The Security Champion Cheat Sheet
14 Rules to Stop Phishing. Print this page and keep it at your desk. Teach one rule per week to your team.
Reading Links (Rules 1-3)
- The real destination is the last two parts before the first slash.
- If the brand name isn't the domain itself, it's decoration.
- Never use a suspicious message to verify itself. Go outside of it.
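A small script that applies Rules 1 and 2 mechanically, added here as an illustration and not part of the original cheat sheet. It extracts the real destination of a link (the last two parts of the host before the first slash, or three parts for hosts such as `example.co.uk`, where the last two labels are a public suffix) and flags a brand name that appears only as decoration in the subdomain, userinfo, path or query. The sample URLs and the short multi-part suffix list are constructed for the example; a production checker would consult the full Public Suffix List.

```python
"""Added example (not from the original cheat sheet): read a link the way
Rules 1 and 2 say to. real_destination() returns the registrable domain;
is_decoration() reports a brand name that is present in the URL but is not
the registrable domain itself."""

from urllib.parse import urlsplit

# Constructed, deliberately incomplete list of two-label public suffixes.
# For these, "last two parts" must become "last three parts".
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def real_destination(url: str) -> str:
    """Return the registrable domain of a URL: the last two labels of the
    host, or the last three when the host ends in a known multi-part suffix."""
    if "://" not in url:
        url = "http://" + url  # allow bare hosts such as "paypal.com.example.net"
    # urlsplit().hostname discards userinfo ("paypal.com@evil.example") and
    # the port, so only the part that actually resolves is considered.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or all(label.isdigit() for label in labels):
        return host  # single label or an IPv4 literal: nothing to shorten
    keep = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-keep:])


def is_decoration(url: str, brand: str) -> bool:
    """Rule 2: True when the brand name occurs somewhere in the URL but is
    not the registrable domain, i.e. it is decoration, not the destination."""
    brand = brand.lower()
    destination_name = real_destination(url).split(".")[0]
    return brand in url.lower() and brand != destination_name


def explain(url: str, brand: str) -> str:
    """One-line verdict suitable for a training slide or a report ticket."""
    destination = real_destination(url)
    if is_decoration(url, brand):
        return f"'{brand}' is decoration; this link really goes to {destination}"
    return f"this link goes to {destination}"


if __name__ == "__main__":
    # Constructed sample links; none of these hosts are real targets.
    samples = [
        ("https://accounts.paypal.com.login-verify.example/reset", "paypal"),
        ("https://www.paypal.com/signin", "paypal"),
        ("http://paypal.com@evil.example/", "paypal"),
        ("https://www.amazon.co.uk/orders", "amazon"),
        ("https://example.net/paypal/login", "paypal"),
    ]
    for link, brand in samples:
        print(f"{link}\n  -> {explain(link, brand)}")
```

The userinfo case (`http://paypal.com@evil.example/`) is worth showing in training: everything before the `@` is ignored by the browser, so the host that resolves is `evil.example`, exactly what Rule 1 predicts once you look at the last two parts before the first slash.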
Understanding Attackers (Rules 4-6)
- Everything the attacker knows about you is probably public. Act accordingly.
- The more urgent it feels, the more important it is to slow down.
- Verify the person, not the account. Call them.
Beyond Email (Rules 7-9)
- Hang up and call back. You can't trust incoming calls or texts.
- Inside the company network doesn't mean inside the company.
- If you can't see where it goes before you scan it, verify before you trust it.
Business Email Compromise (Rules 10-12)
- BEC has no links, no malware, no typos. It's just a convincing request.
- If there's nothing malicious to scan, no scanner can save you. Only process can.
- Any change to where money goes requires a phone call to confirm. No exceptions.
Being a Security Champion (Rules 13-14)
- WHO, WHAT, WHY, DOES IT MAKE SENSE. If any answer feels wrong, verify.
- Not everything is a threat. Accurate judgment beats blanket suspicion.
Three Core Habits
Pause Before Acting
Every attack depends on you acting before thinking. A five-second pause defeats most of them.
Verify Through a Separate Channel
Call, walk over, or message through a different app. Use a contact method you already trust, not one from the message.
Report Without Shame
Your report protects others. Security teams would rather investigate 100 false alarms than miss one real attack.
The Four-Question Checklist
For any message that asks you to take action:
| Question | Ask yourself |
|---|---|
| WHO sent this? | Do I know them? Normal channel? Anything different from usual? |
| WHAT are they asking? | Password? Money? File? Data? Channel change? |
| WHY now? | Unusual urgency? Manufactured timing? Threats? |
| DOES IT MAKE SENSE? | Normal request? Normal channel? Matches our processes? |
If any answer feels wrong → VERIFY. Through a separate channel. Using contact information you already have.