Rising cases of digital scams prompt RBI move to shift to exclusive web domains
Digital fraud is on the rise in India, with significant increases in both the number and value of fraudulent activities in recent years. The trend underscores the need for continuous vigilance, user education, and robust security measures to protect consumers and maintain trust in the digital financial ecosystem.
In the financial year 2024, India incurred losses exceeding ₹1.7 billion due to cyber fraud, particularly in credit card, debit card, and internet banking sectors. Between January and April 2024, over 740,000 cybercrime cases were reported, indicating a substantial surge in such incidents. The RBI has reported that frauds related to digital payments, including cards and internet transactions, accounted for 10.4 per cent of the total fraud amount in the fiscal year ended March 2024, up from 1.1 per cent in the previous fiscal year.
Several factors have contributed to the spike in digital fraud. The swift increase in digital payment adoption, driven by initiatives like the Unified Payments Interface (UPI), has expanded the target base for fraudsters. They are employing advanced methods, including phishing, vishing, and social engineering, to deceive users into revealing sensitive information. To add to this, many users remain unaware of the latest fraud tactics, making them more susceptible to scams.
Not surprisingly, therefore, RBI Governor Sanjay Malhotra has emphasised a zero-tolerance policy toward financial fraud and mis-selling, and announced exclusive internet domains ‘.bank.in’ and ‘.fin.in’ for banks and non-banks to curb cyber threats and phishing. The Institute for Development and Research in Banking Technology (IDRBT) will oversee registrations starting April.
Additionally, RBI has extended mandatory two-factor authentication (additional factor of authentication, AFA) to international digital payments involving offshore merchants to strengthen security. The Governor has highlighted rising digital fraud incidents, urging collective action from stakeholders. To boost retail participation in government securities, RBI has also expanded access to the NDS-OM platform for non-bank brokers registered with SEBI.
The change in internet domains for banks and non-banks can help curb financial fraud in several ways. Banks and financial institutions migrating to secure top-level domains (TLDs) like .bank, .finance, or .secure must adhere to strict security protocols. These domains are harder for fraudsters to register, reducing the risk of phishing attacks and website spoofing.
With a unique, verified domain, customers can confidently recognise legitimate bank websites, decreasing their likelihood of falling for fraudulent sites. Domains such as .bank are restricted to verified financial institutions.
Domain providers for financial TLDs often require institutions to implement higher security standards like multi-factor authentication (MFA), encryption, and regular security checks, creating robust defenses against hacking attempts.
Since malicious actors cannot easily obtain restricted domains (like .bank), it becomes more difficult to set up fraudulent sites mimicking genuine financial institutions.
Domain restrictions make it easier for customers to identify official websites, reducing the effectiveness of fraud schemes that exploit brand similarity (e.g., fake domains with slight variations).
Further, the shift towards secure domains by financial regulators worldwide may encourage the harmonisation of security practices, benefiting international users and institutions alike.
There are, however, certain challenges that must be overcome. Migration to secure domains might involve costs and require changes in IT infrastructure, and customers must be educated to recognise and trust these new secure domains.
While there is no doubt that domain changes would contribute to a more secure digital banking ecosystem, success requires complementary measures like user awareness campaigns and strong IT security frameworks.