Uses onlyapprovedtools forworkDouble-checksexternalrecipientsbefore sendingRecognizesasuspiciousQR codeSomeonementions“Zerotrust.”Uses securefile transferinstead ofemailattachmentReportinga lost orstolendeviceMissing BAAfor aPHI‑handlingvendorMulti-factorauthentication(MFA)enabledNoticesspelling/grammarerrors in asuspicious emailRecognizesa scam orfake offerAvoidsdownloadingunknownapplicationsCreates astrongpassphrase(not just apassword)“ShadowIT” appfoundLockscomputerwhensteppingawayAvoidssendingsensitive infounencryptedVendorwithoutrecent SOC2 reportFree!Using securefile transferinstead ofemailUpdatessoftwarewhenpromptedSomeonesays, “That’sa greatquestion.”Avoids takingphotos/screenshotsof client dataSuspiciouslogin alertUsesapprovedsystems forwork filesEmployeeuses the“ReportPhish”button“If it seemstoo good tobe true, itprobably is”Hoveringover linksbeforeclickingUsesmulti‑factorauthenticationPhishingemailreportedIdentifiessuspiciousactivity ontheir accountVerifiessenderemailaddressVerifying apayment/changerequest viaphone“Thislooks likea phishingattempt”Defaultpasswordstill in useMissingevidencefor anaudit testRecognizesa fake loginpage“You’reonmute.”NodocumentedincidentresponseplanQuarterlyaccessreviewcompletedUnpatchedsystemidentifiedAvoidssharingcredentialswith anyoneAttending asecurityawarenesstrainingsessionDeletesunexpectedattachmentsDeclines toshareinformationover thephoneStoressensitivefilessecurelySharedcredentialsdiscoveredRecognizesan “urgent”or “act now”red flagReports asuspiciousemailShredsdocumentswithpersonal orclient infoUSB stickplugged intoa corporatelaptop“We’ll acceptthe risk”(withoutdocumentation😉)Usescompany‑approvedcloud storageIdentifiesa spoofedsendernameSomeonesays “Let’stake thatoffline.”CompletesannualsecuritytrainingKnows theorganization’ssecuritypolicies existSomeone’sconnectionfreezesmid‑sentenceSensitivedata sent viaunencryptedemail“Can yousee myscreen?”Forwardsunusualemails to thesecurityteamComputerscreenlockedwhen awaySomeonementions“AI” or“Copilot.”Firewallrule allows“ANY/ANY”trafficStrongpassphraseused (notjust complexpassword)“Sorry, Iwas onanothercall.”Validatespayment orchangerequeststhrough asecond channelPublic linksharingdisabledon a fileExcessivepermissions(over‑privilegedaccess)Data notclassifiedcorrectlyMentions“Thinkbeforeyou click”High-riskvendorflaggedRecognizeswhensomeone asksfor too muchinformationDouble-checking anexternalemailrecipientKnowshow toreport anincidentPetappearsoncameraAvoidspublicWi‑Fi forwork tasksReports asuspicioustextmessageUpdatingsoftwarewhenpromptedDeletes datathey’re nolongerauthorized toretainSaying “If itseems toogood to betrue, itprobably is”Knows not toplugunknownUSBs intodevicesSlide witha lot oftiny textUses onlyapprovedtools forworkDouble-checksexternalrecipientsbefore sendingRecognizesasuspiciousQR codeSomeonementions“Zerotrust.”Uses securefile transferinstead ofemailattachmentReportinga lost orstolendeviceMissing BAAfor aPHI‑handlingvendorMulti-factorauthentication(MFA)enabledNoticesspelling/grammarerrors in asuspicious emailRecognizesa scam orfake offerAvoidsdownloadingunknownapplicationsCreates astrongpassphrase(not just apassword)“ShadowIT” appfoundLockscomputerwhensteppingawayAvoidssendingsensitive infounencryptedVendorwithoutrecent SOC2 reportFree!Using securefile transferinstead ofemailUpdatessoftwarewhenpromptedSomeonesays, “That’sa greatquestion.”Avoids takingphotos/screenshotsof client dataSuspiciouslogin alertUsesapprovedsystems forwork filesEmployeeuses the“ReportPhish”button“If it seemstoo good tobe true, itprobably is”Hoveringover linksbeforeclickingUsesmulti‑factorauthenticationPhishingemailreportedIdentifiessuspiciousactivity ontheir accountVerifiessenderemailaddressVerifying apayment/changerequest viaphone“Thislooks likea phishingattempt”Defaultpasswordstill in useMissingevidencefor anaudit testRecognizesa fake loginpage“You’reonmute.”NodocumentedincidentresponseplanQuarterlyaccessreviewcompletedUnpatchedsystemidentifiedAvoidssharingcredentialswith anyoneAttending asecurityawarenesstrainingsessionDeletesunexpectedattachmentsDeclines toshareinformationover thephoneStoressensitivefilessecurelySharedcredentialsdiscoveredRecognizesan “urgent”or “act now”red flagReports asuspiciousemailShredsdocumentswithpersonal orclient infoUSB stickplugged intoa corporatelaptop“We’ll acceptthe risk”(withoutdocumentation😉)Usescompany‑approvedcloud storageIdentifiesa spoofedsendernameSomeonesays “Let’stake thatoffline.”CompletesannualsecuritytrainingKnows theorganization’ssecuritypolicies