A recent phishing campaign is targeting UK employer-sponsors, impersonating the Home Office and UK Visas & Immigration (UKVI) in an attempt to steal SMS (Sponsorship Management System) login credentials.
For businesses holding sponsor licences, this represents a serious threat, one that could lead to fraudulent activity, compliance breaches or reputational damage. This article covers what you need to know.
How does the scam work?
Mimecast, a cybersecurity firm, has identified deceptive emails that mimic official Home Office communications. The emails warn of alleged compliance issues or urgent account notifications and include links to fake login pages. Those pages are designed to look exactly like the SMS portal and harvest user credentials after captcha verification.
If a sponsor’s SMS account is compromised, attackers may:
- Issue fraudulent Certificates of Sponsorship
- Create fake job offers to facilitate immigration fraud
- Sell access to the compromised account
- Extort companies using stolen credentials
Mimecast reports that victims are being charged up to £20,000 for fake visa opportunities using hijacked sponsor licence credentials.
How the scam works and warning signs
The phishing emails typically use generic or publicly listed email addresses and include subject lines such as:
- “A new message has been posted to your Sponsorship Management System”
- “SMS System Notification – Action Required”
- “You Have a New SMS Account Notification”
The malicious links often impersonate government domains but actually redirect users to attacker-controlled servers. The use of captcha gates helps them bypass basic email filters.
Another alert came from the Home Office itself, which reminded sponsors that “the Home Office will never contact users to ask you for or to verify, SMS user ID or password. Nor will they provide a link or password with which to log into SMS.”
Emails may arrive at shared mailboxes because scammers scrape organisations’ websites to collect addresses. Because of that, even staff not directly involved in immigration compliance may receive fraudulent messages.
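The warning signs above can be turned into a simple mail triage check. The following is an added example, not code from Mimecast, the Home Office or this article's authors. It assumes that genuine government hosts end in .gov.uk and that lookalike hosts borrow the tokens listed in GOV_TOKENS; the sample messages and their addresses are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject wording reported for this campaign (taken from the list above).
CAMPAIGN_SUBJECTS = (
    "a new message has been posted to your sponsorship management system",
    "sms system notification",
    "you have a new sms account notification",
)
TRUSTED_SUFFIX = ".gov.uk"  # assumption: genuine government hosts end here
GOV_TOKENS = ("gov", "homeoffice", "ukvi")  # assumption: tokens lookalikes borrow
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real campaign emails).
SAMPLE_PHISH = (
    "From: notifications@example.test\n"
    "To: info@sponsor.example\n"
    "Subject: You Have a New SMS Account Notification\n"
    "\n"
    "Sign in to review: https://sms-homeoffice-gov-uk.example.test/login\n"
)
SAMPLE_BENIGN = (
    "From: hr@sponsor.example\n"
    "Subject: Right to work guidance\n"
    "\n"
    "See https://www.gov.uk/guidance for the current rules.\n"
)


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message should be held for manual review."""
    msg = message_from_string(raw_message)
    subject = " ".join((msg.get("Subject") or "").lower().split())
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    hosts.discard("")
    reasons = []
    sms_themed = any(s in subject for s in CAMPAIGN_SUBJECTS)
    if sms_themed:
        reasons.append("subject matches reported campaign wording")
    if sms_themed and hosts:
        # The Home Office states it never emails a link for logging into SMS.
        reasons.append("SMS-themed message contains a link")
    for host in sorted(hosts):
        trusted = host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX)
        if not trusted and any(t in host for t in GOV_TOKENS):
            reasons.append(f"lookalike government host: {host}")
    return reasons
```

An empty list means none of the article's warning signs matched. It does not mean the message is safe.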
What sponsors should do to protect themselves
Here are preventive steps every licensed sponsor should take immediately:
- Enable multi-factor authentication for all SMS users
- Rotate credentials regularly and restrict access based on roles
- Monitor login history for unusual access or behaviour
- Use advanced email filtering, threat detection and sandboxing
- Educate HR, IT and compliance staff to spot phishing attempts
- Validate SMS-related communications via the official portal, not via email links
- Maintain an incident response plan. If you suspect compromise, change passwords, notify the Home Office and preserve any suspicious emails or URLs
Maintaining strong digital hygiene is more than just tech advice. It is essential to protecting your sponsorship rights.
Why this matters now
Invalid or exploited SMS access can lead to severe consequences. Beyond the risk of licence revocation, attackers might use your credentials to sponsor fake roles, expose your business to regulatory sanctions or harm your reputation in the migrant labour market.
This phishing threat arrives at a moment when sponsor licence enforcement is already intensifying. With a record number of licence revocations in 2024-25, regulators are scrutinising sponsor behaviour more closely than ever. A compromised account could trigger enforcement or suspicion.
How legal advisers can help
Specialist immigration solicitors can work with your IT and compliance teams to:
- Audit your SMS access procedures
- Review incidents and guide response
- Interface with the Home Office if account compromise occurs
- Advise on strengthening contract and personnel controls
Because phishing threatens the very foundation of SMS-based sponsorship, legal guidance is critical to avoid cascading compliance failures.
Please note that this article is solely for informational purposes. It’s not a substitute for legal advice. We encourage readers to contact Osbourne Pinner for case-specific guidance.
If you hold a UK sponsor licence and want to safeguard your SMS account and compliance protocols, contact our immigration experts. We can review your systems, help with remediation and support you in the event of a suspected breach.