{"id":2342,"date":"2025-08-17T20:55:39","date_gmt":"2025-08-17T20:55:39","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/08\/17\/home-office-phishing-scam-targets-uk-immigration-sponsors\/"},"modified":"2025-08-17T20:55:39","modified_gmt":"2025-08-17T20:55:39","slug":"home-office-phishing-scam-targets-uk-immigration-sponsors","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/17\/home-office-phishing-scam-targets-uk-immigration-sponsors\/","title":{"rendered":"Home Office Phishing Scam Targets UK Immigration Sponsors"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/32483240-27a8-4f36-ac60-9d465c05a5d5.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of James Coker\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-94a36855-b0e0-4d93-91f0-9278ac6e8758\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>An active phishing campaign is impersonating the Home Office to compromise UK organizations licensed to sponsor foreign workers and students.<\/p>\n<p>The sophisticated campaign, which closely mimics official UK Home Office communications and web pages, aims to compromise sponsor license holders\u2019 Sponsorship Management System (SMS) credentials.<\/p>\n<p>The compromised credentials are used to facilitate a range of elaborate immigration fraud schemes, extortion attempts and other monetization schemes, according to an investigation by cybersecurity firm Mimecast.<\/p>\n<p>The most elaborate of these involves creating fake job offers and visa sponsorship schemes, with threat actors observed charging victims between \u00a315,000-\u00a320,000 ($20,186-$26,914) for non-existent employment opportunities.<\/p>\n<p>The attacks target UK organizations holding sponsor licences across all industries and sectors, with particular focus on companies 
actively managing visa sponsorship programs and regular SMS system users.<\/p>\n<p>\u201cThe threat actors demonstrate advanced understanding of government communication patterns and user expectations within the UK immigration system,\u201d the researchers noted.<\/p>\n<p>Samantha Clarke, threat research engineer at Mimecast, told <em>Infosecurity<\/em> that around 8000 emails related to this campaign were observed in the first half of July 2025. The campaign ramped up in early August, with around 2500 emails sent in the first six days of the month.<\/p>\n<p>On July 10, the Home Office issued\u00a0a notification\u00a0on the Sponsorship Management System (SMS) as well as direct communications to sponsors&#8217; key contacts and authorizing officers, warning of phishing scams that could compromise SMS account security.<\/p>\n<h2><strong>Organizations Sent Fake Home Office Warnings<\/strong><\/h2>\n<p>The campaign begins with target organizations being sent emails containing urgent alerts around SMS notifications or system alerts requiring immediate attention.<\/p>\n<p>SMS is the online tool used by sponsors to manage their license and meet their duties to notify the Home Office of changes in circumstances.<\/p>\n<p>These emails contain a link that directs users to fraudulent login pages designed to prompt them into entering SMS authentication credentials.<\/p>\n<p>The Mimecast report, published on August 12, highlighted common subject lines used in the initial phishing email. 
These include \u2018A new message has been posted to your Sponsorship Management System\u2019 and \u2018Message Notification from SMS\u2019.<\/p>\n<\/p><\/div>\n<figure id=\"layout-6249cc19-8672-440d-9b02-b9d00d176e96\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/localimages\/8a7424b1-0c7f-4676-ab66-13c687c84d5a.png\" alt=\"Example urgent warning phishing email impersonating the UK Home Office. Source: Mimecast\"><figcaption>Example urgent warning phishing email impersonating the UK Home Office. Source: Mimecast<\/figcaption><\/figure>\n<div id=\"layout-74ad740c-8af9-404d-9153-bddb1cedc7fc\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>When the link on the initial email is clicked, the user is first sent to a CAPTCHA-gated URL, which acts as a filtering mechanism. They are then redirected to a phishing page that closely replicates the authentic SMS interface.<\/p>\n<p>The researchers said this replication is achieved through direct copying of the official SMS login page HTML, hotlinking of official assets and minimal but critical changes to the form submission process.<\/p>\n<p>The user credentials, once inputted, are sent to an attacker-controlled script rather than the legitimate authentication system.<\/p>\n<\/p><\/div>\n<figure id=\"layout-072789c0-e158-4ead-bfab-16f4809fb44e\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/localimages\/ac7b2806-a96f-4dd5-9f75-ac03873def38.png\" alt=\"The fake SMS log in page. Source: Mimecast\"><figcaption>The fake SMS log in page. 
Source: Mimecast<\/figcaption><\/figure>\n<div id=\"layout-c0c85f55-9532-44a1-bc2f-0476e07803bc\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<h2><strong>Follow-on Immigration Fraud and Extortion Schemes<\/strong><\/h2>\n<p>Once the attackers have captured the SMS credentials, they engage in a range of monetization schemes.<\/p>\n<p>These include:<\/p>\n<ul>\n<li>Selling access to compromised accounts on dark web forums<\/li>\n<li>Conducting extortion schemes against affected organizations<\/li>\n<li>Facilitating fraudulent Certificate of Sponsorship (CoS) issuance<\/li>\n<li>Creating fake job offers and visa sponsorship schemes via seemingly legitimate visa documents<\/li>\n<\/ul>\n<p>Mimecast advised UK organizations holding sponsor licenses to deploy anti-phishing tools that can detect government impersonation attempts and suspicious URL patterns.<\/p>\n<p>Additionally, firms should implement URL rewriting and sandboxing to analyze links before user interaction takes place.<\/p>\n<p><em>Image credit:\u00a0James Copeland \/ Shutterstock.com<\/em><\/p>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>An active phishing campaign is impersonating the Home Office to compromise UK organizations licensed to sponsor foreign workers and students. The sophisticated campaign, which closely mimics official UK Home Office communications and web pages, aims to compromise sponsor license holders\u2019 Sponsorship Management System (SMS) credentials. 
The compromised credentials are used to facilitate a range of<\/p>\n","protected":false},"author":2,"featured_media":2343,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2342","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2342-e0de2fe5-67c3-45f7-8d7e-741794c5cf42-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2342","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2342"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2342\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2343"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2342"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}