existSomeone’sconnectionfreezesmid‑sentenceSensitivedata sent viaunencryptedemail“Can yousee myscreen?”Forwardsunusualemails to thesecurityteamComputerscreenlockedwhen awaySomeonementions“AI” or“Copilot.”Firewallrule allows“ANY/ANY”trafficStrongpassphraseused (notjust complexpassword)“Sorry, Iwas onanothercall.”Validatespayment orchangerequeststhrough asecond channelPublic linksharingdisabledon a fileExcessivepermissions(over‑privilegedaccess)Data notclassifiedcorrectlyMentions“Thinkbeforeyou click”High-riskvendorflaggedRecognizeswhensomeone asksfor too muchinformationDouble-checking anexternalemailrecipientKnowshow toreport anincidentPetappearsoncameraAvoidspublicWi‑Fi forwork tasksReports asuspicioustextmessageUpdatingsoftwarewhenpromptedDeletes datathey’re nolongerauthorized toretainSaying “If itseems toogood to betrue, itprobably is”Knows not toplugunknownUSBs intodevicesSlide witha lot oftiny text

General Security Awareness - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
  1. Uses only approved tools for work
  2. Double-checks external recipients before sending
  3. Recognizes a suspicious QR code
  4. Someone mentions “Zero trust.”
  5. Uses secure file transfer instead of email attachment
  6. Reporting a lost or stolen device
  7. Missing BAA for a PHI‑handling vendor
  8. Multi-factor authentication (MFA) enabled
  9. Notices spelling/grammar errors in a suspicious email
  10. Recognizes a scam or fake offer
  11. Avoids downloading unknown applications
  12. Creates a strong passphrase (not just a password)
  13. “Shadow IT” app found
  14. Locks computer when stepping away
  15. Avoids sending sensitive info unencrypted
  16. Vendor without recent SOC 2 report
  17. Free!
  18. Using secure file transfer instead of email
  19. Updates software when prompted
  20. Someone says, “That’s a great question.”
  21. Avoids taking photos/screenshots of client data
  22. Suspicious login alert
  23. Uses approved systems for work files
  24. Employee uses the “Report Phish” button
  25. “If it seems too good to be true, it probably is”
  26. Hovering over links before clicking
  27. Uses multi‑factor authentication
  28. Phishing email reported
  29. Identifies suspicious activity on their account
  30. Verifies sender email address
  31. Verifying a payment/change request via phone
  32. “This looks like a phishing attempt”
  33. Default password still in use
  34. Missing evidence for an audit test
  35. Recognizes a fake login page
  36. “You’re on mute.”
  37. No documented incident response plan
  38. Quarterly access review completed
  39. Unpatched system identified
  40. Avoids sharing credentials with anyone
  41. Attending a security awareness training session
  42. Deletes unexpected attachments
  43. Declines to share information over the phone
  44. Stores sensitive files securely
  45. Shared credentials discovered
  46. Recognizes an “urgent” or “act now” red flag
  47. Reports a suspicious email
  48. Shreds documents with personal or client info
  49. USB stick plugged into a corporate laptop
  50. “We’ll accept the risk” (without documentation 😉)
  51. Uses company‑approved cloud storage
  52. Identifies a spoofed sender name
  53. Someone says “Let’s take that offline.”
  54. Completes annual security training
  55. Knows the organization’s security policies exist
  56. Someone’s connection freezes mid‑sentence
  57. Sensitive data sent via unencrypted email
  58. “Can you see my screen?”
  59. Forwards unusual emails to the security team
  60. Computer screen locked when away
  61. Someone mentions “AI” or “Copilot.”
  62. Firewall rule allows “ANY/ANY” traffic
  63. Strong passphrase used (not just complex password)
  64. “Sorry, I was on another call.”
  65. Validates payment or change requests through a second channel
  66. Public link sharing disabled on a file
  67. Excessive permissions (over‑privileged access)
  68. Data not classified correctly
  69. Mentions “Think before you click”
  70. High-risk vendor flagged
  71. Recognizes when someone asks for too much information
  72. Double-checking an external email recipient
  73. Knows how to report an incident
  74. Pet appears on camera
  75. Avoids public Wi‑Fi for work tasks
  76. Reports a suspicious text message
  77. Updating software when prompted
  78. Deletes data they’re no longer authorized to retain
  79. Saying “If it seems too good to be true, it probably is”
  80. Knows not to plug unknown USBs into devices
  81. Slide with a lot of tiny text