IRCTC warns of fake app and website scamming users out of their sensitive information—here’s how to stay safe

• IRCTC has warned users about a fake Android app and website that tries to steal sensitive information from users looking to book tickets for their next journey.
  
• The fake app and website look eerily like the original, which makes it difficult for end users to distinguish between the two.
  
• The fake IRCTC app for Android smartphones goes by the name ‘irctcconnect.apk’ and is being circulated via WhatsApp and Telegram.
  

IRCTC has warned users about a fake Android app and website that tries to steal sensitive information from users looking to book tickets for their next journey. The fake app and website look eerily like the original, which makes it difficult for end users to distinguish between the two.

Indian Railway Catering and Tourism Corporation (IRCTC) is a state-owned service that allows users to book rail, air, bus and hotel tickets.

The fake IRCTC app for Android smartphones goes by the name ‘irctcconnect.apk’ and is being circulated via WhatsApp and Telegram. Given that it’s very trivial for Android users to manually install an app using an apk file, IRCTC had to issue an advisory to warn users about the fake app.

The fake IRCTC app used by hackers to target passengers also has an accompanying website – https://irctc.creditmobile.site – which looks to have been blocked now.

“Fraudsters’ aim is to get sensitive net banking credentials, including UPI details and credit/debit card information, from victims who fall prey to the smishing attack,” the IRCTC warning said.

Android safety 101

One of the easiest ways of staying safe while using an Android device is by not clicking on unknown links or installing apps from unknown sources.

• Newer versions of Android require users to allow app installation from unknown sources to be enabled on a per-app basis. Users are recommended to always install apps from official sources like the Google Play store.
  
• While clicking on links, ensure that you can determine their authenticity. If you cannot directly verify this, it is recommended that you search for the company’s website. Popular search engines like Google or Bing usually surface the official website as the top search results, so that is another way to make sure to verify the authenticity.
  
• One of the most common vectors of stealing information and phishing attacks is via one-time passwords – if you receive an OTP without having requested it, simply ignore it and never share it with anyone.
  
• Users are also recommended to always keep their apps and software up to date.
  
• Android smartphones also come with app verification via a service called ‘Play Protect’. It is enabled by default, but it is worth ensuring that it is on and running.
  
• Lastly, always be cautious with app permissions – only grant necessary permissions and avoid giving access to sensitive information or features unless absolutely required.
  

SEE ALSO:

Companies with $465 billion in combined market cap to see a CEO change in the next 12 months: Here’s what investors should do

HDFC-HDFC Bank merger to bring foreign inflows of up to $3 billion

Infosys shares tank over 9% post a disappointing Q4, analysts caution demand moderation ahead