The goal is to instill a security-conscious mindset among our employees, both during and outside of work. By expanding our security program’s focus to include personal environments, we equip our employees with the knowledge and skills necessary to protect themselves and the company from cyber threats. By encouraging employees to screenshot and submit ridiculous or funny phishing attempts, we create a platform for shared learning and awareness. The more examples employees encounter, the better prepared they become to spot and report phishing attempts effectively. This approach also fosters a sense of camaraderie and fun while reinforcing the importance of remaining vigilant against phishing attacks and scams.

---

The game is open to all centrexIT employees, and everyone is encouraged to participate. This program is used to help strengthen our collective defense against phishing attacks, heightened security awareness, reinforce vigilance, and have a little fun.

---

Each quarter, the top four (4) submissions, receiving the most votes, will be selected as recipients.

The selected receivers will receive a pay out of $50, grossed up for taxes. The payout schedule is as follows:

• Q1 - April

• Q2 - July

• Q3 - October

• Q4 - January

---

1. Each employee should submit a public or private phishing attempt
2. The form is located at the top of the CIT Phishing Game channel in MS Teams.
3. The form includes all of the instructions on how to fill out and submit the form. (image below)
4. Information Security Lead or designee will select 5 of the most noteworthy submissions and provide the list to the team to vote for the most ridiculous scam/phish attempt and provide that name to Accounting to process the payout.
5. Accounting is responsible for preparing the reward payout for each recipient.

---

1. Submitter - the person who observed the demonstrated behavior and wants to acknowledge the employee
2. Receiver - the person who demonstrated one or more cultural beliefs and is being recognized for it
3. Public - a recognition that is delivered in the CIT Focused Recognition channel for all employees to see
4. Private - a recognition that is quietly delivered to the receiver that is not shared publically with the team
5. Payout - the rewards payment received for either submitting or receiving recognition

---

1. Spot the Fish

• Do not click on any emails/links/attempts, but rather take a picture or screenshot of the scam/phishing attempt, even on personal devices

• Using a game submission form, submit the image

• There is no limit to the number of submissions, and it should happen on a regular basis as it is not limited to one per quarter.

2. Voting Process

• The Information Security Lead or designee will select 5 of the best submissions from the quarter

• Using Polly in Teams, the employees will vote on their favorite submission.

3. Submit names to Accounting and annouce to Team

• The Information Security Lead or designee will provide the list of reward recipients to Accounting no later than the 20th of the month following the end of the quarter. (see the payout schedule above)

• If the 20th should land on a weekend or holiday, the names need to be submitted to Accountng on the business day prior to the weekend or holiday.

• The Information Security Lead will announce the reward recipients during a company meeting; i.e., huddle or Lunch & Learn, as well as posted in the Teams channel.

4. Prepare the payout

• The Accounting department will prepare a separate payment, grossed up for taxes, to be deposited in the recipients account along with the regular pay received at the end of the month.

---

• Rewards channel in Teams: