Financial Services Solutions

User Risk in Financial Services Is the New Attack Surface

Financial institutions manage high-value transactions, sensitive customer data, and privileged account access at scale. Dune helps financial services teams prevent social engineering and insider threat across every channel.

Threat Landscape

The Biggest User-Driven Threats Facing Financial Institutions

Financial institutions face unique threats that exploit transaction authorization, trust between financial counterparties, and insider access across high-value accounts and systems.

Critical
Financial Authorization Fraud
Attackers impersonate executives, vendors, and trusted contacts to manipulate employees into authorizing fraudulent transactions and redirecting payments.
Unauthorized wire transfers, payment diversion, direct financial loss
Critical
Identity & Credential Attacks
Privileged employees are exploited through trust and fatigue to surrender credentials, bypass authentication, and expose trading platforms and payment systems.
Account takeover, unauthorized system access, privilege escalation
Critical
Insider Threat & Staff Recruitment
Threat actors recruit, compromise, and exploit employees from within, often leveraging platforms like Telegram to turn trusted staff into active threats.
Data exfiltration, unauthorized transactions, privileged access abuse, regulatory exposure
Product Capabilities

How Dune Helps Financial Institutions

Purpose-built capabilities to expose, score, and reduce user risk in financial services environments.

Dashboard showing a high risk score of 93 with factors including adequate simulated attacks and poor training activity.
Measure User Risk
Quantify breach risk with a dynamic User Risk Score, continuously updated from behavioral, contextual, and role-based signals across your security stack.
Custom Risk Score Weighting
Unlimited Input Source Data
Executive Reporting
Screen showing an active call with Sarah Chen and chat messages from Bank of America, Adobe, and Microsoft Security.
Simulate Attacks
Launch omni-channel simulations tailored to each user that impersonate trusted roles and adapt in real time to expose attack susceptibility and insider risk.
GenAI & Conversational Attacks
Trusted Role & Identity Impersonation
Insider Threat Exposure
Dashboard showing 41 total users with categorized risk levels and top risk users by name and scores.
Reduce Threat Exposure
Adapt training, alerts, and controls in real time, prioritizing the ~5% driving the risk and minimizing friction for the other ~95%.
Exposure Prioritization
Risk-Based Training & Step-Up Controls
Automated Remediation Workflows
Attack Scenarios

Example Attack Scenarios in Financial Services

See how modern social engineering attacks target financial institutions and how Dune simulates them.

EMAIL / PORTAL
Vendor Invoice Change Request
A fraudulent email from a compromised or spoofed vendor account requests that banking details be updated ahead of an upcoming payment, mimicking routine AP communication.
User Decision Point
AP teams must validate legitimacy without stalling payment cycles or damaging vendor relationships.
Potential Impact
Fraudulent invoice and wire redirect attacks average $185,000 per diverted transaction, with full enterprise remediation reaching nearly $5M per incident.
FBI IC3 2024 / IBM Cost of a Data Breach 2024
Dune Simulation
Dune creates vendor impersonation scenarios with spoofed sender domains, realistic context, and urgency framing that mirrors real attacker behavior.
EMAIL / VOICE CALL
CFO Wire Transfer Impersonation
An attacker sends an urgent email appearing to come from the CFO, requesting an immediate wire transfer to a new vendor account, then follows up with a phone call to override hesitation.
User Decision Point
Finance or treasury teams must verify requests through trusted channels before initiating transfers.
Potential Impact
BEC surpassed $3B in losses in 2025, and in 2024, engineering firm Arup lost $25M in a single CFO impersonation attack conducted over a deepfake video call.
FBI IC3 2025 Annual Report / The Guardian
Dune Simulation
Dune simulates executive impersonation across email and voice with realistic deal context, urgency cues, and payment instructions.
PUSH NOTIFICATION
MFA Fatigue Attack
A finance admin receives repeated MFA push notifications until they approve one out of frustration or confusion.
User Decision Point
User must resist approving unexpected authentication requests.
Potential Impact
The average cost of a breach initiated through stolen credentials is $4.81M, and credential and authentication attacks now appear in over 60% of all confirmed breaches.
IBM Cost of a Data Breach 2024 / Verizon DBIR 2025
Dune Simulation
Dune tests user resilience to MFA fatigue through controlled, high-frequency push notification simulations that mirror real attacker cadence and timing.
VOICE CALL
Client Account Takeover (Wealth / Banking Clients)
An AI-generated voice call poses as a client or internal support contact, requesting urgent account access, a credential reset, or transaction approval.
User Decision Point
Employee must validate caller identity before granting access or making account changes.
Potential Impact
Deepfake-enabled financial losses exceeded $200M in Q1 2025 alone, with AI voice attacks targeting banks rising 149% year-over-year.
Resemble AI Q1 2025 / Pindrop 2025 Voice Intelligence & Security Report
Dune Simulation
Dune simulates AI voice calls replicating realistic client and internal support personas across live conversational scenarios.
Dune Security is the only platform I've found that's disrupting what needs to be disrupted in the security awareness space. They're customizing trainings, not just in frequency but also in the actual content, based on individual risk profiles. That's exactly what we needed.
Anthony Granada
Cyber GRC Analyst at H.I.G. Capital
Compliance

