
General Security Awareness - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place a mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag, and pull them from the bag.


  1. “You’re on mute.”
  2. Avoids taking photos/screenshots of client data
  3. Quarterly access review completed
  4. Deletes unexpected attachments
  5. Sensitive data sent via unencrypted email
  6. Default password still in use
  7. Avoids sending sensitive info unencrypted
  8. Hovering over links before clicking
  9. Reports a suspicious text message
  10. Someone says, “That’s a great question.”
  11. Shared credentials discovered
  12. Shreds documents with personal or client info
  13. “This looks like a phishing attempt”
  14. High-risk vendor flagged
  15. Recognizes when someone asks for too much information
  16. Someone says “Let’s take that offline.”
  17. “If it seems too good to be true, it probably is”
  18. Avoids public Wi‑Fi for work tasks
  19. “Can you see my screen?”
  20. Data not classified correctly
  21. Missing evidence for an audit test
  22. Using secure file transfer instead of email
  23. Knows the organization’s security policies exist
  24. Mentions “Think before you click”
  25. Updating software when prompted
  26. Strong passphrase used (not just complex password)
  27. Uses only approved tools for work
  28. Stores sensitive files securely
  29. Recognizes a fake login page
  30. Double-checks external recipients before sending
  31. Creates a strong passphrase (not just a password)
  32. Avoids downloading unknown applications
  33. Uses company‑approved cloud storage
  34. Forwards unusual emails to the security team
  35. Completes annual security training
  36. Verifies sender email address
  37. Validates payment or change requests through a second channel
  38. Knows how to report an incident
  39. Excessive permissions (over‑privileged access)
  40. Missing BAA for a PHI‑handling vendor
  41. Public link sharing disabled on a file
  42. Declines to share information over the phone
  43. Someone mentions “AI” or “Copilot.”
  44. Multi-factor authentication (MFA) enabled
  45. Recognizes a suspicious QR code
  46. Someone mentions “Zero trust.”
  47. “Shadow IT” app found
  48. Firewall rule allows “ANY/ANY” traffic
  49. Employee uses the “Report Phish” button
  50. Reporting a lost or stolen device
  51. USB stick plugged into a corporate laptop
  52. “Sorry, I was on another call.”
  53. Unpatched system identified
  54. Reports a suspicious email
  55. Knows not to plug unknown USBs into devices
  56. “We’ll accept the risk” (without documentation 😉)
  57. Saying “If it seems too good to be true, it probably is”
  58. Attending a security awareness training session
  59. Recognizes a scam or fake offer
  60. Verifying a payment/change request via phone
  61. No documented incident response plan
  62. Uses multi‑factor authentication
  63. Uses approved systems for work files
  64. Vendor without recent SOC 2 report
  65. Computer screen locked when away
  66. Double-checking an external email recipient
  67. Avoids sharing credentials with anyone
  68. Someone’s connection freezes mid‑sentence
  69. Updates software when prompted
  70. Locks computer when stepping away
  71. Phishing email reported
  72. Slide with a lot of tiny text
  73. Free!
  74. Deletes data they’re no longer authorized to retain
  75. Recognizes an “urgent” or “act now” red flag
  76. Uses secure file transfer instead of email attachment
  77. Notices spelling/grammar errors in a suspicious email
  78. Identifies suspicious activity on their account
  79. Pet appears on camera
  80. Suspicious login alert
  81. Identifies a spoofed sender name