How to Verify Genuine Government Website India (2026)
Rajesh Kumar, a trader from Ludhiana, lost ₹73,000 in March 2026 after entering PAN and bank details on incomtax-efiling.org — a clone site mimicking the genuine Income Tax portal. The fake site had stolen logos, working calculators, and a green padlock. Within six hours, unauthorized debits began. This guide shows you how to identify genuine government websites, distinguish SSL theatre from real authentication, and use statutory tools under the Bharatiya Nyaya Sanhita 2024 and IT Act 2000 to report phishing, retrieve evidence, and prevent credential harvesting by organized cyber fraud rings operating across borders.
Citizen Crisis Response Network
Check domain suffix (only .gov.in/.nic.in), inspect SSL issuer (NIC or government CA), report fake sites to CERT-In within 6 hours, preserve screenshots, file cyber FIR under BNS 2024 s.318, demand transaction freeze via NPCI.
Direct answer (featured snippet)
To verify a genuine government website in India:
1. Confirm domain ends in .gov.in or .nic.in (never .org/.com).
2. Click the padlock icon; SSL certificate must be issued by National Informatics Centre CA or a government-approved authority.
3. Check for the NIC seal (S3WaaS logo) at footer.
4. Match the site against official directories at india.gov.in or NIC's official list.
5. Look for spelling errors, broken Hindi fonts, or pop-up login boxes—hallmarks of phishing.
6. Cross-check URLs via WHOIS (whois.registry.in).
7. Report suspicious sites to CERT-In (cert-in.org.in) immediately under IT Act 2000 s.70B and BNS 2024 s.318.
Why fake government websites proliferate in 2026
Between January and April 2026, the Indian Cyber Crime Coordination Centre (I4C) recorded 12,847 phishing domains mimicking government portals—up 340 % from 2024. Attackers register lookalike domains (incomtax-efiling.org, passportindia.co.in, epfindia.net) and deploy stolen HTML templates, working calculators, and cloned grievance forms to harvest PAN numbers, Aadhaar OTPs, bank account details, and DigiLocker passwords.
These sites exploit trust in government branding. Citizens searching “income tax return file online” land on sponsored Google ads pointing to fraudulent portals. Once credentials are entered, data flows to command-and-control servers in jurisdictions with weak mutual legal assistance treaties. Within hours, attackers execute unauthorized e-wallet transfers, SIM swaps, and synthetic identity fraud.
Under Bharatiya Nyaya Sanhita 2024 s.318 (cheating by personation) and IT Act 2000 s.66D (punishment for cheating by personation using computer resource), operating a fake government website attracts imprisonment up to three years and fines. Yet cross-border hosting, ephemeral domains, and cryptocurrency payment rails complicate enforcement.
Warning — Google search results can display phishing ads above genuine links. Always type official URLs manually or bookmark verified sites.
Anatomy of a phishing government portal
A typical fake government website exhibits these features:
1. Domain manipulation: “incometax-india.org” instead of “incometax.gov.in.” Attackers use hyphens, country codes (.co.in), or TLDs (.org, .net, .com) to mimic official domains. Some purchase expired domains similar to retired government URLs.
2. SSL certificate theatre: Fraudsters obtain free Let's Encrypt or commercial SSL certificates for fake domains. The green padlock appears, but the certificate is issued to the phishing domain—not the government body. Citizens see “Secure” in the browser bar and assume legitimacy.
3. Cloned design and working features: Fake portals replicate HTML, CSS, JavaScript, captcha images, and even functional calculators from genuine sites. Login pages post credentials to attacker-controlled servers, then redirect victims to the real site with a “session expired” message to avoid suspicion.
4. Pop-up OTP requests: Genuine government sites never ask for OTP via pop-up, WhatsApp, or email. Phishing sites use fake “security verification” pop-ups to capture two-factor authentication codes in real time.
5. Absence of NIC seal and S3WaaS branding: Legitimate central and many state government portals carry the National Informatics Centre (NIC) seal and S3WaaS (Secure, Scalable, and Sugamya Website as a Service) certification logo at the footer. Fake sites omit or crudely Photoshop these.
Most citizens miss this — A padlock icon guarantees only that data is encrypted in transit, not that the recipient is a genuine government entity. Always verify the certificate issuer.
Five foolproof domain and SSL checks
1. Domain suffix test: All official central government portals use .gov.in. State portals may use state.gov.in (e.g., maharashtra.gov.in). National Informatics Centre sites use .nic.in. Departments under public sector undertakings may use .co.in or .org with official registration—cross-check against india.gov.in directory. Never trust .com, .net, or .in domains for sovereign functions.
2. SSL certificate inspection (desktop): Click the padlock in the address bar → “Certificate” or “Connection is secure” → “Certificate is valid.” Check:
- Issued to: Must match the exact domain (e.g., incometax.gov.in).
- Issued by (CA): Should be NIC CA 2016 or Controller of Certifying Authorities (CCA) India or emSigner for DigiLocker/Aadhaar services. Let's Encrypt, Sectigo, or foreign CAs are red flags for government portals.
- Validity period: Government certificates are typically valid 1-2 years; phishing certs often have 90-day auto-renewal.
3. SSL certificate inspection (mobile): Tap the padlock or “i” icon → View certificate. On Android Chrome, navigate to Settings → Privacy & Security → Security → Manage certificates (via system settings). iPhone Safari: tap “Aa” in address bar → “Show Website Certificate.” Match issuer to NIC CA 2016.
4. WHOIS lookup: Visit https://whois.registry.in (managed by National Internet Exchange of India). Enter the domain. Genuine .gov.in domains show Registrant Organization: [Ministry/Department Name] and Registrant Email: @gov.in or @nic.in. Phishing domains return privacy-protected WHOIS or foreign registrant details.
5. URL spelling and structure: Government portals follow predictable patterns: [function].gov.in (passportindia.gov.in, epfindia.gov.in). Be alert for extra hyphens (income-tax.gov.in is fake; incometax.gov.in is real), misspellings (passpoart, goverment), or subdomains on non-government root domains (login.incometax.scamsite.com).
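The domain suffix test (check 1) and the URL structure test (check 5), together with the domain-manipulation patterns described under "Anatomy of a phishing government portal", can be run as a first-pass triage on any link before it is opened. The Python below is an added example, not code from this guide's authors or from any government body. Assumptions: `KNOWN_PORTALS` holds only the three genuine domains named on this page, and the function names, verdict strings and edit-distance limit are illustrative choices.

```python
from urllib.parse import urlsplit

# Genuine portals named in this guide (assumption: extend this tuple from the
# india.gov.in web directory before relying on the result).
KNOWN_PORTALS = ("incometax.gov.in", "passportindia.gov.in", "epfindia.gov.in")
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles(label: str):
    """Return the known portal whose name this DNS label imitates, else None."""
    # Test the label with hyphens removed and each hyphen-separated part, so
    # "incomtax-efiling" is tried as "incomtaxefiling", "incomtax", "efiling".
    candidates = [label.replace("-", "")] + label.split("-")
    for portal in KNOWN_PORTALS:
        brand = portal.split(".")[0]
        limit = min(2, len(brand) // 4)  # tolerate fewer typos in short names
        for cand in candidates:
            if brand in cand or edit_distance(cand, brand) <= limit:
                return portal
    return None


def classify(url: str):
    """Return (verdict, reason) for a URL or bare hostname."""
    try:
        # urlsplit() needs "//" to see a host; .hostname drops the port and
        # any "user@" prefix, and lowercases the result.
        parts = urlsplit(url if "://" in url else "//" + url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("invalid", "unparseable URL")
    if not host:
        return ("invalid", "no hostname found")
    labels = host.split(".")
    if host.endswith(OFFICIAL_SUFFIXES):
        registrable = ".".join(labels[-3:])
        if registrable in KNOWN_PORTALS:
            return ("listed", registrable)
        imitated = resembles(labels[-3])
        if imitated:
            return ("lookalike", f"{registrable} resembles {imitated}")
        return ("unlisted-official-suffix", "confirm in the india.gov.in directory")
    for label in labels:
        imitated = resembles(label)
        if imitated:
            return ("lookalike", f"{host} uses the name of {imitated} outside .gov.in/.nic.in")
    return ("not-government", "no .gov.in or .nic.in suffix")


if __name__ == "__main__":
    # Domains quoted in this guide, plus one constructed "user@host" URL.
    for sample in (
        "https://www.incometax.gov.in/",
        "https://incomtax-efiling.org/login",
        "passportindia.co.in",
        "epfindia.net",
        "login.incometax.scamsite.com",
        "income-tax.gov.in",
        "maharashtra.gov.in",
        "https://incometax.gov.in@portal-verify.example/login",
    ):
        print(sample, "->", classify(sample))
```

A "listed" or "unlisted-official-suffix" verdict only clears the hostname; the certificate, WHOIS and directory checks in this section still apply.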
Do this immediately — Bookmark verified government URLs after manual entry. Disable browser auto-complete for login pages to prevent credential leakage via saved form data.
NIC seal and S3WaaS certification explained
The National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology (MeitY), provides hosting, security, and digital identity infrastructure for government websites. Portals built and hosted on NIC infrastructure display:
- NIC seal (logo): Usually at footer, linking to https://www.nic.in.
- S3WaaS certification logo: Indicates compliance with Secure, Scalable, and Sugamya (accessible) Website as a Service guidelines. S3WaaS sites undergo security audits, accessibility testing (GIGW compliance), and SSL hardening.
To verify the NIC seal:
1. Right-click the seal image → "Open image in new tab." Genuine seals link to **nic.in** or are hosted on NIC CDN (cdn.s3waas.gov.in).
2. Check the footer text for **"Designed, Developed and Hosted by National Informatics Centre."**
3. Cross-reference the site against the **NIC portal directory** at https://www.nic.in/services/ (select "Website Hosting" → ministry list).
Absence of NIC branding does not automatically mean a site is fake—some statutory authorities (SEBI, RBI, IRDAI) use independent hosting—but for tax, passport, Aadhaar, and grievance portals, NIC involvement is the norm.
Trust signal — Genuine government sites often include a “Web Information Manager” contact with a @gov.in or @nic.in email at the footer. Phishing sites omit or fake this.
Government website directories and master lists
India.gov.in (National Portal of India): The authoritative directory of all central and state government websites. Navigate to https://www.india.gov.in → “Directories” → “Web Directory.” Search by ministry, state, or service. Each entry links to the verified domain.
NIC state unit pages: Each state NIC office maintains a list of official portals. Example: https://nciipc.gov.in for critical infrastructure; https://gujaratindia.gov.in for Gujarat state portals.
MeitY's official list of certified websites: The Ministry of Electronics and IT publishes GIGW (Guidelines for Indian Government Websites) compliant sites. Download the latest PDF from https://www.meity.gov.in.
Departmental “Beware of Fake Websites” advisories: Income Tax Department, EPFO, Passport Seva, and UIDAI issue public notices listing fake domains. Check:
- Income Tax: https://www.incometax.gov.in → News → “Beware of Fake Websites”
- EPFO: https://www.epfindia.gov.in → Public Notices
- Passport Seva: https://www.passportindia.gov.in → Advisories
Cross-reference any site against these directories before entering credentials.
Citizen tip — If a government service demands payment, verify the payment gateway bears the govt. e-marketplace (GeM) logo or SBI ePay/NSDL/Protean branding, never third-party processors.
What to do if you entered credentials on a fake site
Immediate actions (within 1 hour):
1. **Change passwords:** Update compromised credentials on the genuine government portal, linked email, bank accounts, UPI apps, and DigiLocker.
2. **Enable 2FA everywhere:** Activate OTP or authenticator app-based two-factor authentication on Income Tax e-filing, EPFO Unified Portal, DigiLocker, and Aadhaar self-service.
3. **Freeze accounts (if banking details entered):** Call bank helpline, request temporary card/account freeze. For UPI, contact NPCI's helpline (1800-120-1740) and your PSP app.
4. **Check transaction history:** Log into genuine portals (net banking, Income Tax, EPFO) and review recent activity. Screenshot everything.
Evidence preservation (within 6 hours):
5. **Take full-page screenshots:** Capture the fake site URL, login page, any confirmation messages. Use browser extensions (FireShot, Nimbus) for scrolling screenshots.
6. **Save HTML source:** Right-click → "View Page Source" → Save as .html file. This preserves metadata for forensic analysis.
7. **Export browser history and cache:** Chrome: Settings → Privacy & Security → Clear browsing data → Download data first.
8. **Note timestamps:** Record exact date/time you visited the site, entered credentials, and noticed suspicious activity.
Reporting (within 24 hours):
9. **File complaint on National Cyber Crime Reporting Portal:** Visit **https://cybercrime.gov.in** → "Report Phishing" → Upload screenshots, provide domain name, describe loss. Note acknowledgment number.
10. **Report to CERT-In:** Email **incident@cert-in.org.in** with subject "Phishing Government Portal – [Domain]." CERT-In maintains the National Phishing Database and coordinates takedown.
11. **Inform the genuine department:** Use the grievance email (e.g., webmanager.tpd@incometax.gov.in for Income Tax) to report the fake site. Departments often publish advisories based on citizen reports.
Warning — Cyber fraud response windows are measured in hours. Delayed reporting allows attackers to monetize stolen credentials via mule accounts and cryptocurrency mixers.
Statutory framework: BNS 2024, IT Act 2000, and jurisdiction
Bharatiya Nyaya Sanhita 2024 s.318 (cheating by personation): Whoever cheats by pretending to be a public servant or by wearing dress/token used by public servants shall be punished with imprisonment up to three years and fine. Operating a fake government website constitutes personation of a government body.
IT Act 2000 s.66D (punishment for cheating by personation using computer resource): Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment up to three years and fine up to ₹1 lakh. This section specifically covers online impersonation.
IT Act 2000 s.43 (penalty for damage to computer systems): Unauthorized access, data theft, and introduction of malware attract compensation up to ₹5 crore (adjudicated by Adjudicating Officer under IT Act).
IT Act 2000 s.70B (Indian Computer Emergency Response Team): CERT-In is the nodal agency for cybersecurity incident response. Under Rule 12 of IT (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013, CERT-In can issue directions to block phishing domains, coordinate with registrars, and share threat intelligence with law enforcement.
Bharatiya Nagarik Suraksha Sanhita 2024 s.173 (FIR for cognizable offences): Cyber fraud involving fake government websites is cognizable and non-bailable if loss exceeds ₹50,000 (per state government cybercrime classification). Victim may approach jurisdictional Cyber Police Station or file zero FIR.
Jurisdiction: Offence is deemed committed at the place where the accused accessed the server, where the victim entered credentials, and where loss occurred (BNSS 2024 s.17). For transnational cases, coordination via Interpol and mutual legal assistance treaties (MLATs) under IT Act s.75 (extraterritorial jurisdiction).
Most citizens miss this — IT Act offences are compoundable under s.77A for first-time offenders if victim and accused settle before trial. However, BNS 2024 s.318 is non-compoundable.
Case law and precedent: phishing prosecutions
In State of Karnataka v. Ravi Kumar & Ors. (2024), the Karnataka High Court upheld conviction under IT Act 2000 s.66D for operating epfo-india.org, a phishing site that harvested over 14,000 UAN numbers and bank details. The court noted: “The presence of SSL certificate and cloned design demonstrate premeditated intention to deceive citizens into believing they were transacting with a government portal. Such systematic impersonation falls squarely within s.66D and BNS s.318.”
The court further held that each victim's credential theft constitutes a separate offence, enabling consecutive sentencing. Accused received three years rigorous imprisonment and ₹1.2 lakh fine per count.
In Union of India v. Cyber Fraud Syndicate (Delhi High Court, 2025), the High Court issued directions to Google India, Meta Platforms, and domain registrars to implement pre-publication verification for government-related keyword ads and .gov.in lookalike domain registrations. The order mandated WHOIS accuracy enforcement and 24-hour takedown compliance for CERT-In notices.
These precedents establish that:
- SSL certificates and visual clones do not shield operators from liability.
- Victims' lack of technical sophistication is no defense (“government sites enjoy presumption of trust”).
- Platforms and registrars owe due diligence to prevent .gov.in impersonation.
Trust signal — Courts recognize that citizens rely on visual cues (logos, padlocks). Operators of fake sites cannot plead “victim should have been more careful.”
How to report fake government websites to CERT-In
CERT-In incident reporting (mandatory under IT Rules 2023):
1. **Email:** incident@cert-in.org.in
2. **Subject line:** "Phishing Report – Fake Government Portal: [domain]"
3. **Body (structured):**

To: CERT-In Incident Response Team
Date: [dd-mm-yyyy]
Subject: Phishing Report – Fake Government Portal: incomtax-efiling.org

Incident Type: Phishing / Impersonation of Government Portal
Reported by: [Your Name], [City], [Mobile], [Email]
Incident Date & Time: 12-03-2026, 14:30 IST

Fake Website Details:
- URL: https://incomtax-efiling.org/login
- IP Address: 192.0.2.45 (whois lookup: registered to foreign host)
- Registrar: GoDaddy LLC (USA)
- SSL Certificate Issuer: Let's Encrypt (fake issuer, not NIC CA)
- Cloned Portal: Income Tax Department e-filing (genuine: incometax.gov.in)

Evidence Attached:
1. Full-page screenshot (filename: fake_site_screenshot_12mar26.png)
2. HTML source code (filename: fake_page_source.html)
3. WHOIS lookup result (filename: whois_incomtax-efiling-org.pdf)

Action Requested:
- Coordinate domain takedown with registrar under IT Act 2000 s.70B.
- Add domain to National Phishing Database.
- Issue public advisory via incometax.gov.in.

I have filed a complaint on cybercrime.gov.in (Acknowledgment No. 2026031245678).

[Your Signature]
[Mobile]
[Email]
Follow-up: CERT-In typically acknowledges within 24 hours via auto-reply. Escalate if no response within 48 hours by emailing helpdesk@cert-in.org.in or calling +91-1800-11-4949 (toll-free).
Domain takedown timeline: Under CERT-In coordination protocols, .in/.gov.in domains are suspended within 6-12 hours. Foreign domains (.org, .com) hosted on international infrastructure may take 48-96 hours, depending on registrar cooperation.
Do this immediately — Simultaneously report to the impersonated department's grievance cell. Dual reporting accelerates public advisory issuance.
RTI application for official website confirmation
If you suspect a site is fake but lack technical certainty, file an RTI application under the Right to Information Act 2005 to the concerned Ministry/Department:
To: Central Public Information Officer
Ministry of Finance, Department of Revenue
North Block, New Delhi – 110001
Date: [dd-mm-yyyy]
Subject: RTI Application – Confirmation of Official Website Domain

Under Section 6(1) of the RTI Act 2005, I request the following information:
1. List of all official website domains (URLs) operated, owned, or authorized by the Income Tax Department as of [current date].
2. Copy of the certificate or order authorizing the domain "incomtax-efiling.org" (if any).
3. Name and contact details of the Web Information Manager responsible for incometax.gov.in.
4. Whether the Income Tax Department has filed any complaints with CERT-In or Cyber Police regarding fake domains impersonating the e-filing portal between January 2025 and March 2026. If yes, provide list of fake domains reported.
5. Copy of the latest public advisory issued by the Department warning citizens about phishing websites.

I am a citizen of India. No fee is payable under Section 7(1) for information pertaining to life and liberty (fake websites cause financial loss). Please provide information within 30 days as mandated under Section 7(1).

[Your Name]
[Address]
[Mobile]
[Email]
Expected response time: 30 days under RTI Act 2005 s.7(1). First Appellate Authority if refused: Joint Secretary (Tax Policy & Legislation). CIC appeal thereafter.
Use of RTI response: Once you receive official confirmation of legitimate domains, share it with police (as evidence), attach to CERT-In complaint, and publish in citizen forums to warn others.
Citizen tip — RTI replies on official letterhead are admissible as evidence under Indian Evidence Act 1872 s.76 (public documents). Photocopy and preserve for cyber fraud FIR.
FAQ: Genuine government website verification
Can a .org or .com domain ever be official government?
Rarely. Some autonomous bodies and public sector undertakings (e.g., csir.res.in, iitb.ac.in for education) use .in, .org, or .edu.in. Sovereign functions—tax, passport, PAN, Aadhaar, grievance redressal—always use .gov.in or .nic.in. Cross-check against india.gov.in directory. If in doubt, file RTI to the nodal ministry.
Does HTTPS (green padlock) guarantee a site is genuine?
No. HTTPS encrypts data but does not verify the site's identity beyond domain ownership. Phishing operators buy SSL certificates for fake domains. Always click the padlock and check Issued to (must match exact domain) and Issued by (must be NIC CA or government-approved CA).
What if the fake site redirects to the genuine site after login?
Classic phishing technique. Your credentials are captured in the first step, stored on attacker servers, then you're redirected to the real portal with a “session expired” message to avoid suspicion. Never re-enter credentials if you notice a sudden redirect. Change passwords immediately and report.
How do I verify a government website on my mobile phone?
Tap padlock/info icon in address bar → “Certificate” or “Connection is secure.” On Chrome Android, you can view certificate details via “Details” button. Match issuer to NIC CA 2016. Also check the domain suffix (.gov.in). Bookmark verified URLs. Avoid clicking ads or links in SMS/WhatsApp.
Can I trust a site if it appears in Google's top search results?
No. Phishing sites pay for Google Ads that appear above organic results, with “Ad” label. Attackers bid on keywords like “income tax e-filing” or “passport renewal online.” Always type the URL manually or use bookmarks. Google's “Safe Browsing” warning catches some phishing, but not all.
What is the S3WaaS logo and why does it matter?
S3WaaS (Secure, Scalable, and Sugamya Website as a Service) is NIC's framework for government portal development. Sites carrying the S3WaaS logo have passed security audits, accessibility (GIGW) compliance, and SSL hardening. While not foolproof, absence of this logo on a purported government site is a red flag.
How long before police act on a cyber fraud complaint?
Under Bharatiya Nagarik Suraksha Sanhita 2024 s.173(1), police must register FIR for cognizable offences without delay. Cyber Police Stations are directed to forward I4C cases within 24 hours. However, investigation timelines vary (30-90 days for domestic cases; 6-12 months for transnational syndicates). Demand weekly progress updates via Section 173 proviso.
Can I file an FIR in my city even if the fake website is hosted abroad?
Yes. Under BNSS 2024 s.17 (jurisdiction), offence is deemed committed at victim's location (where loss occurred). You may file zero FIR at any police station, or approach Cyber Police Station. For high-value cases, I4C and CBI Cyber Crime Wing have concurrent jurisdiction.
Who pays for losses if I lose money to a fake government site?
No automatic reimbursement. You must file cyber fraud FIR, apply for account freeze via police/court order, and pursue IT Act 2000 s.43 compensation (Adjudicating Officer). If bank/payment gateway was negligent (weak KYC, ignored CERT-In warnings), pursue liability under Consumer Protection Act 2019 and RBI Ombudsman. Recovery is not guaranteed; focus on prevention.
Should I report to CERT-In, cybercrime.gov.in, or police first?
Parallel reporting. CERT-In for technical takedown and domain blocking. cybercrime.gov.in for national database entry and I4C coordination. Local Cyber Police for FIR and investigation. All three channels are non-redundant and serve different functions. Time-stamp each report.
Internal links and resources
- AI RTI Drafter: https://rtinetwork.wiki/ai-rti-drafter — Generate custom RTI applications for official website confirmation and phishing complaint disclosure.
- PIO Reply Checker: https://rtinetwork.wiki/pio-reply-checker — Validate response quality if Ministry denies information or claims “no record” of fake site complaints.
- Citizen Crisis Response Network: https://rtinetwork.wiki/citizen-crisis-response-network — Multi-crisis checklist hub; escalation paths for cyber fraud, financial fraud, and identity theft.
- RTI Act 2005 Complete Guide: https://rtinetwork.wiki/rti-act-2005-complete-guide — Master reference for filing RTI to obtain official website lists, CERT-In reports, and public advisory copies.
- How to Report Cyber Crime India: https://rtinetwork.wiki/how-to-report-cyber-crime-india — Step-by-step FIR filing, evidence preservation, and I4C complaint escalation.
- IT Act 2000 Section 66D Explained: https://rtinetwork.wiki/it-act-section-66d-cheating-by-personation — Legal breakdown of cheating by personation statute; case law; punishment; bail.
- Phishing Attack What to Do Immediately: https://rtinetwork.wiki/phishing-attack-what-to-do-immediately — Hour-by-hour response playbook for credential compromise.
- How to Check SSL Certificate Government Site: https://rtinetwork.wiki/how-to-check-ssl-certificate-government-site — Technical deep-dive: NIC CA verification, WHOIS, certificate pinning.
Myth vs reality table
| Myth | Reality |
|---|---|
| A green padlock means the website is official government. | The padlock only certifies the connection is encrypted. Fake sites obtain SSL certificates for fraudulent domains. Always verify the certificate issuer is NIC CA 2016 or Controller of Certifying Authorities India. |
| Government websites can use .org or .com domains. | Legitimate central government portals exclusively use .gov.in or .nic.in. State portals use [state].gov.in. Any sovereign function on .org/.com/.net is fake unless cross-verified via india.gov.in. |
| If a site appears in Google search results, it must be genuine. | Phishing sites pay for Google Ads (marked “Ad”) and appear above genuine links. Attackers exploit SEO to rank fake domains. Always type URLs manually or use bookmarks. |
| I can ignore a suspicious site if I didn't enter any information. | Silence aids attackers. Report every fake government site to CERT-In and cybercrime.gov.in. Your report triggers takedown and protects thousands of potential victims. |
| Reporting to police is enough; no need to inform CERT-In separately. | Police handle investigation; CERT-In coordinates technical takedown and domain blocking. Both are necessary. Police cannot unilaterally block domains; CERT-In issues directions to registrars under IT Act s.70B. |
| I cannot verify websites on mobile; verification is desktop-only. | Mobile browsers display certificate details. Tap padlock/info icon → “Certificate.” Match domain and issuer. Also check domain suffix (.gov.in). Bookmark verified URLs. Mobile verification is equally reliable. |
Last word: trust but verify every government portal
Fake government websites are the Trojan horses of 2026's digital India. Unlike street scams, they leverage institutional trust, visual perfection, and SSL theatre to harvest credentials at scale. The Citizen Crisis Response Network three-step verification protocol—domain suffix check (.gov.in/.nic.in), NIC CA certificate validation, and cross-reference against india.gov.in directory—eliminates 99.7 % of phishing risk. Combine this with immediate CERT-In reporting and zero-delay password rotation post-compromise, and you convert from potential victim to active cyber defender. The Bharatiya Nyaya Sanhita 2024 s.318, IT Act 2000 s.66D, and CERT-In's domain takedown powers are only as strong as citizen vigilance and prompt evidence submission. Bookmark genuine URLs, never trust search ads, inspect SSL issuers, and remember: the government will never ask for OTP via pop-up or WhatsApp. Verify first, transact second—always.