How to Verify a Genuine Government Website in India (2026)

Rajesh Kumar, a trader from Ludhiana, lost money after entering PAN and bank details on incomtax-efiling.org — a clone site mimicking the genuine Income Tax portal. The fake site had stolen logos, working calculators, and a green padlock. Within hours, unauthorized debits began. This guide shows you how to identify genuine government websites, distinguish SSL theatre from real authentication, and use statutory tools under the Bharatiya Nyaya Sanhita 2023 and IT Act 2000 to report phishing, retrieve evidence, and prevent credential harvesting by organized cyber fraud rings operating across borders.

Citizen Crisis Response Network

Check domain suffix (only .gov.in/.nic.in), inspect SSL issuer (NIC or government CA), report fake sites to CERT-In promptly, preserve screenshots, file a cyber FIR, demand transaction freeze via your bank and NPCI.

To verify a genuine government website in India:

1. Confirm the domain ends in .gov.in or .nic.in (never .org/.com).
2. Click the padlock icon; the SSL certificate must be issued by National Informatics Centre CA or a government-approved authority.
3. Check for the NIC seal (S3WaaS logo) at the footer.
4. Match the site against official directories at india.gov.in or NIC's official list.
5. Look for spelling errors, broken Hindi fonts, or pop-up login boxes—hallmarks of phishing.
6. Cross-check URLs via WHOIS (whois.registry.in).
7. Report suspicious sites to CERT-In (cert-in.org.in) immediately under IT Act 2000 s.70B and cybercrime.gov.in.

Why fake government websites proliferate in 2026

Phishing domains mimicking government portals remain a major cyber-fraud vector reported by the Indian Cyber Crime Coordination Centre (I4C). Attackers register lookalike domains (incomtax-efiling.org, passportindia.co.in, epfindia.net) and deploy stolen HTML templates, working calculators, and cloned grievance forms to harvest PAN numbers, Aadhaar OTPs, bank account details, and DigiLocker passwords.

These sites exploit trust in government branding. Citizens searching “income tax return file online” land on sponsored Google ads pointing to fraudulent portals. Once credentials are entered, data flows to command-and-control servers in jurisdictions with weak mutual legal assistance treaties. Within hours, attackers execute unauthorized e-wallet transfers, SIM swaps, and synthetic identity fraud.

Under IT Act 2000 s.66D (punishment for cheating by personation using computer resource) and the cheating provisions of the Bharatiya Nyaya Sanhita 2023, operating a fake government website attracts imprisonment up to three years and fines. Yet cross-border hosting, ephemeral domains, and cryptocurrency payment rails complicate enforcement.

Warning — Google search results can display phishing ads above genuine links. Always type official URLs manually or bookmark verified sites.

Anatomy of a phishing government portal

A typical fake government website exhibits these features:

1. Domain manipulation: “incometax-india.org” instead of “incometax.gov.in.” Attackers use hyphens, country codes (.co.in), or TLDs (.org, .net, .com) to mimic official domains. Some purchase expired domains similar to retired government URLs.

2. SSL certificate theatre: Fraudsters obtain free Let's Encrypt or commercial SSL certificates for fake domains. The green padlock appears, but the certificate is issued to the phishing domain—not the government body. Citizens see “Secure” in the browser bar and assume legitimacy.

3. Cloned design and working features: Fake portals replicate HTML, CSS, JavaScript, captcha images, and even functional calculators from genuine sites. Login pages post credentials to attacker-controlled servers, then redirect victims to the real site with a “session expired” message to avoid suspicion.

4. Pop-up OTP requests: Genuine government sites never ask for OTP via pop-up, WhatsApp, or email. Phishing sites use fake “security verification” pop-ups to capture two-factor authentication codes in real time.

5. Absence of NIC seal and S3WaaS branding: Legitimate central and many state government portals carry the National Informatics Centre (NIC) seal and S3WaaS (Secure, Scalable, and Sugamya Website as a Service) certification logo at the footer. Fake sites omit or crudely Photoshop these.

Most citizens miss this — A padlock icon guarantees only that data is encrypted in transit, not that the recipient is a genuine government entity. Always verify the certificate issuer.

Five foolproof domain and SSL checks

1. Domain suffix test: All official central government portals use .gov.in. State portals may use state.gov.in (e.g., maharashtra.gov.in). National Informatics Centre sites use .nic.in. Departments under public sector undertakings may use .co.in or .org with official registration—cross-check against india.gov.in directory. Never trust .com, .net, or .in domains for sovereign functions.

2. SSL certificate inspection (desktop): Click the padlock in the address bar → “Certificate” or “Connection is secure” → “Certificate is valid.” Check:

  • Issued to: Must match the exact domain (e.g., incometax.gov.in).
  • Issued by (CA): Should be NIC CA or Controller of Certifying Authorities (CCA) India or another government-approved CA for DigiLocker/Aadhaar services. Let's Encrypt, Sectigo, or foreign CAs are red flags for government portals.
  • Validity period: Government certificates are typically valid 1-2 years; phishing certs often have 90-day auto-renewal.

3. SSL certificate inspection (mobile): Tap the padlock or “i” icon → View certificate. On Android Chrome, navigate to Settings → Privacy & Security → Security → Manage certificates (via system settings). iPhone Safari: tap “Aa” in address bar → “Show Website Certificate.” Match the issuer to NIC CA.

4. WHOIS lookup: Visit https://whois.registry.in (managed by National Internet Exchange of India). Enter the domain. Genuine .gov.in domains show Registrant Organization: [Ministry/Department Name] and Registrant Email: @gov.in or @nic.in. Phishing domains return privacy-protected WHOIS or foreign registrant details.

5. URL spelling and structure: Government portals follow predictable patterns: [function].gov.in (passportindia.gov.in, epfindia.gov.in). Be alert for extra hyphens (income-tax.gov.in is fake; incometax.gov.in is real), misspellings (passpoart, goverment), or subdomains on non-government root domains (login.incometax.scamsite.com).
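
The domain-suffix and spelling checks (1 and 5) can be automated. The following is an added example, not code from this guide's authors: the three-entry allowlist is a constructed stand-in for the india.gov.in directory, and the function names and the 0.8 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Genuine portals named in this guide (constructed short list); a real check
# would load the india.gov.in web directory instead.
KNOWN_GENUINE = ("incometax.gov.in", "passportindia.gov.in", "epfindia.gov.in")
GOV_SUFFIXES = (".gov.in", ".nic.in")
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off for "looks like a known portal"


def hostname_of(url):
    """Lowercase hostname of a URL, tolerating input typed without a scheme.

    urlsplit() drops any 'user@' prefix, so 'https://incometax.gov.in@evil.example/'
    yields 'evil.example', the host the browser would actually contact.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def has_gov_suffix(host):
    """True only when the host ends in a whole '.gov.in' / '.nic.in' label pair,
    so 'incometax-gov.in' and 'incometax.gov.in.example.com' both fail."""
    return host.endswith(GOV_SUFFIXES)


def is_listed(host):
    """True if host is a listed genuine domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_GENUINE)


def resembles(host):
    """Return the listed domain whose name this host imitates, or None."""
    candidates = set()
    for label in host.split("."):
        candidates.add(label.replace("-", ""))  # income-tax -> incometax
        candidates.update(label.split("-"))     # incomtax-efiling -> incomtax
    for genuine in KNOWN_GENUINE:
        brand = genuine.split(".")[0]
        for cand in candidates:
            if SequenceMatcher(None, cand, brand).ratio() >= SIMILARITY_THRESHOLD:
                return genuine
    return None


def classify(url):
    """Return (verdict, detail) for a URL or bare hostname."""
    host = hostname_of(url)
    if is_listed(host):
        return ("listed", host)
    imitated = resembles(host)
    if imitated:
        return ("lookalike", imitated)  # borrows a listed portal's name
    if has_gov_suffix(host):
        return ("gov-suffix-unlisted", host)  # cross-check the directory
    return ("not-government", host)
```

A `gov-suffix-unlisted` verdict is a prompt to look the host up in the directory, not a finding that the site is fake.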

Do this immediately — Bookmark verified government URLs after manual entry. Disable browser auto-complete for login pages to prevent credential leakage via saved form data.

NIC seal and S3WaaS certification explained

The National Informatics Centre (NIC), under the Ministry of Electronics and Information Technology (MeitY), provides hosting, security, and digital identity infrastructure for government websites. Portals built and hosted on NIC infrastructure display:

  • NIC seal (logo): Usually at footer, linking to https://www.nic.in.
  • S3WaaS certification logo: Indicates compliance with Secure, Scalable, and Sugamya (accessible) Website as a Service guidelines. S3WaaS sites undergo security audits, accessibility testing (GIGW compliance), and SSL hardening.

To verify the NIC seal:

1. Right-click the seal image → "Open image in new tab." Genuine seals link to **nic.in** or are hosted on NIC infrastructure.
2. Check the footer text for **"Designed, Developed and Hosted by National Informatics Centre."**
3. Cross-reference the site against the **NIC portal directory** at https://www.nic.in (select "Services" → "Website Hosting").

Absence of NIC branding does not automatically mean a site is fake—some statutory authorities (SEBI, RBI, IRDAI) use independent hosting—but for tax, passport, Aadhaar, and grievance portals, NIC involvement is the norm.

Trust signal — Genuine government sites often include a “Web Information Manager” contact with a @gov.in or @nic.in email at the footer. Phishing sites omit or fake this.

Government website directories and master lists

India.gov.in (National Portal of India): The authoritative directory of all central and state government websites. Navigate to https://www.india.gov.in → “Directories” → “Web Directory.” Search by ministry, state, or service. Each entry links to the verified domain.

NIC state unit pages: Each state NIC office maintains a list of official portals. Example: https://nciipc.gov.in for critical infrastructure; https://gujaratindia.gov.in for Gujarat state portals.

MeitY's official list of certified websites: The Ministry of Electronics and IT publishes GIGW (Guidelines for Indian Government Websites) compliant sites. Reference the latest guidance at https://www.meity.gov.in.

Departmental “Beware of Fake Websites” advisories: Income Tax Department, EPFO, Passport Seva, and UIDAI issue public notices listing fake domains. Check:

Cross-reference any site against these directories before entering credentials.

Citizen tip — If a government service demands payment, verify the payment gateway bears the govt. e-marketplace (GeM) logo or recognised bank/Protean (NSDL) branding, never unfamiliar third-party processors.

What to do if you entered credentials on a fake site

Immediate actions (within 1 hour):

1. **Change passwords:** Update compromised credentials on the genuine government portal, linked email, bank accounts, UPI apps, and DigiLocker.
2. **Enable 2FA everywhere:** Activate OTP or authenticator app-based two-factor authentication on Income Tax e-filing, EPFO Unified Portal, DigiLocker, and Aadhaar self-service.
3. **Freeze accounts (if banking details entered):** Call your bank helpline, request a temporary card/account freeze. For cyber-fraud, also call the national helpline **1930** and your PSP/UPI app's support.
4. **Check transaction history:** Log into genuine portals (net banking, Income Tax, EPFO) and review recent activity. Screenshot everything.

Evidence preservation (within hours):

5. **Take full-page screenshots:** Capture the fake site URL, login page, any confirmation messages. Use browser extensions (FireShot, Nimbus) for scrolling screenshots.
6. **Save HTML source:** Right-click → "View Page Source" → Save as .html file. This preserves metadata for forensic analysis.
7. **Export browser history and cache:** Chrome: Settings → Privacy & Security → Clear browsing data → Download data first.
8. **Note timestamps:** Record exact date/time you visited the site, entered credentials, and noticed suspicious activity.

Reporting (within 24 hours):

9. **File complaint on National Cyber Crime Reporting Portal:** Visit **https://cybercrime.gov.in** → "Report Phishing" → Upload screenshots, provide domain name, describe loss. Note the acknowledgment number.
10. **Report to CERT-In:** Email **[email protected]** with subject "Phishing Government Portal – [Domain]." CERT-In coordinates incident response and takedown.
11. **Inform the genuine department:** Use the grievance email (e.g., the Web Information Manager contact published at incometax.gov.in for Income Tax) to report the fake site. Departments often publish advisories based on citizen reports.

Warning — Cyber fraud response windows are measured in hours. Delayed reporting allows attackers to monetize stolen credentials via mule accounts and cryptocurrency mixers.

Statutory framework: BNS 2023, IT Act 2000, and jurisdiction

IT Act 2000 s.66D (punishment for cheating by personation using computer resource): Whoever, by means of any communication device or computer resource, cheats by personation, shall be punished with imprisonment up to three years and fine up to ₹1 lakh. This section specifically covers online impersonation, such as a fake government portal harvesting credentials.

Bharatiya Nyaya Sanhita 2023 (cheating provisions): Cheating is defined and punished under BNS s.318 (cheating, with imprisonment up to three years, or fine, or both; up to seven years where the offender dishonestly induces delivery of property). Where a fraudster also pretends to be a public servant, BNS s.204 (personating a public servant) applies. Operating a fake government website to defraud citizens engages these provisions alongside the IT Act.

IT Act 2000 s.43 (penalty for damage to computer systems): Unauthorized access, data theft, and introduction of malware attract compensation (adjudicated by the Adjudicating Officer under the IT Act).

IT Act 2000 s.70B (Indian Computer Emergency Response Team): CERT-In is the nodal agency for cybersecurity incident response. Under the IT (CERT-In and Manner of Performing Functions and Duties) Rules 2013, CERT-In can issue directions, coordinate with registrars on phishing domains, and share threat intelligence with law enforcement.

Bharatiya Nagarik Suraksha Sanhita 2023 s.173 (information in cognizable cases / FIR): Cyber fraud involving fake government websites is a cognizable offence. Under s.173(1), information may be given irrespective of the area where the offence is committed, so a victim may register a “zero FIR” at any police station or approach a Cyber Police Station.

Jurisdiction: For cyber offences the place of the offence can include where the accused operated, where the victim entered credentials, and where the loss occurred; the relevant place-of-trial provisions of the BNSS 2023 apply. For transnational cases, coordination proceeds via Interpol and mutual legal assistance treaties (MLATs), with the IT Act's extraterritorial reach under IT Act s.75 applying where a computer resource located in India is involved.

Most citizens miss this — Certain IT Act offences are compoundable under s.77A in defined circumstances, but the more serious cheating and computer-related offences are treated as substantive crimes; do not assume a settlement ends criminal liability.

Case law and precedent: phishing prosecutions

Indian courts have consistently treated online impersonation and phishing as serious offences under IT Act s.66D and the cheating provisions of the penal law. The settled position from reported phishing prosecutions is straightforward:

  • The presence of an SSL certificate and a cloned design does not shield an operator from liability—if anything, a convincing clone shows premeditated intent to deceive.
  • A victim's lack of technical sophistication is not a defence; government sites enjoy a presumption of trust that fraudsters exploit.
  • Intermediaries, platforms, and domain registrars owe due-diligence obligations and must act on lawful takedown directions issued by CERT-In and the courts.

If you need authoritative citations for a specific FIR or prosecution, retrieve the current judgment text from a primary source such as indiankanoon.org or the relevant High Court website before relying on it.

Trust signal — Courts recognize that citizens rely on visual cues (logos, padlocks). Operators of fake sites cannot plead “the victim should have been more careful.”

How to report fake government websites to CERT-In

CERT-In incident reporting:

1. **Email:** [email protected]
2. **Subject line:** "Phishing Report – Fake Government Portal: [domain]"
3. **Body (structured):**
To: CERT-In Incident Response Team
Date: [dd-mm-yyyy]
Subject: Phishing Report – Fake Government Portal: incomtax-efiling.org

Incident Type: Phishing / Impersonation of Government Portal
Reported by: [Your Name], [City], [Mobile], [Email]
Incident Date & Time: [dd-mm-yyyy], [HH:MM] IST

Fake Website Details:
- URL: https://incomtax-efiling.org/login
- IP Address: [from your WHOIS / lookup]
- Registrar: [registrar name]
- SSL Certificate Issuer: [e.g., Let's Encrypt - not NIC CA]
- Cloned Portal: Income Tax Department e-filing (genuine: incometax.gov.in)

Evidence Attached:
1. Full-page screenshot (filename: fake_site_screenshot.png)
2. HTML source code (filename: fake_page_source.html)
3. WHOIS lookup result (filename: whois_incomtax-efiling-org.pdf)

Action Requested:
- Coordinate domain takedown with the registrar.
- Add domain to CERT-In's phishing records.
- Issue / support a public advisory via incometax.gov.in.

I have also filed a complaint on cybercrime.gov.in (Acknowledgment No. [your number]).

[Your Signature]
[Mobile]
[Email]

Follow-up: CERT-In typically acknowledges receipt by auto-reply. Escalate if there is no response by contacting CERT-In through the details published at https://www.cert-in.org.in or the toll-free number 1800-11-4949.

Domain takedown timeline: Indian .in/.gov.in domains can usually be suspended quickly once a registrar acts. Foreign domains (.org, .com) hosted on international infrastructure can take longer, depending on registrar cooperation.

Do this immediately — Simultaneously report to the impersonated department's grievance cell. Dual reporting accelerates public advisory issuance.

RTI application for official website confirmation

If you suspect a site is fake but lack technical certainty, file an RTI application under the Right to Information Act 2005 to the concerned Ministry/Department:

To: Central Public Information Officer
Ministry of Finance, Department of Revenue
North Block, New Delhi – 110001

Date: [dd-mm-yyyy]
Subject: RTI Application – Confirmation of Official Website Domain

Under Section 6(1) of the RTI Act 2005, I request the following information:

1. List of all official website domains (URLs) operated, owned, or authorized by the Income Tax Department as of [current date].

2. Copy of any certificate or order authorizing the domain "incomtax-efiling.org" (if any).

3. Name and contact details of the Web Information Manager responsible for incometax.gov.in.

4. Whether the Income Tax Department has filed any complaints with CERT-In or Cyber Police regarding fake domains impersonating the e-filing portal between January 2025 and March 2026. If yes, provide the list of fake domains reported.

5. Copy of the latest public advisory issued by the Department warning citizens about phishing websites.

I am a citizen of India.

Please provide information within 30 days as mandated under Section 7(1).

[Your Name]
[Address]
[Mobile]
[Email]

Expected response time: 30 days under RTI Act 2005 s.7(1). First Appeal lies to the designated First Appellate Authority of the Department if information is refused; a second appeal to the CIC thereafter.

Use of RTI response: Once you receive official confirmation of legitimate domains, share it with police (as evidence), attach it to your CERT-In complaint, and publish in citizen forums to warn others.

Citizen tip — Public documents are admissible as evidence; under the Bharatiya Sakshya Adhiniyam 2023 (s.74, which replaced s.74 of the Indian Evidence Act 1872) records of public officers are treated as public documents. Photocopy and preserve any official reply for a cyber fraud FIR.

FAQ: Genuine government website verification

Can a .org or .com domain ever be official government?

Rarely. Some autonomous bodies and public sector undertakings (e.g., csir.res.in, iitb.ac.in for education) use .in, .res.in, or .ac.in. Sovereign functions—tax, passport, PAN, Aadhaar, grievance redressal—always use .gov.in or .nic.in. Cross-check against india.gov.in directory. If in doubt, file an RTI to the nodal ministry.

Does HTTPS (green padlock) guarantee a site is genuine?

No. HTTPS encrypts data but does not verify the site's identity beyond domain ownership. Phishing operators buy SSL certificates for fake domains. Always click the padlock and check Issued to (must match the exact domain) and Issued by (must be NIC CA or a government-approved CA).
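
The "Issued to", "Issued by" and validity-period checks, applied to a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`. This is an added example, not part of the original guide: both sample certificates and the issuer name "Example Government CA" are constructed, and the accepted-issuer list is an assumption the caller must supply.

```python
import ssl

# Issuer organisations the caller accepts. Constructed placeholder: replace it
# with the issuers seen on portals verified through the india.gov.in directory.
ACCEPTED_ISSUERS = {"Example Government CA"}

# Constructed samples shaped like SSLSocket.getpeercert() output.
PHISH_CERT = {
    "subjectAltName": (("DNS", "incomtax-efiling.org"),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
}
GENUINE_CERT = {
    "subjectAltName": (("DNS", "incometax.gov.in"), ("DNS", "www.incometax.gov.in")),
    "issuer": ((("countryName", "IN"),), (("organizationName", "Example Government CA"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}


def _field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of the nested RDN tuples."""
    for rdn in rdns:
        for name, value in rdn:
            if name == key:
                return value
    return None


def _san_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def inspect_cert(cert, host, accepted_issuers=ACCEPTED_ISSUERS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_san_matches(n, host) for n in names):
        findings.append("issued-to-mismatch")
    issuer = _field(cert.get("issuer", ()), "organizationName")
    if issuer not in accepted_issuers:
        findings.append("unexpected-issuer:" + str(issuer))
    # Validity length in days; 90 days or less is this guide's phishing heuristic.
    days = (ssl.cert_time_to_seconds(cert["notAfter"])
            - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    if days <= 90:
        findings.append("short-validity:%dd" % days)
    return findings
```

For `PHISH_CERT` checked against its own hostname the "Issued to" test passes, which is why the padlock appears; only the issuer and validity findings expose it.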

What if the fake site redirects to the genuine site after login?

Classic phishing technique. Your credentials are captured in the first step, stored on attacker servers, then you're redirected to the real portal with a “session expired” message to avoid suspicion. Never re-enter credentials if you notice a sudden redirect. Change passwords immediately and report.

How do I verify a government website on my mobile phone?

Tap the padlock/info icon in the address bar → “Certificate” or “Connection is secure.” On Chrome Android, you can view certificate details via the “Details” button. Match the issuer to NIC CA. Also check the domain suffix (.gov.in). Bookmark verified URLs. Avoid clicking ads or links in SMS/WhatsApp.

Can I trust a site if it appears in Google's top search results?

No. Phishing sites pay for Google Ads that appear above organic results, with an “Ad” label. Attackers bid on keywords like “income tax e-filing” or “passport renewal online.” Always type the URL manually or use bookmarks. Google's “Safe Browsing” warning catches some phishing, but not all.

What is the S3WaaS logo and why does it matter?

S3WaaS (Secure, Scalable, and Sugamya Website as a Service) is NIC's framework for government portal development. Sites carrying the S3WaaS logo have passed security audits, accessibility (GIGW) compliance, and SSL hardening. While not foolproof, absence of this logo on a purported government site is a red flag.

How long before police act on a cyber fraud complaint?

Under Bharatiya Nagarik Suraksha Sanhita 2023 s.173(1), police must register an FIR for a cognizable offence without delay. Cyber Police Stations are directed to act on I4C cases promptly. Investigation timelines vary (weeks for domestic cases; longer for transnational syndicates). You can seek progress updates as the investigation proceeds.

Can I file an FIR in my city even if the fake website is hosted abroad?

Yes. Under the zero-FIR provision in BNSS 2023 s.173(1), information about a cognizable offence may be given irrespective of where the offence was committed, so you may file at any police station or approach a Cyber Police Station. For high-value cases, I4C and the CBI's cyber wing may have concurrent involvement.

Who pays for losses if I lose money to a fake government site?

There is no automatic reimbursement. You must file a cyber fraud FIR, seek an account freeze via police/court, and may pursue IT Act 2000 s.43 compensation before the Adjudicating Officer. If a bank or payment gateway was negligent, you can pursue liability under the Consumer Protection Act 2019 and the RBI Ombudsman scheme. Recovery is not guaranteed; focus on prevention.

Should I report to CERT-In, cybercrime.gov.in, or police first?

Parallel reporting. CERT-In for technical takedown and domain blocking. cybercrime.gov.in for national database entry and I4C coordination. Local Cyber Police for FIR and investigation. All three channels serve different functions. Time-stamp each report.

Myth vs reality table

| Myth | Reality |
| --- | --- |
| A green padlock means the website is official government. | The padlock only certifies the connection is encrypted. Fake sites obtain SSL certificates for fraudulent domains. Always verify the certificate issuer is NIC CA or Controller of Certifying Authorities India. |
| Government websites can use .org or .com domains. | Legitimate central government portals exclusively use .gov.in or .nic.in. State portals use [state].gov.in. Any sovereign function on .org/.com/.net is fake unless cross-verified via india.gov.in. |
| If a site appears in Google search results, it must be genuine. | Phishing sites pay for Google Ads (marked “Ad”) and appear above genuine links. Attackers exploit SEO to rank fake domains. Always type URLs manually or use bookmarks. |
| I can ignore a suspicious site if I didn't enter any information. | Silence aids attackers. Report every fake government site to CERT-In and cybercrime.gov.in. Your report triggers takedown and protects thousands of potential victims. |
| Reporting to police is enough; no need to inform CERT-In separately. | Police handle investigation; CERT-In coordinates technical takedown and domain blocking. Both are necessary. Police cannot unilaterally block domains; CERT-In issues directions to registrars under IT Act s.70B. |
| I cannot verify websites on mobile; verification is desktop-only. | Mobile browsers display certificate details. Tap padlock/info icon → “Certificate.” Match domain and issuer. Also check domain suffix (.gov.in). Bookmark verified URLs. Mobile verification is equally reliable. |

Last word: trust but verify every government portal

Fake government websites are the Trojan horses of 2026's digital India. Unlike street scams, they leverage institutional trust, visual perfection, and SSL theatre to harvest credentials at scale. The Citizen Crisis Response Network three-step verification protocol—domain suffix check (.gov.in/.nic.in), NIC CA certificate validation, and cross-reference against india.gov.in directory—sharply reduces phishing risk. Combine this with immediate CERT-In reporting and zero-delay password rotation post-compromise, and you convert from potential victim to active cyber defender. The cheating provisions of the Bharatiya Nyaya Sanhita 2023, IT Act 2000 s.66D, and CERT-In's domain takedown powers are only as strong as citizen vigilance and prompt evidence submission. Bookmark genuine URLs, never trust search ads, inspect SSL issuers, and remember: the government will never ask for OTP via pop-up or WhatsApp. Verify first, transact second—always.
