Is Your Bank Website Real? RBI .bank.in Domain Rule

Quick answer. A genuine Indian bank website now ends in .bank.in (for example yourbank.bank.in). The Reserve Bank of India directed every regulated bank to move to this single, trusted address, and the migration deadline was 31 October 2025, so banks have shifted to it. Only RBI-regulated banks can get a .bank.in name, issued by one official registrar. Before you log in or pay, look at the end of the web address. If it does not end in .bank.in and you were expecting your bank, stop and check.

Fraudsters build fake bank pages that look real and steal your login and OTP. The .bank.in rule gives you one simple test to tell a real bank site from a fake one. This guide shows you what the rule is, how to read your bank address, and how to spot a fake site or SMS before you lose money.

Before this rule, banks used many different endings, and fraudsters copied them. Now there is one trusted ending. Here is what each signals.

The single most important habit is to read the address from the right side first. The real ending is the last part before the first single slash.

1. Look at the full web address in your browser bar, not just the page design.
2. Read it from the right. A genuine bank ends in .bank.in just before the first slash.
3. Watch for extra words after .bank.in, like yourbank.bank.in.login-verify.xyz. That extra tail means it is fake.
4. Never reach your bank by clicking a link in an SMS, email or WhatsApp. Type the address yourself or use your saved bookmark.
5. Check for the padlock and https, but remember a padlock alone does not prove the site is genuine.
6. If anything looks off, close the page and call the number printed on the back of your debit card.

For a wider method that also covers government portals, see our guide on how to verify a genuine government website in India.

The Reserve Bank of India announced exclusive .bank.in and .fin.in domains in its Statement on Developmental and Regulatory Policies dated 7 February 2025, and followed up with a circular on migration to the .bank.in domain dated 22 April 2025. The reason is simple. Phishing and fake-website fraud were rising, and ordinary customers had no easy way to tell a real bank page from a clever copy.

Under this scheme, IDRBT (the Institute for Development and Research in Banking Technology) is the exclusive registrar for .bank.in, authorised by NIXI under the Ministry of Electronics and Information Technology. Because only an RBI-regulated bank can be given a .bank.in address, the ending itself becomes a trust signal you can rely on. Banks needing to register contact IDRBT at [email protected]. The migration deadline was 31 October 2025, so banks have moved to their new addresses.

This is part of a wider push to protect customers online. If money already left your account to a wrong or fake party, read our steps on what to do when a wrong beneficiary is added in net banking.

Treat these as red flags and do not enter any details:

• The web address does not end in .bank.in, but the page claims to be your bank.
• The link came in an SMS, email or WhatsApp asking you to verify, unblock or reactivate your account.
• The page asks for your full card number, CVV, PIN, OTP or net-banking password together.
• The address has small misspellings, like hdfc-bank.secure.in or icicl.bank.in.xyz.
• You are rushed with threats, such as your account will be blocked in two hours.
• The page offers a refund, reward or cashback and asks you to log in to claim it.
• The padlock is shown, but the name in the address is not your bank.

A genuine bank will never ask for your OTP or full PIN by phone, SMS or web form. When borrowing online, the same caution applies, know your protections under digital lending DLG and borrower rights.

Banks regulated by RBI were directed to migrate to .bank.in, with a deadline of 31 October 2025, so genuine bank sites have moved to this address. A few may still redirect from an old .com address, but the trusted destination ends in .bank.in. If you are unsure, call the number on your debit card.

.bank.in is only for RBI-regulated banks. .fin.in is a separate trusted domain RBI created for non-bank financial entities. Both are part of the same effort to help you identify genuine financial websites and cut down phishing fraud.

IDRBT, the Institute for Development and Research in Banking Technology, is the exclusive registrar, authorised by NIXI under the Ministry of Electronics and Information Technology. Because the registrar checks that the applicant is an RBI-regulated bank, the ending itself is a sign of a genuine bank.

Read the address from the right and make sure .bank.in is the part just before the first single slash, with nothing extra after it like .bank.in.login.xyz. Confirm the bank name is spelt correctly. If anything is off, stop, do not enter your details, and contact your bank through its official number.

Call your bank immediately to block the card and account, and change your net-banking password. Report the fraud on the national cybercrime helpline 1930 or at cybercrime.gov.in. Acting fast gives the best chance of stopping or reversing the transaction.

Save this one-line test to your phone: a real Indian bank website ends in .bank.in, read from the right, with nothing extra after it.

• Bookmark your bank login page today and always open it from the bookmark.
• Never log in through a link in an SMS, email or WhatsApp.
• Share this check with family members who bank online, especially senior citizens.
• Report suspicious sites and messages on 1930 or cybercrime.gov.in.

For deeper, citizen-first guides on using your information rights to hold institutions accountable, see The RTI Playbook.