Built for Regulated Financial Environments

Designed to help financial institutions safely test real-world user risk while meeting regulatory, audit, and compliance expectations.

Enterprise-Grade Capabilities
Designed for highly regulated financial institutions

Built with enterprise security teams in mind, supporting the unique requirements of banks, asset managers, and insurance providers.

Safe-by-design simulations that never execute real transactions

Every attack simulation is sandboxed and controlled. No financial data is exposed, no systems are compromised, and no data leaves your environment.

Supports audit, risk, and internal control validation workflows

Generate detailed reports that map directly to audit requirements, demonstrating continuous security testing and user risk assessment.

Demonstrates proactive security posture to regulators and auditors

Show evidence of ongoing user risk testing and remediation, strengthening your position during examinations and assessments.

Safety Guarantee

All simulations are designed to test human behavior. They do not move funds, access real systems, or disrupt operations.

Supports common financial & enterprise security frameworks

SOC 2 Type II: Certified – Jan 2024 & Jan 2025
ISO 27001: Certified – Aug 2024
GDPR: Compliance Verified – Jan 2025
CCPA: Compliance Verified – Jan 2025
HIPAA: Third-Party Attested – Apr 2025
NIST CSF v2.0: Third-Party Attested – May 2025
Resources

Featured Resources for Financial Services

Explore our latest research, customer case studies, and security insights for securing financial institutions.


Blog
Person filing IRS 1040 tax return at office desk with financial paperwork and cash, representing tax season refund processing and tax scam risk.

Tax Season Scams: How Refund Fraud Escalates Into Enterprise Risk

Each filing season, threat actors execute coordinated, identity-driven campaigns that begin with refund fraud and rapidly escalate into credential harvesting and enterprise exposure.

April 12, 2026
7 minute read
Webinars

Securing Financial Services

Hear CISOs from First Citizens Bank, H.I.G. Capital, and City Bank discuss today’s most dangerous threats to financial institutions, analyze evolving attack vectors, and share their strategies for protecting systems, data, and customers in real time.

April 20, 2026
40 minute watch
Case Study

Hitachi Digital future-proofs security training for a global workforce with Dune Security


April 29, 2026

Frequently Asked Questions

Common questions about Dune Security for financial services organizations.
How is Dune different from traditional phishing simulations?
Is Dune safe and compliant for financial institutions?
Can Dune simulate executive and vendor impersonation?
Does Dune support voice and messaging attacks?
How quickly can we deploy Dune?

Ready to See Dune in Action?

Schedule a time with one of our experts to see how Dune protects financial institutions from social engineering and insider threat across every channel.