Attackers impersonating official Home Office communications

Cyber security firm Mimecast has warned of a “significant threat” to the UK immigration system after uncovering a sophisticated phishing campaign aimed at sponsor licence holders.

The attackers are impersonating official Home Office communications to steal login credentials for the Sponsorship Management System (SMS), a secure portal used by approved organisations to manage visa sponsorships.

According to Mimecast’s Threat Research team, the fraudulent emails carry urgent compliance warnings or account suspension threats and contain links to highly convincing fake SMS login pages. Once credentials are stolen, they are used to issue fraudulent Certificates of Sponsorship, enabling elaborate immigration scams.

The most lucrative schemes involve creating fake job offers and visa sponsorships, charging victims between £15,000 and £20,000 for non-existent roles. The compromised sponsor accounts make the associated documentation appear legitimate, helping scammers bypass initial checks.

Researchers found that the phishing sites, near-perfect clones of the legitimate Home Office portal, use copied HTML and official branding, but route login data to attacker-controlled scripts. The campaign also uses captcha-gated URLs and spoofed government domains to evade detection.

Mimecast has put detections in place to block the emails and is urging sponsor licence holders to enable multi-factor authentication, rotate credentials regularly and verify any urgent Home Office communications through official channels.

The phishing emails have been seen across multiple sectors, targeting any organisation with an active sponsor licence. Indicators of compromise include subject lines such as “New Message in Your UKVI Account” and “System Notification – Action Required”, as well as malicious URLs spoofing Home Office domains.

Mimecast advises sponsor licence holders to bolster email security controls, adopt multi-factor authentication, rotate credentials regularly and monitor SMS accounts for suspicious activity. It also recommends enhanced user training on recognising phishing attempts, establishing verification procedures for any SMS-related communications and implementing incident response plans in case of compromise.
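The indicators above (the two reported subject lines and URLs spoofing Home Office domains) and the recommendation to monitor for suspicious activity can be turned into a simple mailbox triage check. The following is an added example written for this page; it is not code from Mimecast or from the article. It assumes that genuine Home Office and UKVI services are hosted under the `.gov.uk` zone, that lure domains tend to borrow branding tokens such as `homeoffice` or `ukvi` (a heuristic chosen here, not a list from the report), and it runs over a small set of constructed sample messages whose domains use reserved TLDs and are not real indicators.

```python
import re
from urllib.parse import urlparse

# Subject lines reported as indicators of compromise in the article,
# stored in normalised form (lower case, plain hyphen).
IOC_SUBJECTS = {
    "new message in your ukvi account",
    "system notification - action required",
}

# Branding tokens a lure domain tends to borrow (assumed heuristic).
LOOKALIKE_TOKENS = ("homeoffice", "ukvi", "gov-uk", "govuk", "sponsor")

# Zone under which genuine Home Office / UKVI services are hosted.
LEGIT_SUFFIX = ".gov.uk"


def normalise_subject(subject: str) -> str:
    """Lower-case and collapse en/em dashes and whitespace so punctuation
    variants do not defeat an exact-match indicator list."""
    s = subject.replace("\u2013", "-").replace("\u2014", "-").strip().lower()
    return re.sub(r"\s+", " ", s)


def is_lookalike_url(url: str) -> bool:
    """True when the hostname borrows Home Office branding but is not
    under *.gov.uk (the suffix check is on the registrable host, so
    'homeoffice.gov.uk.attacker.example' is still flagged)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if host == "gov.uk" or host.endswith(LEGIT_SUFFIX):
        return False
    text = host + parsed.path.lower()
    return any(tok in text for tok in LOOKALIKE_TOKENS)


def triage_email(msg: dict) -> dict:
    """Score one email record (keys: subject, from, urls) against the
    campaign indicators and return the reasons it was flagged."""
    reasons = []
    if normalise_subject(msg["subject"]) in IOC_SUBJECTS:
        reasons.append("ioc-subject")
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if not sender_domain.endswith(LEGIT_SUFFIX) and any(
        tok in sender_domain for tok in LOOKALIKE_TOKENS
    ):
        reasons.append("spoofed-sender-domain")
    bad_urls = [u for u in msg["urls"] if is_lookalike_url(u)]
    if bad_urls:
        reasons.append("lookalike-url")
    return {
        "subject": msg["subject"],
        "suspicious": bool(reasons),
        "reasons": reasons,
        "urls": bad_urls,
    }


# Constructed sample mailbox: reserved TLDs, not real indicators.
SAMPLE_MAIL = [
    {"subject": "New Message in Your UKVI Account",
     "from": "noreply@ukvi-notifications.example",
     "urls": ["https://sms-login.ukvi-notifications.example/verify"]},
    {"subject": "System Notification \u2013 Action Required",
     "from": "alerts@homeoffice-gov-uk.invalid",
     "urls": ["http://homeoffice-gov-uk.invalid/captcha"]},
    {"subject": "Your sponsor licence renewal",
     "from": "no-reply@homeoffice.gov.uk",
     "urls": ["https://www.gov.uk/"]},
    {"subject": "Lunch menu for Friday",
     "from": "catering@corp.example",
     "urls": ["https://intranet.corp.example/menu"]},
]


def triage_mailbox(messages=SAMPLE_MAIL) -> list:
    """Run the triage over every message and return the results."""
    return [triage_email(m) for m in messages]


if __name__ == "__main__":
    for r in triage_mailbox():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['subject']!r} {r['reasons']}")
```

Subject matching alone is brittle, since the attacker can change a word at no cost; the domain check is the part worth keeping, and in a real deployment it would run over the mail gateway's URL-rewrite or click logs rather than over a static list, with any hit routed to the verification procedure the article recommends.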