
General Security Awareness - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place a mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it, to keep track. You can also cut out each item, place the items in a bag, and pull them from the bag.


  1. Missing evidence for an audit test
  2. “This looks like a phishing attempt”
  3. High-risk vendor flagged
  4. Recognizes a scam or fake offer
  5. Strong passphrase used (not just complex password)
  6. Avoids sharing credentials with anyone
  7. Computer screen locked when away
  8. “Can you see my screen?”
  9. Forwards unusual emails to the security team
  10. Deletes data they’re no longer authorized to retain
  11. Avoids sending sensitive info unencrypted
  12. Reports a suspicious email
  13. Avoids public Wi‑Fi for work tasks
  14. Notices spelling/grammar errors in a suspicious email
  15. Recognizes a suspicious QR code
  16. Someone’s connection freezes mid‑sentence
  17. Missing BAA for a PHI‑handling vendor
  18. Knows not to plug unknown USBs into devices
  19. Identifies suspicious activity on their account
  20. Uses only approved tools for work
  21. Uses multi‑factor authentication
  22. Declines to share information over the phone
  23. Recognizes when someone asks for too much information
  24. Shreds documents with personal or client info
  25. Data not classified correctly
  26. Shared credentials discovered
  27. Creates a strong passphrase (not just a password)
  28. Someone mentions “AI” or “Copilot.”
  29. Locks computer when stepping away
  30. Using secure file transfer instead of email
  31. Reporting a lost or stolen device
  32. Free!
  33. Deletes unexpected attachments
  34. Verifies sender email address
  35. Mentions “Think before you click”
  36. Stores sensitive files securely
  37. USB stick plugged into a corporate laptop
  38. Someone says “Let’s take that offline.”
  39. Reports a suspicious text message
  40. Attending a security awareness training session
  41. Default password still in use
  42. Completes annual security training
  43. Saying “If it seems too good to be true, it probably is”
  44. Updates software when prompted
  45. “Sorry, I was on another call.”
  46. “Shadow IT” app found
  47. Unpatched system identified
  48. Double-checks external recipients before sending
  49. Uses company‑approved cloud storage
  50. Hovering over links before clicking
  51. Identifies a spoofed sender name
  52. Updating software when prompted
  53. “You’re on mute.”
  54. Firewall rule allows “ANY/ANY” traffic
  55. Double-checking an external email recipient
  56. Sensitive data sent via unencrypted email
  57. Avoids downloading unknown applications
  58. Employee uses the “Report Phish” button
  59. “If it seems too good to be true, it probably is”
  60. Quarterly access review completed
  61. Knows how to report an incident
  62. Validates payment or change requests through a second channel
  63. Recognizes an “urgent” or “act now” red flag
  64. No documented incident response plan
  65. Pet appears on camera
  66. “We’ll accept the risk” (without documentation 😉)
  67. Knows the organization’s security policies exist
  68. Uses secure file transfer instead of email attachment
  69. Suspicious login alert
  70. Avoids taking photos/screenshots of client data
  71. Someone says, “That’s a great question.”
  72. Public link sharing disabled on a file
  73. Excessive permissions (over‑privileged access)
  74. Someone mentions “Zero trust.”
  75. Slide with a lot of tiny text
  76. Verifying a payment/change request via phone
  77. Uses approved systems for work files
  78. Recognizes a fake login page
  79. Phishing email reported
  80. Multi-factor authentication (MFA) enabled
  81. Vendor without recent SOC 2 report