General Security Awareness - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


  1. Forwards unusual emails to the security team
  2. Reports a suspicious text message
  3. “You’re on mute.”
  4. Knows how to report an incident
  5. Recognizes a fake login page
  6. Identifies a spoofed sender name
  7. Updates software when prompted
  8. Stores sensitive files securely
  9. Knows the organization’s security policies exist
  10. Notices spelling/grammar errors in a suspicious email
  11. Uses multi‑factor authentication
  12. Avoids sharing credentials with anyone
  13. Data not classified correctly
  14. Declines to share information over the phone
  15. Suspicious login alert
  16. Locks computer when stepping away
  17. Using secure file transfer instead of email
  18. USB stick plugged into a corporate laptop
  19. Free!
  20. Verifies sender email address
  21. Avoids downloading unknown applications
  22. Knows not to plug unknown USBs into devices
  23. Creates a strong passphrase (not just a password)
  24. Someone mentions “AI” or “Copilot.”
  25. Reporting a lost or stolen device
  26. “This looks like a phishing attempt”
  27. Employee uses the “Report Phish” button
  28. “Sorry, I was on another call.”
  29. “Can you see my screen?”
  30. “Shadow IT” app found
  31. Firewall rule allows “ANY/ANY” traffic
  32. Deletes unexpected attachments
  33. Shared credentials discovered
  34. Uses only approved tools for work
  35. Missing evidence for an audit test
  36. Avoids taking photos/screenshots of client data
  37. Hovering over links before clicking
  38. No documented incident response plan
  39. Attending a security awareness training session
  40. Recognizes when someone asks for too much information
  41. Computer screen locked when away
  42. Avoids public Wi‑Fi for work tasks
  43. Uses approved systems for work files
  44. Someone says, “That’s a great question.”
  45. Validates payment or change requests through a second channel
  46. Pet appears on camera
  47. Missing BAA for a PHI‑handling vendor
  48. “We’ll accept the risk” (without documentation 😉)
  49. Public link sharing disabled on a file
  50. Recognizes a suspicious QR code
  51. “If it seems too good to be true, it probably is”
  52. Strong passphrase used (not just complex password)
  53. Multi-factor authentication (MFA) enabled
  54. Slide with a lot of tiny text
  55. Uses company‑approved cloud storage
  56. Mentions “Think before you click”
  57. Avoids sending sensitive info unencrypted
  58. Uses secure file transfer instead of email attachment
  59. Quarterly access review completed
  60. Double-checking an external email recipient
  61. Shreds documents with personal or client info
  62. Someone’s connection freezes mid‑sentence
  63. Recognizes an “urgent” or “act now” red flag
  64. Identifies suspicious activity on their account
  65. Sensitive data sent via unencrypted email
  66. Unpatched system identified
  67. Verifying a payment/change request via phone
  68. Someone mentions “Zero trust.”
  69. Reports a suspicious email
  70. Recognizes a scam or fake offer
  71. Default password still in use
  72. Phishing email reported
  73. Vendor without recent SOC 2 report
  74. Deletes data they’re no longer authorized to retain
  75. Completes annual security training
  76. Saying “If it seems too good to be true, it probably is”
  77. Excessive permissions (over‑privileged access)
  78. Updating software when prompted
  79. Someone says “Let’s take that offline.”
  80. Double-checks external recipients before sending
  81. High-risk vendor flagged