A coordinated phishing campaign is targeting organisations licensed to sponsor UK visas, impersonating the Home Office to steal login credentials for the Sponsorship Management System (SMS). The scheme allows cybercriminals to issue counterfeit Certificates of Sponsorship (CoS), triggering a surge in immigration fraud and financial extortion.
Phoney Emails, Real Damage
The attack follows a ruthlessly convincing template: emails are crafted to mimic official Home Office communications—complete with accurate branding, urgent warnings of compliance issues, and threats of account suspension. Recipients are directed via captcha-protected links to phishing sites nearly indistinguishable from the genuine SMS portal.
Once credentials are entered into these lookalike pages, they are captured by attacker-controlled servers. With the stolen access, criminals can create fake job offers and exploit the organisation's sponsorship licence, charging victims between £15,000 and £20,000 (approx. INR 15.9 lakh and INR 21.2 lakh respectively) for fraudulent CoS documents.
Systemic Threat to Immigration Integrity
Mimecast’s Threat Research team warns this is more than isolated fraud—it’s a direct threat to the integrity of the UK immigration system. Compromised accounts may be sold on the dark web or used in elaborate scams that blend deception with official-seeming back-end processes.
Natasha Chell, Partner and Head of Risk & Compliance at Laura Devine Immigration, confirms that some sponsor organisations have already experienced breaches. She underscores the need for robust cybersecurity policies, staff training, and verifying any suspicious communications through official Home Office channels, not via links in unsolicited emails.
Defensive Measures and Vigilance
To curb the threat, Mimecast has introduced new email detection features for its clients. Recommended protective measures for organisations include enabling multi-factor authentication (MFA) on SMS accounts, rotating passwords regularly, and monitoring account activity for suspicious login patterns. Additionally, staff should be trained to recognise phishing hallmarks, such as deceptive URL structures, and urged to navigate directly to official government websites rather than clicking embedded links.
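The "deceptive URL structures" this advice refers to, and the lookalike links described earlier, follow a handful of recognisable patterns: government wording placed in a subdomain or path of a domain the attacker controls, userinfo before an "@" that disguises the real host, raw IP addresses, and punycode labels that render as homoglyphs. The checker below is an added example written for this article, not Mimecast's or the Home Office's code. It assumes only that genuine Home Office services live under the gov.uk suffix, which outsiders cannot register; the brand words and all sample URLs are constructed for illustration.

```python
"""Structural checks for links that claim to lead to a UK government login page.

Added example, not from the original article. Flags the URL tricks phishing
campaigns use to imitate an official address. It is a triage aid for training
and mail filtering, not a substitute for typing the known URL by hand.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: genuine Home Office services sit under gov.uk, a suffix that
# cannot be registered by outsiders. The brand words are illustrative choices.
TRUSTED_SUFFIX = ("gov", "uk")
BRAND_WORDS = ("gov", "homeoffice", "ukvi", "sponsor")


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_url(url: str):
    """Return (plausible, reasons).

    plausible is True only when the host ends in gov.uk over https and none of
    the deceptive structures below are present; reasons lists every finding.
    """
    reasons = []
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []

    if parts.username is not None:
        # https://www.gov.uk@evil.example/ : everything before '@' is userinfo;
        # the browser actually connects to evil.example
        reasons.append("userinfo before '@' hides the real host")
    if _is_ip(host):
        reasons.append("host is a raw IP address")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label (possible homoglyph domain)")
    if parts.scheme != "https":
        reasons.append("not https")

    # The registrable suffix is what matters: 'gov.uk' must be the LAST two
    # labels, not merely present somewhere in the host or path.
    under_gov_uk = len(labels) >= 2 and tuple(labels[-2:]) == TRUSTED_SUFFIX
    if not under_gov_uk:
        reasons.append("host does not end in gov.uk")
        if any(w in host for w in BRAND_WORDS):
            reasons.append("government wording in a non-gov.uk host")
        if any(w in parts.path.lower() for w in BRAND_WORDS):
            reasons.append("government wording only in the path")
    return (not reasons, reasons)


# Constructed sample links: one genuine-looking structure and four lookalikes.
SAMPLE_URLS = [
    "https://www.gov.uk/",
    "https://www.gov.uk.sms-verify.com/login",        # suffix in a subdomain
    "https://homeoffice-gov-uk.net/sponsor/login",    # hyphenated lookalike
    "https://www.gov.uk@198.51.100.7/sms",            # userinfo trick + raw IP
    "https://login.xn--hmeoffice-8za.com/",           # punycode homoglyph
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_url(u)
        print(f"{'OK  ' if ok else 'WARN'} {u}")
        for r in why:
            print(f"       - {r}")
```

The check deliberately judges structure only. It cannot tell whether a well-formed gov.uk link leads to the real portal (an email can show one link text and carry another), and it will not see past the captcha gate the campaign puts in front of its phishing pages, so automated URL scanners may fetch only the captcha. Both are reasons the article's advice to navigate to the government site directly still stands.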