(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
Uses only approved tools for work
Double-checks external recipients before sending
Recognizes a suspicious QR code
Someone mentions “Zero trust.”
Uses secure file transfer instead of email attachment
Reporting a lost or stolen device
Missing BAA for a PHI‑handling vendor
Multi-factor authentication (MFA) enabled
Notices spelling/grammar errors in a suspicious email
Recognizes a scam or fake offer
Avoids downloading unknown applications
Creates a strong passphrase (not just a password)
“Shadow IT” app found
Locks computer when stepping away
Avoids sending sensitive info unencrypted
Vendor without recent SOC 2 report
Free!
Using secure file transfer instead of email
Updates software when prompted
Someone says, “That’s a great question.”
Avoids taking photos/screenshots of client data
Suspicious login alert
Uses approved systems for work files
Employee uses the “Report Phish” button
“If it seems too good to be true, it probably is”
Hovering over links before clicking
Uses multi‑factor authentication
Phishing email reported
Identifies suspicious activity on their account
Verifies sender email address
Verifying a payment/change request via phone
“This looks like a phishing attempt”
Default password still in use
Missing evidence for an audit test
Recognizes a fake login page
“You’re on mute.”
No documented incident response plan
Quarterly access review completed
Unpatched system identified
Avoids sharing credentials with anyone
Attending a security awareness training session
Deletes unexpected attachments
Declines to share information over the phone
Stores sensitive files securely
Shared credentials discovered
Recognizes an “urgent” or “act now” red flag
Reports a suspicious email
Shreds documents with personal or client info
USB stick plugged into a corporate laptop
“We’ll accept the risk” (without documentation 😉)
Uses company‑approved cloud storage
Identifies a spoofed sender name
Someone says “Let’s take that offline.”
Completes annual security training
Knows the organization’s security policies exist
Someone’s connection freezes mid‑sentence
Sensitive data sent via unencrypted email
“Can you see my screen?”
Forwards unusual emails to the security team
Computer screen locked when away
Someone mentions “AI” or “Copilot.”
Firewall rule allows “ANY/ANY” traffic
Strong passphrase used (not just complex password)
“Sorry, I was on another call.”
Validates payment or change requests through a second channel
Public link sharing disabled on a file
Excessive permissions (over‑privileged access)
Data not classified correctly
Mentions “Think before you click”
High-risk vendor flagged
Recognizes when someone asks for too much information
Double-checking an external email recipient
Knows how to report an incident
Pet appears on camera
Avoids public Wi‑Fi for work tasks
Reports a suspicious text message
Updating software when prompted
Deletes data they’re no longer authorized to retain
Saying “If it seems too good to be true, it probably is”