You get an email that says your password is about to expire, but the sender’s address looks off. What should you do?
Don’t click anything. Forward it to IT or report it as phishing.
Phishing often uses urgency and sketchy sender addresses. Always verify first using an alternate method.
True or False - You can reuse passwords across multiple sites if they’re complex.
False. Every account should have a unique password.
Reusing passwords makes all your accounts vulnerable if one gets breached.
What does “least privilege” mean in the context of digital access?
People should only have the access they need for their work - no more.
This reduces the risk if an account is compromised.
You’re working from a café. What’s one thing you should always do before logging into M4BL accounts?
Turn on your VPN.
A partner org asks if they can share login credentials with multiple people for convenience. What's the secure alternative?
Recommend a password manager like Bitwarden (free) or 1Password.
What’s one red flag that an email or DM might be a phishing attempt?
Misspellings, unfamiliar senders, urgent demands, or weird links.
Trust your gut. If it feels off, it probably is.
What’s the safest way to store passwords you need to share across the team?
Use our password manager, 1Password.
Never share passwords in Slack, email, or on paper.
True or False - everyone on staff should have admin access “just in case.”
False. Only those who need admin access should have it.
Admins can make big changes - we limit it for safety.
A staff member DMs you from a conference: “I can't access the team doc, so I’m emailing it to my personal Gmail instead.” What do you say?
Let them know that’s not secure — offer to troubleshoot access or send via a secure channel.
Moving org data to personal accounts increases risk and loses oversight.
An organizer wants to livestream a direct action. What digital risks should you help them consider?
Location tracking, facial recognition, retaliation, or platform takedowns.
A message says, “URGENT: W9 form needed now!” from the People Ops team. What's your first move?
Pause. Contact a real person directly via known methods (like Slack or phone) to verify.
What’s multi-factor authentication, and why do we require it?
A system that uses something you know and something you have (like a code or app).
MFA adds a layer of protection in case your password is stolen.
You’re asked to grant someone admin access to a system. What should you check first?
Check their role, confirm it’s approved, and use group/role-based access if possible.
Always match access to responsibilities, not assumptions.
A team member is working from a borrowed device and needs to access EveryAction fast. What’s the safest way to support them?
Guide them to use Incognito Mode on their browser, log in with MFA, and log out fully when done.
You’re creating a shared folder with organizers across orgs. What’s a safer way to manage access than sending open links?
Use email-based invites, limit to “view only,” and set expiration dates or permissions.
What is the safest way to verify if an unexpected message is real before clicking any links?
Use a second method of communication (Slack, text) to confirm the sender is legit.
Your device gets stolen. What’s one reason a strong passcode matters, even if you're logged out of all accounts?
It prevents someone from unlocking your device and accessing your data.
A strong device password is your first line of defense.
Why is it important to immediately offboard access when someone leaves the org?
Because they could still access sensitive data - and we may be liable.
Immediate deactivation is a must when someone exits.
You get an alert: someone tried to log into a shared admin account from an unusual location. They say it was them, but from a hotspot. What do you do?
Confirm it was intentional using a secure channel.
A volunteer sends a screenshot of sensitive internal messages in a group SMS/text chat. What’s the risk, and how do you address it?
Screenshots can be reshared or weaponized. Ask them to delete it and offer a safer way to reference the info, like a Signal chat.
You already clicked a suspicious link. What steps do you take now?
Report it to another member of the admin team immediately. Change the affected password(s). Scan your computer for malware.
A fast response can stop the damage before it spreads. Don't get stuck in shame; it happens to everyone at some point.
What’s a passphrase, and why is it better than a short, complex password?
A passphrase is a string of random but memorable words (like “sun mango river dance”).
Passphrases are easier to remember and harder to crack.
You accidentally gave someone admin access instead of viewer access. What should you do?
Report the mistake right away and correct the access level.
Transparency helps fix it fast. No shame in mistakes.
A staff member traveling overseas says their internet is unstable and they want to disable MFA just for today. What’s the response?
Explain that MFA must stay on, and help them find an alternate method (like backup codes or app-based access).
An activist abroad says their device was confiscated. They had movement docs saved locally. What’s the lesson here?
Avoid local storage for sensitive info. Encourage cloud storage with MFA and remote wipe tools.