div block.
This is some text inside of a div block.

Frequently Asked
Questions

Common questions about Dune Security for state and local government agencies.
How is Dune different from traditional phishing simulations?
Is Dune safe for government environments with citizen data?
Can Dune simulate attacks targeting government-specific workflows?
Does Dune support voice and messaging attacks?
How quickly can we deploy Dune?

Ready to See Dune in Action?

Schedule a time with one of our experts to see how Dune protects state and local government agencies from social engineering and insider threat across every channel.
Book a Demo