GSD Security Library
GSD field guide

Security Awareness

The habits that stop almost everything.

A short session · for your team


01 · Breaches

Your info is probably already out there

Assume your email and some old passwords have turned up in a breach. That is true for almost everyone, and it isn't on you. Companies you trusted got hit. What counts now is making that old data useless.

Check your exposure: haveibeenpwned.com
Put your email address in to see which breaches it turned up in; the site's Pwned Passwords page lets you check whether a password itself has leaked. If a leaked password is one you still reuse, change it first, everywhere it's used. Reused passwords are where the real damage happens, because attackers try leaked logins on every other site they can think of.
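How the "has this password leaked" check can be done without ever sending the password anywhere, as an added example (not code from the GSD deck): the Pwned Passwords service takes only the first five hex characters of the password's SHA-1 hash and returns every leaked hash that shares them, so the match is made on your own machine. The real endpoint is https://api.pwnedpasswords.com/range/<prefix>; the response body used below is constructed for the example and its counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """The service answers with one 'SUFFIX:COUNT' line per leaked hash that
    shares the prefix (hundreds of lines, CRLF separated)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appeared in known breaches; 0 means not seen.
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not used by the offline demo below). Only the prefix is sent;
    the service cannot tell which of the returned hashes, if any, is yours."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "gsd-awareness-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service's answer for prefix 5BAA6, which is the
# prefix of SHA-1("password"). The other suffixes and all counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0119D2F4F6DC0E5A3B2B3E2C8A1C8E7F0A3:1\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range_live, serving the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a phrase nobody has typed 7f3e2c"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times")
```

To check a real password, pass fetch_range_live instead of fake_fetch_range; the service asks for a User-Agent header, which the live fetcher sets.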
02 · Phishing

Spotting a phish

A phishing message wants you to act before you think. It shows up by email, by text (smishing), by phone call (vishing), even as a QR code. AI writes them cleanly now, so good spelling isn't proof it's real. The tells still hold:

  • Urgency. "Act now or else."
  • Odd sender. Familiar name, address slightly off.
  • Strange ask. A password, a payment, gift cards.
  • Out of nowhere. You didn't ask for this.
  • "Dear Customer." Generic greeting, not your name.
The callback rule. If your bank or your boss asks you for anything, hang up and call back on a number you look up yourself. Never the one they gave you.
03 · QR codes

Check where a code takes you

QR codes carry scams too, and the number of them is climbing fast. A sticker placed over the real code on a parking meter or a flyer, or a code dropped into an email to get past link filters, can open a fake login or payment page that looks right.

  • After it opens, read the address bar before you type anything. The part just before the first single slash has to be the company's real domain or a subdomain of it; a name that merely contains the company's name is not the same thing.
  • Be suspicious if a scan jumps straight to a login or a payment.
  • On a printed code, check it isn't a sticker placed over the original.
Scanning is fine. The moment a code asks you to log in or pay, slow down and check the address before you trust the page.
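What "the domain actually matches" means in practice, as an added example (not code from the GSD deck): the checks a person does by eye, written out so the tricks that fool the eye are explicit. The expected domain example-bank.com and every URL below are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_qr_url(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL decoded from a QR code.

    ok is True only when the URL is https and its host is expected_domain or a
    subdomain of it. Everything else that looks plausible to the eye is rejected
    with the reason named, so the caller can say why."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"not https (scheme is {parts.scheme or 'missing'})"
    # .hostname drops any 'user@' prefix and ':port' suffix and lowercases, so
    # https://example-bank.com@evil.example/ is seen as evil.example.
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    # A bare IP address is never the company's login page.
    if host.replace(".", "").isdigit() or ":" in host:
        return False, f"IP address literal {host}"
    # Lookalike names: accented letters or punycode (xn--) labels that render
    # like the real name.
    if any(ord(c) > 127 for c in host) or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        return False, f"lookalike or internationalised host {host}"
    expected = expected_domain.lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, f"host {host} belongs to {expected}"
    # Catches example-bank.com.evil.example, fakeexample-bank.com and
    # evil.example/example-bank.com/... alike: the host is simply not ours.
    return False, f"host {host} is not {expected}"


# Constructed sample scans for the demo, with the verdict a careful reader
# should reach by eye.
SAMPLE_SCANS = [
    "https://login.example-bank.com/signin",            # genuine subdomain
    "https://example-bank.com.evil.example/signin",     # real name, wrong site
    "https://example-bank.com@evil.example/",           # name hidden in userinfo
    "https://evil.example/example-bank.com/login",      # name moved into the path
    "http://example-bank.com/",                         # plain http
    "https://203.0.113.5/login",                        # raw IP address
    "https://xn--exmple-bank-5db.com/",                 # punycode lookalike
    "https://fakeexample-bank.com/",                    # prefixed lookalike
]


def run_samples(expected_domain: str = "example-bank.com") -> dict[str, bool]:
    """Verdict for each sample scan, keyed by URL."""
    return {url: check_qr_url(url, expected_domain)[0] for url in SAMPLE_SCANS}


if __name__ == "__main__":
    for url in SAMPLE_SCANS:
        ok, reason = check_qr_url(url, "example-bank.com")
        print(f"{'OK  ' if ok else 'STOP'} {url}  ({reason})")
```

The function does not consult a public-suffix list, so it treats any subdomain of the expected domain as fine; that is the right call for a company's own domain, but not for shared hosting domains where anyone can register a subdomain.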
04 · Passwords and MFA

The one that matters most

Get these right and you've closed most of the door. Honestly this counts for more than the rest put together.

Do

  • Use a password manager. One master password, a strong unique one everywhere else.
  • Turn on MFA, and switch to passkeys wherever they're offered.
  • Give made-up answers to security questions and keep them in the manager. The real answers (first school, mother's maiden name) are often findable online.

Don't

  • Reuse one password across sites.
  • Approve a login prompt you didn't start.
  • Log in from a link in a message. Open the site yourself.
MFA, better to best: SMS code → authenticator app → passkey.
A fake login page can now relay an SMS or app code to the real site in the seconds it stays valid, so codes alone no longer stop phishing. Passkeys are the real fix: they are tied to the site's real domain, so a lookalike site never gets a sign-in it can use.
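Why a relayed passkey sign-in fails where a relayed one-time code succeeds, as an added example (not code from the GSD deck). The protocol shape follows WebAuthn: the authenticator signs the hash of the relying-party ID together with client data that records the origin the browser was really on, and the browser, not the page, fills in both. Assumptions made to keep the example dependency-free: the authenticator's signature is stood in for by an HMAC with a key the site also holds, the one-time code is a simplified time-based code rather than full RFC 6238, and the site names example-bank.com and example-bank-login.com are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

REAL_SITE = "example-bank.com"          # constructed: the genuine site
PHISH_SITE = "example-bank-login.com"   # constructed: lookalike running a relay proxy


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _sign(key: bytes, data: bytes) -> bytes:
    # Stand-in for the authenticator's private-key signature (assumption: HMAC
    # with a key the relying party also holds, so no asymmetric crypto needed).
    return hmac.new(key, data, hashlib.sha256).digest()


class Authenticator:
    """Passkey holder. rp_id and origin come from the browser's address bar; a
    page cannot ask for another site's rp_id, and a real authenticator would not
    even find a credential for the phishing site's rp_id."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, origin: str, challenge: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge,
             "origin": f"https://{origin}"}, sort_keys=True).encode()
        auth_data = _sha256(rp_id.encode())   # rpIdHash, as in WebAuthn authData
        sig = _sign(self.key, auth_data + _sha256(client_data))
        return {"auth_data": auth_data, "client_data": client_data, "sig": sig}


class RelyingParty:
    """The genuine site's verifier."""

    def __init__(self, rp_id: str, authenticator_key: bytes) -> None:
        self.rp_id = rp_id
        self.key = authenticator_key
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple[bool, str]:
        client = json.loads(assertion["client_data"])
        if client.get("challenge") not in self.pending:
            return False, "unknown or reused challenge"
        if client.get("origin") != f"https://{self.rp_id}":
            return False, f"signed for origin {client.get('origin')}, not ours"
        if assertion["auth_data"] != _sha256(self.rp_id.encode()):
            return False, "rpIdHash does not match this site"
        expected = _sign(self.key, assertion["auth_data"] + _sha256(assertion["client_data"]))
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        self.pending.discard(client["challenge"])
        return True, "passkey accepted"


def passkey_login(site_user_is_on: str) -> tuple[bool, str]:
    """Sign in to REAL_SITE with a passkey from a browser sitting on
    site_user_is_on. If that is PHISH_SITE, the proxy relays the genuine
    challenge, but the browser still stamps the phishing origin and rp_id."""
    auth = Authenticator()
    bank = RelyingParty(REAL_SITE, auth.key)
    challenge = bank.new_challenge()                      # relayed by the proxy when phished
    assertion = auth.get_assertion(site_user_is_on, site_user_is_on, challenge)
    return bank.verify(assertion)                         # proxy forwards it unchanged


def totp(shared_secret: bytes, now: float) -> str:
    """Simplified 6-digit time-based code (not RFC 6238's dynamic truncation)."""
    counter = int(now // 30).to_bytes(8, "big")
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp_login(site_user_is_on: str, now: float = None) -> bool:
    """Same relay with a one-time code. site_user_is_on is never consulted:
    the code carries no record of where it was typed, so the bank cannot tell."""
    now = time.time() if now is None else now
    secret = secrets.token_bytes(20)
    typed_code = totp(secret, now)                        # typed into the phishing page
    # The proxy forwards it to the bank inside the same 30-second window.
    return hmac.compare_digest(typed_code, totp(secret, now))


if __name__ == "__main__":
    print("passkey, real site:", passkey_login(REAL_SITE))
    print("passkey, relayed via phishing site:", passkey_login(PHISH_SITE))
    print("one-time code, relayed via phishing site:", otp_login(PHISH_SITE))
```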
05 · AI impersonation

When the voice or face is faked

Cloning a voice or a face is cheap now, and a few seconds of audio is enough. A call or even a video can sound and look like your boss or a family member, pushing you to move money or hand over access fast.

Your move: verify before you act.
Anything urgent that involves money or access, like a wire or a "new bank details" request, gets confirmed first on a channel you already trust. A call back to a number you already have, or a second person who signs off. Never on the request alone.
The same holds at home. If an urgent call sounds like someone you know, hang up and reach them back on a number you already have.
06 · Handling PII

Treat personal data like it's borrowed

Names, emails, phone numbers, addresses, payment details. Yours and other people's. When you hold data on customers and contacts, you're responsible for it, and that's where a small slip becomes a real problem.

  • Keep only what you need, and give access on a need to know basis.
  • Keep customer and contact PII out of AI tools and random websites. Once it's in, you can't get it back.
  • Send sensitive files with expiring, named, view-only links, not "anyone with the link."
  • If PII might be exposed, report it fast. Speed limits the damage.
When in doubt, share less and ask. Over-sharing data is the most common way a small mistake turns into a big one.
07 · Ransomware

It's about your account and your data now

If your files live in the cloud, version history and your IT team's backups usually cover the old "everything got encrypted" attack, as long as the attacker can't delete those versions too. The risk has moved to attackers signing in as you and copying data out to leak or sell, which version history does nothing about.

  • The protection that matters most is your login. Use passkeys and keep MFA on.
  • Keep less customer data in your files than you think you need. Less to steal.
  • If files look renamed or encrypted, or a ransom note appears, disconnect and report right away. Don't pay, and don't try to fix it yourself.
Your IT team keeps backups and recovery. Your job is to protect your login and report fast.
08 · If something seems off

Say something, fast

Most of the damage happens in the gap between "that was weird" and someone doing something about it. Reporting early is the single most useful habit on this list.

  • If you clicked, entered a password, or sent something you shouldn't have, report it right away.
  • Speed beats embarrassment. The sooner it's flagged, the less it costs.
  • You won't be in trouble for reporting, even if it turns out to be nothing.
Tell your IT or security contact the moment something feels off. Asking "is this real?" is always the right call.
Take these home

The whole list, in one place

01 Breaches: Check Have I Been Pwned, drop reused passwords.
02 Phishing: Slow down on urgency, across email, text, and calls.
03 QR codes: Check where it takes you before you log in or pay.
04 Passwords: Manager, MFA, passkeys.
05 AI fakes: Call back to verify before you act on a voice or video.
06 PII: Share less, least access, keep it out of AI tools.
07 Ransomware: Protect your login, report fast.
08 Report it: Tell IT the moment something feels off.
Questions, or want this run for your team? [email protected] · getsitdone.ai  ·  Get Stuff Done