Mumbai: Facing an unprecedented surge in online fraud and phishing scams, the Reserve Bank of India is requiring all banks to migrate to verified .bank.in domains by October 31, 2025, a move that could redefine digital trust in the country’s financial system.
A Decisive Step Against a Digital Epidemic
In a decisive move to protect consumers from the rising tide of online fraud, the Reserve Bank of India (RBI) has introduced an exclusive internet domain for banks: .bank.in. Announced in February 2025 and opened for registration in April, the directive is a direct response to the escalating wave of phishing, spoofing, and impersonation attacks targeting both urban professionals and first-time digital users.
The RBI’s move comes amid sobering statistics. According to its Annual Report for FY25, the total value of bank frauds in India soared to ₹36,014 crore, nearly triple the previous year’s figure. Digital payment frauds — involving cards, UPI, and internet banking — accounted for over 56.5% of all reported cases. The Ministry of Home Affairs (MHA) estimated that ₹7,000 crore was lost to online scams in just the first five months of 2025.
The central bank’s message is clear: the internet can no longer be treated as a neutral ground. It is now a contested space — one where financial security, national credibility, and consumer confidence intersect.
The Attack Surface Is Expanding
The RBI’s domain mandate stems from a deeper anxiety within India’s digital economy: the sheer scale of its vulnerability. While digital platforms such as UPI and mobile banking have empowered over 400 million users, they have also created a vast, porous attack surface that cybercriminals exploit with increasing sophistication.
Victims of these scams are not only rural newcomers to digital banking but also the financially active middle class — professionals between 30 and 60 years of age who account for more than three-fourths of all cyber-fraud victims, according to MHA data. Spotting a fake website — say, sbi-online.co instead of sbi.co.in — can be nearly impossible, even for seasoned users.
The .bank.in system simplifies this challenge into one rule: if it doesn’t end in .bank.in, it isn’t your bank.
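The one-rule check above, written as an added example (not code from the RBI, IDRBT or any bank): the hypothetical function `bank_in_host` applies the rule to whole DNS labels of the parsed hostname rather than to the URL text. Requiring `https` is an assumption of this sketch, and every sample URL other than those quoted in the article is constructed.

```python
from urllib.parse import urlsplit

TRUSTED_SUFFIX = ("bank", "in")  # labels of the .bank.in zone named in the article


def bank_in_host(url):
    """Return the normalised hostname if url is an https URL inside .bank.in, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any userinfo ("user@") and port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:  # https-only is this sketch's assumption
        return None
    host = host.rstrip(".")  # a fully qualified name may carry a trailing dot
    try:
        # Non-ASCII lookalike letters become "xn--" labels and stop matching.
        host = host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None
    labels = host.split(".")
    # Compare whole labels: a substring or endswith("bank.in") test would also
    # accept "hdfcbank.in" and "hdfc.bank.in.example.net".
    if len(labels) < 3 or any(not label for label in labels):
        return None
    if tuple(labels[-2:]) != TRUSTED_SUFFIX:
        return None
    return host


# Constructed sample inputs; example.net stands in for an unrelated site.
SAMPLES = [
    "https://hdfc.bank.in/login",         # accepted
    "https://HDFC.BANK.IN./netbanking",   # accepted after normalisation
    "https://sbi-online.co",              # the article's fake-site example
    "https://hdfc.bank.in.example.net/",  # suffix appears mid-name only
    "https://hdfcbank.in/",               # no label boundary before "bank"
    "https://hdfc.bank.in@example.net/",  # trusted name sits in userinfo
    "https://hdfc.b\u0430nk.in/",         # Cyrillic "a" inside the "bank" label
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{'ACCEPT' if bank_in_host(url) else 'REJECT':7} {url!r}")
```

A match only confirms that the hostname sits inside the restricted zone; it says nothing about the page content or the state of the bank's own servers.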
The .bank.in Solution
At its core, the .bank.in domain functions as a “Digital Trust Signal.” Unlike generic domains such as .com or .in, which anyone can purchase, .bank.in is a Restricted and Verified Top-Level Domain (TLD) — available only to licensed financial institutions under the RBI’s supervision.
Every domain registration is verified by the Institute for Development and Research in Banking Technology (IDRBT), the exclusive registrar that authenticates every applicant’s banking license before approval. This ensures that a website ending in .bank.in cannot be operated by scammers, brokers, or unverified intermediaries. It creates a closed digital ecosystem, where authenticity is non-negotiable and trust is instantly visible in a web address.
By October 31, 2025, banks will begin redirecting users from their old domains to new verified URLs such as https://onlinesbi.sbi.bank.in, https://hdfc.bank.in, https://pnb.bank.in, and https://unionbank.bank.in, among others. For India’s 600 million internet banking users, this shift marks the dawn of a simpler cybersecurity rulebook: six characters, .bank.in, as the line between legitimacy and fraud.
A Global and National Imperative
The RBI’s move mirrors similar high-security protocols used in developed markets, where .bank TLDs act as a segregated digital perimeter for financial institutions. It aligns Indian banking security with global standards while reinforcing the government’s Digital India mission, a commitment to make inclusivity and safety coexist in the same financial ecosystem.
Yet the challenge ahead is not just technological. It is social. For millions of first-time digital users, particularly in rural and semi-urban India, the success of .bank.in will depend on awareness. As the RBI noted in its circular, “This mandate requires public awareness now.”
