Home Office Phishing Scam Targets UK Immigration Sponsors

Aug. 12, 2025

An active phishing campaign is impersonating the Home Office to compromise UK organizations licensed to sponsor foreign workers and students.

The sophisticated campaign, which closely mimics official UK Home Office communications and web pages, aims to compromise sponsor license holders’ Sponsorship Management System (SMS) credentials.

The compromised credentials are used to facilitate a range of elaborate immigration fraud schemes, extortion attempts and other monetization schemes, according to an investigation by cybersecurity firm Mimecast.

The most elaborate of these involves creating fake job offers and visa sponsorship schemes, with threat actors observed charging victims between £15,000 and £20,000 ($20,186 and $26,914) for non-existent employment opportunities.

The attacks target UK organizations holding sponsor licenses across all industries and sectors, with a particular focus on companies actively managing visa sponsorship programs and on regular users of the SMS system.

“The threat actors demonstrate advanced understanding of government communication patterns and user expectations within the UK immigration system,” the researchers noted.

Samantha Clarke, threat research engineer at Mimecast, told Infosecurity that around 8,000 emails related to this campaign were observed in the first half of July 2025. The campaign ramped up in early August, with around 2,500 emails sent in the first six days of the month.

On July 10, the Home Office issued a notification on the Sponsorship Management System (SMS) as well as direct communications to sponsors' key contacts and authorizing officers, warning of phishing scams that could compromise SMS account security.

Organizations Sent Fake Home Office Warnings

The campaign begins with target organizations being sent emails containing urgent alerts about SMS notifications or system alerts that supposedly require immediate attention.

SMS is the online tool used by sponsors to manage their license and meet their duties to notify the Home Office of changes in circumstances.

These emails contain a link that directs users to fraudulent login pages designed to prompt them into entering their SMS authentication credentials.

The Mimecast report, published on August 12, highlighted common subject lines used in the initial phishing email. These include ‘A new message has been posted to your Sponsorship Management System’ and ‘Message Notification from SMS’.

Example urgent warning phishing email impersonating the UK Home Office. Source: Mimecast

When the link in the initial email is clicked, the user is first sent to a CAPTCHA-gated URL, which acts as a filtering mechanism to keep automated scanners away from the lure. They are then redirected to a phishing page that closely replicates the authentic SMS interface.

The researchers said this replication is achieved through direct copying of the official SMS login page HTML, hotlinking of official assets and minimal but critical changes to the form submission process.

The user credentials, once entered, are sent to an attacker-controlled script rather than to the legitimate authentication system.
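The cloning technique described above (official HTML copied, official assets hotlinked, only the form submission changed) leaves a detectable fingerprint: the page's scripts and stylesheets still resolve to the genuine site while its form posts somewhere else. The following is an added example, not code from the Mimecast report or the article, of how a sandbox or link-analysis step could score a fetched login page on that mismatch. It assumes that the genuine service lives under a `.gov.uk` host (an assumption standing in for your own allow-list), and the sample HTML and hostnames are constructed placeholders, not real infrastructure.

```python
"""Heuristic detector for a cloned login page whose form posts off-site.

Added example, not from the report or the article. Assumptions (labelled):
  - TRUSTED_SUFFIX: the genuine login page is served from a .gov.uk host
    (placeholder for an organisation's own allow-list),
  - the sample pages below are constructed; every hostname is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TRUSTED_SUFFIX = ".gov.uk"  # assumption: genuine SMS pages live under gov.uk


class _FormAssetParser(HTMLParser):
    """Collect every form action and every script/img/link URL on the page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.asset_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty/missing action means "post back to the page's own URL".
            self.form_actions.append(a.get("action") or "")
        elif tag in ("script", "img") and a.get("src"):
            self.asset_urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.asset_urls.append(a["href"])


def _host(url, base):
    """Resolve a possibly relative URL against the page URL and return its host."""
    return (urlparse(urljoin(base, url)).hostname or "").lower()


def _trusted(host):
    return host == TRUSTED_SUFFIX.lstrip(".") or host.endswith(TRUSTED_SUFFIX)


def analyse_login_page(page_url, html):
    """Return findings for one fetched page.

    form_posts_untrusted: a form submits credentials to a host outside the
                          trusted suffix (the attacker-controlled script).
    hotlinks_official:    assets are pulled from a trusted host while the page
                          itself is not served from one (copied HTML).
    """
    parser = _FormAssetParser()
    parser.feed(html)
    page_host = (urlparse(page_url).hostname or "").lower()
    action_hosts = [_host(a, page_url) for a in parser.form_actions]
    asset_hosts = {_host(u, page_url) for u in parser.asset_urls}
    findings = {
        "page_host_untrusted": not _trusted(page_host),
        "form_posts_offsite": any(h != page_host for h in action_hosts),
        "form_posts_untrusted": any(not _trusted(h) for h in action_hosts),
        "hotlinks_official": (not _trusted(page_host))
        and any(_trusted(h) for h in asset_hosts),
        "form_action_hosts": action_hosts,
    }
    findings["suspicious"] = (
        findings["form_posts_untrusted"] or findings["hotlinks_official"]
    )
    return findings


# Constructed sample: copied login form, official-looking assets still hotlinked,
# form action redirected. Both hostnames are placeholders.
CLONED_PAGE_URL = "https://sms-login.example-phish.test/login"
CLONED_PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="https://sms.placeholder.gov.uk/assets/sms.css">
<script src="https://sms.placeholder.gov.uk/assets/sms.js"></script>
</head><body>
<form method="post" action="https://sms-login.example-phish.test/collect.php">
<input name="username"><input name="password" type="password">
</form></body></html>
"""

# Constructed sample of a genuine page under the same assumption (placeholder host).
GENUINE_PAGE_URL = "https://sms.placeholder.gov.uk/sms/login"
GENUINE_PAGE_HTML = """
<html><head><link rel="stylesheet" href="/assets/sms.css"></head>
<body><form method="post" action="/sms/login"><input name="username"></form></body></html>
"""

if __name__ == "__main__":
    for url, page in ((CLONED_PAGE_URL, CLONED_PAGE_HTML), (GENUINE_PAGE_URL, GENUINE_PAGE_HTML)):
        f = analyse_login_page(url, page)
        print(url, "->", "SUSPICIOUS" if f["suspicious"] else "ok", f["form_action_hosts"])
```

The check deliberately scores two independent signals: the form's destination and the origin of the assets. A CAPTCHA gate in front of the page only delays this analysis; once the sandbox has the rendered HTML, the mismatch between where the page pulls its look and where it sends the credentials is what gives the clone away.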

The fake SMS login page. Source: Mimecast

Follow-on Immigration Fraud and Extortion Schemes

Once the attackers have captured the SMS credentials, they engage in a range of monetization schemes.

These include:

  • Selling access to compromised accounts on dark web forums
  • Conducting extortion schemes against affected organizations
  • Facilitating fraudulent Certificate of Sponsorship (CoS) issuance
  • Creating fake job offers and visa sponsorship schemes via seemingly legitimate visa documents

Mimecast advised UK organizations holding sponsor licenses to deploy anti-phishing tools that can detect government impersonation attempts and suspicious URL patterns.

Additionally, firms should implement URL rewriting and sandboxing to analyze links before user interaction takes place.
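As an added illustration of the kind of government-impersonation and URL-pattern check Mimecast recommends (example code written for this article, not a Mimecast product or the report's own logic), the triage below scores an inbound message on three signals the article describes: the known lure subject lines, a display name claiming to be the Home Office or SMS while the sending domain is not a `.gov.uk` host, and links to hosts outside `.gov.uk`. The `.gov.uk` suffix is an assumption standing in for an organisation's own allow-list; the three sample messages and all addresses in them are constructed placeholders.

```python
"""Mail-triage heuristics for Home Office / SMS impersonation.

Added example, not from the report or the article. Assumptions (labelled):
  - TRUSTED_SUFFIX: genuine Home Office mail and links use .gov.uk hosts,
  - the sample messages are constructed; all domains are placeholders.
"""
import re
from urllib.parse import urlparse

TRUSTED_SUFFIX = ".gov.uk"  # assumption: placeholder for your own allow-list

# Subject-line lures reported by Mimecast (quoted in the article above).
LURE_SUBJECTS = (
    "a new message has been posted to your sponsorship management system",
    "message notification from sms",
)
# Names the campaign impersonates in the From display name.
IMPERSONATED_NAMES = ("home office", "sponsorship management system", "ukvi")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]+)>")


def _is_trusted_host(host):
    host = host.lower()
    return host == TRUSTED_SUFFIX.lstrip(".") or host.endswith(TRUSTED_SUFFIX)


def sender_domain(from_header):
    """Domain of the envelope address in a From header such as 'Name <a@b>'."""
    m = ADDR_RE.search(from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def triage_message(msg):
    """Return a verdict and the reasons behind it for one message dict."""
    subject = msg["subject"].strip().lower()
    display = msg["from"].lower()
    claims_gov = any(n in display for n in IMPERSONATED_NAMES)
    link_hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(msg["body"])]
    reasons = []
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("subject matches known lure")
    if claims_gov and not _is_trusted_host(sender_domain(msg["from"])):
        reasons.append("claims Home Office/SMS but sent from non-gov.uk domain")
    untrusted = sorted({h for h in link_hosts if h and not _is_trusted_host(h)})
    if claims_gov and untrusted:
        reasons.append("links to non-gov.uk host(s): " + ", ".join(untrusted))
    # A lure subject alone is not enough: genuine SMS notifications use similar
    # wording, so quarantine only when impersonation or link evidence joins it.
    verdict = "quarantine" if len(reasons) >= 2 else "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples; every address and host is a placeholder.
SAMPLE_MESSAGES = [
    {
        "from": "Home Office SMS <noreply@sms-notify.example-phish.test>",
        "subject": "Message Notification from SMS",
        "body": "A new message requires your attention: "
                "https://verify.example-phish.test/sms/captcha?id=123",
    },
    {
        "from": "Sponsorship Management System <no-reply@sms.placeholder.gov.uk>",
        "subject": "Message Notification from SMS",
        "body": "Sign in at https://sms.placeholder.gov.uk/sms/login to read it.",
    },
    {
        "from": "IT Helpdesk <it@example.com>",
        "subject": "Password expiry reminder",
        "body": "Please visit https://intranet.example.com before Friday.",
    },
]


def triage_all(messages=SAMPLE_MESSAGES):
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for m, r in zip(SAMPLE_MESSAGES, triage_all()):
        print(f"{r['verdict']:10} {m['subject']!r}: {r['reasons']}")
```

The second sample is the important one: a genuine notification carries the same subject wording, so a rule keyed on subject alone would quarantine the Home Office's own mail. Requiring a second signal (sender domain or link destination) keeps the rule usable while still catching the impersonation pattern.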

Image credit: James Copeland / Shutterstock.com
