General Security Awareness - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place a mark (such as an X, a checkmark, a dot, or a tally mark) on each item as you announce it to keep track. You can also cut out each item, place the items in a bag, and pull them from the bag.


  1. Identifies a spoofed sender name
  2. Reports a suspicious text message
  3. Identifies suspicious activity on their account
  4. Employee uses the “Report Phish” button
  5. Avoids sharing credentials with anyone
  6. Avoids sending sensitive info unencrypted
  7. Shared credentials discovered
  8. Updates software when prompted
  9. Deletes data they’re no longer authorized to retain
  10. Suspicious login alert
  11. Someone mentions “Zero trust.”
  12. Mentions “Think before you click”
  13. Double-checks external recipients before sending
  14. Excessive permissions (over‑privileged access)
  15. Recognizes a suspicious QR code
  16. Recognizes a scam or fake offer
  17. Quarterly access review completed
  18. Someone says “Let’s take that offline.”
  19. Unpatched system identified
  20. Knows not to plug unknown USBs into devices
  21. Firewall rule allows “ANY/ANY” traffic
  22. Strong passphrase used (not just complex password)
  23. Free!
  24. Shreds documents with personal or client info
  25. “This looks like a phishing attempt”
  26. Pet appears on camera
  27. Forwards unusual emails to the security team
  28. “Shadow IT” app found
  29. “Sorry, I was on another call.”
  30. High-risk vendor flagged
  31. Uses multi‑factor authentication
  32. Uses company‑approved cloud storage
  33. Verifies sender email address
  34. Data not classified correctly
  35. Someone says, “That’s a great question.”
  36. Double-checking an external email recipient
  37. Phishing email reported
  38. Uses approved systems for work files
  39. Default password still in use
  40. “If it seems too good to be true, it probably is”
  41. Avoids downloading unknown applications
  42. Avoids taking photos/screenshots of client data
  43. Sensitive data sent via unencrypted email
  44. Reports a suspicious email
  45. Uses secure file transfer instead of email attachment
  46. Recognizes an “urgent” or “act now” red flag
  47. Verifying a payment/change request via phone
  48. Someone’s connection freezes mid‑sentence
  49. No documented incident response plan
  50. Vendor without recent SOC 2 report
  51. Recognizes when someone asks for too much information
  52. Knows the organization’s security policies exist
  53. Using secure file transfer instead of email
  54. Notices spelling/grammar errors in a suspicious email
  55. “We’ll accept the risk” (without documentation 😉)
  56. “Can you see my screen?”
  57. “You’re on mute.”
  58. Locks computer when stepping away
  59. Validates payment or change requests through a second channel
  60. Updating software when prompted
  61. Attending a security awareness training session
  62. Hovering over links before clicking
  63. Slide with a lot of tiny text
  64. Someone mentions “AI” or “Copilot.”
  65. Public link sharing disabled on a file
  66. Creates a strong passphrase (not just a password)
  67. Recognizes a fake login page
  68. Saying “If it seems too good to be true, it probably is”
  69. Computer screen locked when away
  70. USB stick plugged into a corporate laptop
  71. Stores sensitive files securely
  72. Avoids public Wi‑Fi for work tasks
  73. Completes annual security training
  74. Missing evidence for an audit test
  75. Uses only approved tools for work
  76. Knows how to report an incident
  77. Deletes unexpected attachments
  78. Multi-factor authentication (MFA) enabled
  79. Reporting a lost or stolen device
  80. Declines to share information over the phone
  81. Missing BAA for a PHI‑handling vendor