Scam Alert! Job Hunting After Graduation

Graduation season marks an exciting new chapter—one filled with opportunities, ambition, and the pursuit of that first big career step. But as new grads eagerly enter the job market, scammers are ready to exploit that enthusiasm.

According to the Better Business Bureau (BBB), job scams have surged in recent years, especially among people aged 18 to 34. The BBB’s latest Risk Report ranks job scams as the most dangerous type of scam for this age group, fueled in part by the rise of remote work and job hunting via online platforms.

How These Scams Work

Melanie McGovern of the BBB warns that scammers often pose as recruiters on trusted job sites like LinkedIn and Indeed. Others reach out through emails, texts, or even social media messages offering jobs that sound too good to be true—and they usually are.

“We have seen scam activity on social media sites asking people to apply for jobs or offering them jobs on the spot,” says McGovern.

Fake job listings are often vague, missing key details like job responsibilities or company information. The recruiter profiles may look suspiciously incomplete, or include profile photos that can be traced back to someone else with a quick reverse image search.

And if the “recruiter” quickly moves the conversation to a personal email (like Gmail or Yahoo) or a messaging app, that’s a red flag. “Knowing that you are dealing with a legitimate company is really, really important,” McGovern emphasizes.

Red Flags to Watch

  • Vague job descriptions or listings that are too good to be true
  • Pressure to act fast or get hired on the spot
  • Requests to pay for equipment upfront, or to cash a check and send money back
  • Use of personal email addresses instead of a corporate domain
  • Lack of a formal interview process

Legitimate employers don’t ask for money, and they don’t hire solely via text or chat apps. “Getting a professional job is a professional process,” says McGovern. “There’ll be resumes, reference checks, interviews—either in-person or virtual. That process matters.”

What You Can Do

  • Research the company and recruiter before responding
  • Don’t share personal information until you’ve verified the offer
  • Trust your instincts. If something feels off, pause and investigate
  • Report any scams to BBB Scam Tracker and the FTC at ReportFraud.ftc.gov

Graduates have worked hard to earn their degrees. Don’t let a scam be the first step in your professional journey. Stay informed, stay cautious, and you’ll be on the path to success with confidence.

Ditch the Passwords: Why Passkeys Are the Future of Online Security

Tired of juggling dozens of passwords—or worse, reusing the same one across multiple sites? You’re not alone. But the good news is that passwords may soon be a thing of the past. Enter passkeys, a new, more secure way to log in that’s easier for you and harder for hackers.

What Is a Passkey?

A passkey is a digital credential that lets you sign in to websites and apps without needing a traditional password. Instead of relying on something you know (like a password), passkeys use a combination of something you have (like your phone or computer) and something you are (like a fingerprint or facial recognition).

Passkeys are based on public key cryptography, a tried-and-true method used to protect sensitive data online.

How Are Passkeys Generated?

When you create a passkey for a website or app:

  • Your device generates a key pair: a public key and a private key.
  • The public key is stored with the website or app.
  • The private key stays safely on your device and is never shared.

When you try to log in again, the website sends a challenge to your device. If your device can solve the challenge using the private key (confirmed with Face ID, Touch ID, or your device PIN), you’re in.

No password. No phishing. No problem.
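
The registration and login steps above, as an added example (not code from this article or from any passkey vendor): a simplified Node.js model in which the device signs the site's challenge together with the origin it is on. It is not the WebAuthn wire format, and the origins and function names are hypothetical.

```javascript
// Added example: simplified passkey-style challenge-response (not the WebAuthn wire format).
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public key goes to the site.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Site side: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device side: sign the challenge together with the origin the browser is actually on.
function deviceSign(device, challenge, origin) {
  const payload = Buffer.concat([challenge, Buffer.from(origin, 'utf8')]);
  return crypto.sign('sha256', payload, device.privateKey);
}

// Site side: verify with the stored public key, the challenge it issued and its own origin.
function serverVerify(server, challenge, expectedOrigin, signature) {
  const payload = Buffer.concat([challenge, Buffer.from(expectedOrigin, 'utf8')]);
  return crypto.verify('sha256', payload, server.publicKey, signature);
}

function demo() {
  const SITE = 'https://shop.example';            // hypothetical site
  const LOOKALIKE = 'https://shop-login.example'; // hypothetical lookalike site
  const { device, server } = registerPasskey();

  const c1 = newChallenge();
  const sig1 = deviceSign(device, c1, SITE);
  const c2 = newChallenge(); // the next login attempt gets a different challenge
  return {
    genuineLogin: serverVerify(server, c1, SITE, sig1),
    replayedOnNewChallenge: serverVerify(server, c2, SITE, sig1),
    signedOnLookalike: serverVerify(server, c1, SITE, deviceSign(device, c1, LOOKALIKE)),
    wrongDevice: serverVerify(server, c1, SITE, deviceSign(registerPasskey().device, c1, SITE)),
  };
}

console.log(demo());
```

Only the first check succeeds: a captured signature is useless against a new challenge, and a response produced on a different origin does not verify at the real site.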

The Benefits of Passkeys

  • Stronger security: Passkeys are resistant to phishing, credential stuffing, and brute-force attacks.
  • Convenience: No need to remember or manage passwords.
  • Fast sign-in: Face ID, fingerprint, or device unlock is all it takes.
  • Cross-device sync: Passkeys can sync securely across devices via services like iCloud Keychain or Google Password Manager.

The Risks of Passwords

Passwords have been the weak link in digital security for years:

  • Reused passwords make it easy for hackers to break into multiple accounts.
  • Weak passwords can be cracked by brute-force attacks.
  • Phishing scams can trick users into handing over login credentials.
  • Password databases can be stolen in data breaches, exposing millions of users.

Even with tools like password managers, the risks persist.

Are Passkeys Safe?

Yes – very safe. Because your private key never leaves your device, there’s nothing for hackers to steal or intercept. And since you don’t type anything in, there’s nothing to phish.

Major tech companies—including Apple, Google, Microsoft, and many others—are rapidly adopting passkeys as the new standard for authentication.

Can I Still Use a Password If I Have a Passkey?

Yes, you can still use a password, even if you have a passkey. Password managers like LastPass support both passwords and passkeys, so you have flexibility in how you access your vault.

What Should You Do Now?

  • Start using passkeys where they’re available. Many popular sites and services now support them.
  • Make sure your devices support biometric logins like fingerprint or facial recognition.
  • Use a reputable passkey manager like Apple’s iCloud Keychain or Google Password Manager to sync across your devices.

Not Ready for Passkeys? Use a Password Manager

If you’re not using passkeys yet, the next best step you can take is to use a reputable password manager, such as LastPass.

LastPass helps you:

  • Generate strong, unique passwords for every account.
  • Store them securely in an encrypted vault.
  • Automatically fill them in across devices for easy access.

Even better, LastPass now supports passkeys, allowing you to:

  • Create passkeys for compatible websites and apps.
  • Store them securely alongside your traditional passwords.
  • Use biometric authentication (like Face ID or fingerprint) to log in with ease.

It’s a seamless way to start transitioning to a more secure, password-free future, without giving up convenience.

Device Code Phishing

Don’t Fall for Device Code Phishing!

The Latest Trick from Cybercriminals

Cybercriminals never stop innovating, and their latest scam targets something you might not expect: the login process on your smart TVs, streaming devices, and even workplace tools. It’s called device code phishing, and it’s designed to trick you into handing over your login credentials through a process that looks completely legitimate.

Here’s what you need to know to stay safe.

What Is Device Code Phishing?

You’ve likely seen it before: a screen on your device that says something like,

“Visit example.com/activate and enter this code to sign in.”

This is known as a device authorization flow, and it’s a normal part of logging into apps on devices that don’t have a keyboard. It’s used by Netflix, Microsoft 365, Google, and more.

But now, attackers are copying that process to phish for your login info. Instead of a real activation page, they set up fake websites that look like the real thing, hoping you’ll enter your code and credentials.

Once you do, they instantly use those credentials on the real service to hijack your account.

How Does the Scam Work?

  1. You’re prompted with a real-looking activation screen. It may appear on a smart TV, streaming device, or even through a pop-up in a phishing email.
  2. You visit the link and enter the code. But instead of going to a real site like hulu.com/activate, you’re sent to something like hululogin-verify.com, which is a site controlled by hackers.
  3. They capture your login info. And now they have access to your streaming account, cloud tools, or even work systems.

Why It’s So Dangerous

  • It looks totally legit. These scams mimic real services and processes you trust.
  • It bypasses traditional phishing defenses. Since the actual login happens on a separate device, you might not even realize something went wrong.
  • It can lead to serious data breaches. If they get into your work or personal accounts, they may access sensitive info, financial data, or worse.

How to Protect Yourself

  • Double-check all URLs. Legitimate activation links should be short and familiar (e.g., netflix.com/activate, not netflix-support.tv).
  • Don’t scan QR codes or follow links from unexpected sources. Always verify directly on the device.
  • Use multi-factor authentication (MFA) such as Duo by Cisco. Even if attackers get your password, MFA can stop them cold.
  • Stay skeptical of pop-ups. Especially if they appear out of context or ask you to act fast.
  • Educate your family and employees. The more people who recognize this scam, the less damage it can do.
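
The "double-check all URLs" advice can be automated, for example in a mail filter or a help-desk tool. The following is an added example, not Citynet's code: it accepts an activation link only when its host is a trusted domain or a true subdomain of one. The allowlist holds just the two domains the article names, and the function name is hypothetical.

```javascript
// Added example: allowlist check for activation links (sample values, not a complete list).
const TRUSTED = ['netflix.com', 'hulu.com']; // activation domains named in the article

// Brand label of each trusted domain, used only to explain why a miss looks suspicious.
const BRANDS = TRUSTED.map((d) => d.split('.')[0]);

function checkActivationLink(link) {
  let url;
  try {
    // Links shown on a TV screen often omit the scheme; assume https for parsing.
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : `https://${link}`);
  } catch {
    return { verdict: 'reject', reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') return { verdict: 'reject', reason: 'not https' };

  // Compare the parsed hostname, never the raw string the user sees.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  // Match the whole hostname or a true subdomain; a substring match is not enough.
  const trusted = TRUSTED.find((d) => host === d || host.endsWith(`.${d}`));
  if (trusted) return { verdict: 'ok', reason: `host belongs to ${trusted}` };

  const brand = BRANDS.find((b) => host.includes(b));
  if (brand) {
    return { verdict: 'reject', reason: `lookalike: mentions "${brand}" but is not its domain` };
  }
  return { verdict: 'reject', reason: 'unknown domain' };
}

// Sample links: the first four come from the article, the last two are constructed.
const SAMPLE_LINKS = [
  'netflix.com/activate',
  'netflix-support.tv',
  'hulu.com/activate',
  'hululogin-verify.com',
  'https://www.hulu.com/activate',
  'https://netflix.com.account-check.example/activate',
];

for (const link of SAMPLE_LINKS) {
  console.log(link, '->', checkActivationLink(link));
}
```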

Citynet’s Commitment to Your Security

At Citynet, we know that awareness is your first line of defense against cyber threats. That’s why we regularly share information about the latest scams and security tips, like device code phishing, on our blog and on Facebook and LinkedIn.

For businesses, we go a step further. Our CyberSuite includes powerful tools like security awareness training from KnowBe4, helping your team spot and avoid threats before they cause harm.

If your organization is ready to get serious about cybersecurity, Citynet is ready to help.