
General Security Awareness - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. To keep track, place a mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it. You can also cut out each item, place the items in a bag, and pull them from the bag.


  1. Phishing email reported
  2. Unpatched system identified
  3. Uses multi‑factor authentication
  4. Missing BAA for a PHI‑handling vendor
  5. No documented incident response plan
  6. Pet appears on camera
  7. Updating software when prompted
  8. Mentions “Think before you click”
  9. High-risk vendor flagged
  10. Recognizes a fake login page
  11. Uses company‑approved cloud storage
  12. Avoids downloading unknown applications
  13. Updates software when prompted
  14. Identifies a spoofed sender name
  15. Recognizes a suspicious QR code
  16. Slide with a lot of tiny text
  17. “You’re on mute.”
  18. Uses only approved tools for work
  19. Forwards unusual emails to the security team
  20. Recognizes a scam or fake offer
  21. Data not classified correctly
  22. Reporting a lost or stolen device
  23. Verifies sender email address
  24. Someone mentions “Zero trust.”
  25. Validates payment or change requests through a second channel
  26. Double-checking an external email recipient
  27. Someone mentions “AI” or “Copilot.”
  28. USB stick plugged into a corporate laptop
  29. Knows how to report an incident
  30. Using secure file transfer instead of email
  31. Shreds documents with personal or client info
  32. Recognizes when someone asks for too much information
  33. Attending a security awareness training session
  34. “This looks like a phishing attempt”
  35. Saying “If it seems too good to be true, it probably is”
  36. Someone says “Let’s take that offline.”
  37. Avoids taking photos/screenshots of client data
  38. Shared credentials discovered
  39. Hovering over links before clicking
  40. Uses secure file transfer instead of email attachment
  41. Uses approved systems for work files
  42. Free!
  43. Default password still in use
  44. Strong passphrase used (not just complex password)
  45. Someone says, “That’s a great question.”
  46. Double-checks external recipients before sending
  47. Missing evidence for an audit test
  48. Stores sensitive files securely
  49. Notices spelling/grammar errors in a suspicious email
  50. Declines to share information over the phone
  51. Locks computer when stepping away
  52. “Shadow IT” app found
  53. Deletes unexpected attachments
  54. Someone’s connection freezes mid‑sentence
  55. Knows the organization’s security policies exist
  56. Reports a suspicious text message
  57. Multi-factor authentication (MFA) enabled
  58. Vendor without recent SOC 2 report
  59. Recognizes an “urgent” or “act now” red flag
  60. “We’ll accept the risk” (without documentation 😉)
  61. Sensitive data sent via unencrypted email
  62. Deletes data they’re no longer authorized to retain
  63. Avoids public Wi‑Fi for work tasks
  64. “If it seems too good to be true, it probably is”
  65. Employee uses the “Report Phish” button
  66. “Can you see my screen?”
  67. “Sorry, I was on another call.”
  68. Computer screen locked when away
  69. Knows not to plug unknown USBs into devices
  70. Firewall rule allows “ANY/ANY” traffic
  71. Completes annual security training
  72. Suspicious login alert
  73. Reports a suspicious email
  74. Quarterly access review completed
  75. Public link sharing disabled on a file
  76. Creates a strong passphrase (not just a password)
  77. Avoids sharing credentials with anyone
  78. Verifying a payment/change request via phone
  79. Avoids sending sensitive info unencrypted
  80. Excessive permissions (over‑privileged access)
  81. Identifies suspicious activity on their account