In a decisive move to protect consumers from the rising tide of online fraud, the Reserve Bank of India (RBI) mandated the adoption of a new, exclusive internet domain: .bank.in.
This announcement, first signaled in February 2025 with registrations commencing in April 2025, is a strategic and necessary escalation in India's battle against digital banking fraud, particularly phishing attacks that exploit new internet users.
The attack surface is expanding
The root cause of this domain mandate is the dramatic rise in cyber frauds and phishing incidents reported to the RBI. While the rapid adoption of digital tools like UPI and mobile banking has empowered millions, it has also inadvertently created a vast, vulnerable attack surface that criminals are quick to exploit.
The sheer scale of the threat is staggering. According to the RBI's Annual Report for FY25, the total value of bank frauds surged to a staggering ₹36,014 crore, nearly tripling the amount involved in the previous year. While large loan frauds account for the majority of the value, digital payment frauds (involving cards and the internet) remain the most frequent in number, making up 56.5% of all reported fraud cases. Separate estimates from the Ministry of Home Affairs (MHA) further underscored the crisis, reporting that Indians lost an estimated ₹7,000 crore to various online scams in the first five months of 2025 alone.
The victims are diverse, but often the most vulnerable: first-time digital users, particularly those in rural or semi-urban areas who may not be internet-literate. For this rapidly expanding demographic, spotting the difference between a genuine URL (e.g., sbi.co.in) and a malicious, lookalike site (e.g., sbi-online.co) can be nearly impossible. Furthermore, MHA data on major investment scams (a common phishing tactic) shows that the financially active working-age population (30-60 years) accounted for over 76% of victims, demonstrating that cybercriminals are exploiting both new users and seasoned professionals alike. This confusion leads to significant financial losses and severely erodes the fundamental public trust needed for a functioning digital economy.
The .bank.in solution
The core function of the .bank.in domain is to serve as a universal "Digital Trust Signal." The RBI's mandate creates a Restricted and Verified TLD (Top-Level Domain), a simple, non-negotiable standard that instantly validates a website's authenticity.
The mechanism is powerful because it establishes an exclusive digital address. Unlike generic domains (like .com or .in) that anyone can buy, the .bank.in domain is only available to entities that hold a valid banking license from the RBI.
Crucially, the verification and registration process is centralized. The IDRBT (Institute for Development and Research in Banking Technology) acts as the exclusive registrar, ensuring that only verified financial institutions can secure this digital real estate.
This mandate effectively simplifies security for the customer into one, clear rule: if the website address does not end in .bank.in, it is not the bank's official net banking portal. This singular rule is the new shield, drastically cutting the lifeline of common phishing and spoofing techniques.
A global and national imperative
The decision to adopt a restricted TLD is a reflection of global security standards. This move mirrors similar high-security, segregated domains like the global .bank TLD used in developed financial markets, ensuring Indian banks are aligning with world-class security protocols.
On a national level, this action is essential for sustaining the "Digital India" imperative.
The government's push for greater financial inclusion must be paired with an equal commitment to public safety. Security must be an inherent feature that scales with access, ensuring that every citizen can use the digital ecosystem without the constant fear of fraud.
.bank.in kicks in from October 31, 2025
To convey the central bank's seriousness and urgency, the RBI has set a firm deadline: all banks must complete the migration of their net banking services to the exclusive domain no later than October 31, 2025. It means to recheck the new website URLs for your bank's netbanking portal, and more. Here are a few examples below for now…
| Bank Name | Official .bank.in URL |
| State Bank of India | https://onlinesbi.sbi.bank.in |
| Indian Bank | https://indianbank.bank.in |
| Indian Overseas Bank | https://iob.bank.in |
| Canara Bank | https://canarabank.bank.in |
| Punjab National Bank | https://pnb.bank.in |
| HDFC Bank | https://hdfc.bank.in |
| Yes Bank | https://yesbank.bank.in |
| Bank of Baroda | https://bankofbaroda.bank.in |
| Bank of India | https://bankofindia.bank.in |
| Union Bank of India | https://unionbank.bank.in |
Of course, more banks will come online with their new .bank.in domain websites by October 31, 2025, as is required by RBI's directive. This mandate requires public awareness now.
Banks will soon begin the process of redirecting traffic from their legacy addresses, making the .bank.in URL the sole, verified, and trusted destination for all official net banking portals. For millions of customers, identifying a legitimate bank website will no longer require sophisticated internet knowledge - it will just require looking for those six simple characters: .bank.in.
source: Digit
No comments:
Post a Comment