Phishing or Fishing?
Malware Madness
Password Pitfalls
Social Engineering
Too Much Info
100

You get an email from Trev0r@heritagehl.com saying to click a link to verify payroll info.

What should you check first?

The email address — even one character off (like trev0r) can be phishing.

100

What type of malware locks your computer and demands payment?

Ransomware

100

Is “Heritage2025!” a strong password? Why or why not?

NO. It's based on the company and year, making it easy to guess.

100

What is “tailgating” in cybersecurity?

When someone follows you into a secured building without a badge.

100

What’s the risk of posting your birthday or pet’s name online?

Hackers can use those as answers to security questions or to guess passwords.

200

An email says “Click here to claim your refund,” but you weren’t expecting one. What’s the red flag?

Unexpected reward or urgency — classic phishing tactic.

200

This type of malware hides inside something that looks safe, like a file or app.

Trojan Horse.

200

Why should you avoid using the same password across multiple sites?

If one site is hacked, all your accounts are at risk.

200

Someone calls pretending to be IT and asks for your login. What should you do?

Hang up and report it — IT will never ask for your password.

200

You tag your workplace, birthday, and favorite team in your bio. What’s the risk?

It makes it easier for hackers to guess security questions or impersonate you.

300

You hover over a link and see a weird web address that doesn’t match the company. What should you do?

Don’t click it — it’s likely a phishing link.

300

This malware tracks everything you type, including logins and passwords.

Keylogger.

300

What’s a safer alternative to memorizing complex passwords for every account?

Use a password manager or vault.

300

What’s “shoulder surfing”?

Watching someone type their password or view sensitive info over their shoulder.

300

Why is it risky to share your kids’ school name or vacation location on social media?

It gives strangers info about your habits and schedule, making you a target.

400

What’s “spear phishing”?

A targeted phishing attempt aimed at one specific person or role, like a manager or CEO.

400

What’s the difference between a virus and a worm?

A worm spreads on its own; a virus needs a host program to spread.

400

What does MFA stand for and why is it important?

Multi-Factor Authentication — adds an extra layer of protection beyond just a password.

400

You get an emotional message from a “friend” asking for money via Venmo. What might this be?

A social engineering scam using a hacked or fake account.

400

You post a photo of your desk with your monitor and ID badge visible. What’s the risk?

Sensitive information could be seen and misused (badge ID, screen info, etc.).

500

How can you report a suspected phishing attempt at work?

Forward to Aubrey, use a phishing report button/mark as spam, or report to a manager.

500

What is “ransomware as a service” (RaaS)?

Cybercriminals sell or lease ransomware tools to others — like a subscription crime model.

500

What’s one reason “P@ssw0rd!” is not a good password even though it looks complex?

It’s a commonly used pattern and easily cracked by hackers.

500

A hacker finds your job title, email, and coworkers' names on LinkedIn. What kind of attack could they plan using that info?

Spear Phishing Attack - send a fake but convincing email pretending to be a coworker or manager.

500

You post a picture of your airline ticket before a trip. What could go wrong?

Scammers can use the barcode or booking number to access your travel details — or even cancel or change your reservation.
