Home Office Phishing Scam Targets UK Immigration Sponsors’ SMS Credentials

In July–August 2025 a phishing campaign impersonating the Home Office targeted the SMS, with Mimecast logging ~10,500 emails. Compromised logins were used to issue fraudulent CoS, extort organisations, and sell fake visa packages for £15,000–£20,000. Sponsors must verify official channels, rotate strong passwords, monitor CoS activity, and report compromises immediately.

VisaVerge.com
Key takeaways
Home Office alerted sponsors on 10 July 2025 about phishing targeting the Sponsorship Management System.
Mimecast recorded ~8,000 scam emails in early July and ~2,500 between 1–6 August 2025.
Attackers steal SMS logins to issue fraudulent CoS, extort organisations, and sell fake visas for £15,000–£20,000.

(UNITED KINGDOM) A sophisticated phishing campaign is impersonating the Home Office and targeting the Sponsorship Management System (SMS) used by UK employers and education providers. Attacks rose sharply through July and into early August 2025, aiming to steal SMS logins and use compromised accounts to:

  • issue fraudulent Certificate of Sponsorship (CoS) entries,
  • extort organisations,
  • trick migrants with fake jobs and visa documents sold for £15,000–£20,000.

The Home Office issued an official alert on 10 July 2025, sending SMS messages and direct emails to Key Contacts and Authorising Officers to warn sponsors and set out verification rules.

Campaign scale and tactics

Security firm Mimecast observed about 8,000 campaign emails in the first half of July and roughly 2,500 more between 1–6 August, pointing to continued escalation. Computer Weekly reports attackers are targeting sponsor users across Worker, Temporary Worker, Student, and Child routes.

Key campaign techniques:
– Many lures are sent to generic company mailboxes scraped from websites rather than to named Key Personnel, increasing the chance that untrained staff will click.
– Emails commonly claim: “A new message has been posted to your Sponsorship Management System” or “Message Notification from SMS,” often paired with urgent compliance or suspension warnings.
– Links lead through a CAPTCHA step to a cloned page that visually mimics GOV.UK, with small code changes to capture credentials.
– Stolen logins are either resold on dark web forums or used directly to create fake CoS entries and pressure sponsors for payment.
– Downstream, migrants are targeted with convincing but fake sponsorship packages built using real sponsor details.

Most common red flags: messages sent to a shared inbox rather than named Key Personnel, urgent threats of licence action, and login pages that appear genuine but sit on non-GOV.UK domains reached after a CAPTCHA step.

Official guidance and verification rules (Home Office notice: 10 July 2025)

The Home Office specifies that legitimate sponsor-licence communications will only come via:

  • Email addresses ending in @homeoffice.gov.uk, @fco.gov.uk, or @fcdo.gov.uk
  • The Account Management Portal (AMP)
  • The SMS message board

Important warnings:
– The Home Office will never ask you to verify your SMS User ID or password.
– The Home Office will not send a login link or a password to access SMS.

Go directly to the official GOV.UK page for the UK visa sponsorship management system:
https://www.gov.uk/uk-visa-sponsorship-management-system

If you suspect phishing or account compromise, take these steps immediately:
1. Change your SMS password immediately and require all Level 1 and Level 2 users to do the same.
2. Report to the Home Office:
– [email protected]
– 0300 123 4699
– Education providers: [email protected]
3. Review recent SMS activity, revoke any unauthorised CoS actions, and keep records of findings.

The Home Office also urges sponsors to keep user access tight:
– rotate strong, unique passwords;
– deactivate users who leave or change roles;
– ensure at least one (preferably two) active Level 1 users;
– keep contact details up to date.

Practical steps sponsors should take now

  • Verify channels internally:
    • Remind staff that official sponsor emails only come from the domains listed above, or via AMP or the SMS message board.
    • Instruct users to never use an email login link to reach SMS; instead, type the address or use bookmarks for GOV.UK.
  • Harden email and browser security:
    • Enable advanced anti-impersonation controls such as lookalike-domain detection, URL rewriting, and sandboxing for links and attachments.
    • Watch for CAPTCHA-gated redirect chains tied to SMS-themed messages.
  • Lock down SMS access:
    • Enforce strong, unique passwords for all Level 1/2 users and rotate them regularly.
    • Deactivate any user who leaves or changes role.
    • Maintain at least one (preferably two) active Level 1 users at all times.
    • Check audit logs for unexpected CoS actions or message board posts.
  • Train and test teams:
    • Run short, focused sessions for HR, compliance, and shared mailbox owners.
    • Use examples of current lures (e.g., “new message,” “suspension warning”) and rehearse verification without clicking links.
    • Consider simulated phishing exercises tied to SMS themes.
  • Respond fast if someone clicks:
    1. Immediately rotate passwords for the affected user and prompt all SMS users to change theirs.
    2. Report to the Home Office using the contacts above.
    3. Review activity and revoke any unauthorised Certificate of Sponsorship entries.
    4. Notify anyone affected.
  • Reduce exposure of contact points:
    • Remove or mask generic inboxes from public pages where possible.
    • Add filters and approval workflows for shared mailboxes.
    • Ensure Key Personnel details in SMS are current.

Technical notes for defenders

  • CAPTCHA gates can bypass basic link scanners, while cloned GOV.UK assets lower suspicion.
  • Layered controls and ongoing user education are essential.
  • Security teams should:
    • add rules to catch government-brand lookalike domains,
    • adjust detections as lure wording evolves,
    • coordinate with vendors to ingest new indicators and tactics reported by Mimecast and the trade press.
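
A minimal mail-triage check built from the verification rules and red flags above, added here as an illustration (not code from the Home Office, Mimecast, or VisaVerge). The sample message and its `.example` hosts are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender domains the Home Office notice lists as legitimate.
OFFICIAL_SENDER_DOMAINS = {"homeoffice.gov.uk", "fco.gov.uk", "fcdo.gov.uk"}
# Lure wording quoted in the article; extend as the wording evolves.
LURES = re.compile(
    r"new message has been posted to your sponsorship management system"
    r"|message notification from sms", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample; .example hosts are reserved and stand in for lookalikes.
SAMPLE_LURE = """\
From: "Home Office" <noreply@homeoffice-gov-uk.example>
To: info@sponsor.example
Subject: Message Notification from SMS

A new message has been posted to your Sponsorship Management System.
Sign in: https://www.gov.uk.sms-portal.example/login
"""

def is_gov_uk_host(host: str) -> bool:
    """True only for gov.uk or a real subdomain, not 'gov.uk.<other>'."""
    host = host.lower().rstrip(".")
    return host == "gov.uk" or host.endswith(".gov.uk")

def triage(raw_message: str) -> list[str]:
    """Return reasons a message matches the SMS-themed lure; [] if none."""
    msg = message_from_string(raw_message)
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    if not LURES.search(f"{msg.get('Subject', '')}\n{body}"):
        return []
    reasons = []
    # From is forgeable: an official domain here is not proof of authenticity,
    # but a non-official one on SMS-themed mail contradicts the notice.
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if domain not in OFFICIAL_SENDER_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not an official one")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if not is_gov_uk_host(host):
            reasons.append(f"link to non-GOV.UK host {host!r}")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
```

Exact-match and dot-anchored suffix checks matter here: a substring test for "gov.uk" would accept the constructed lookalike hosts in the sample.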

Risks, impact, and compliance implications

Beyond sponsor licence risks, the campaign fuels a wider fraud marketplace. Investigations this year show rising visa scams—especially in care work—producing high losses for migrants. Compromised sponsor credentials enable fake documents to appear authentic, increasing harm to applicants who pay large fees and later discover the job or visa does not exist.

VisaVerge.com notes this fits a broader 2025 pattern of credible government-brand impersonation aimed at organisations and individuals.

The stakes for sponsors are high:
– A single stolen login can cause fraudulent CoS entries, data loss, and serious compliance trouble.
– Home Office compliance monitoring has tightened; irregular activity tied to your licence can trigger closer checks, case plans, or even suspension while the facts are investigated.
– Prompt reporting, clear documentation, and proof of remedial steps can help demonstrate good governance.

Outlook and wider advice

Given the early-August uptick and the financial incentives for criminals, further activity is likely. Expect:

  • new lure copy,
  • fresh domains,
  • more redirect chains.

Sponsors should keep monitoring the SMS message board and AMP for Home Office updates on authentication or messaging. Security vendors are rolling out detections—coordinate with your provider to ingest indicators and tactics reported by Mimecast and the trade press.

For migrants and recruitment partners:
– Verify job offers carefully.
– Treat requests for large up-front fees or CoS entries that cannot be confirmed by normal checks as a warning.
– Employers should warn recruits and agencies that the SMS campaign is active and explain how genuine hiring works under UK rules.

The bigger picture is clear: with the Home Office’s verification rules, improved email security, and tight user management, sponsors can materially reduce risk and respond quickly when something looks wrong.

Learn Today
Sponsorship Management System (SMS) → UK government portal where sponsors manage licences, assign Certificates of Sponsorship, and track sponsored migrants.
Certificate of Sponsorship (CoS) → Electronic document sponsors assign to migrants enabling visa applications for specific sponsored roles or courses.
Level 1/Level 2 users → SMS user permission tiers: Level 1 has full licence control; Level 2 supports administrative sponsorship tasks.
CAPTCHA-gated redirect → A redirection step using CAPTCHA to bypass automated scanners and present cloned login pages to humans.
Lookalike-domain detection → Security control flagging domains visually or textually similar to legitimate government or corporate domains.

This Article in a Nutshell

A rising 2025 phishing campaign impersonates the Home Office, targeting the Sponsorship Management System. Sponsors must verify messages, enforce strong passwords, monitor CoS activity, and report compromises immediately to protect migrants and organisational compliance from fraudulent CoS issuance and costly extortion schemes.

— VisaVerge.com

Oliver Mercer

As the Chief Editor at VisaVerge.com, Oliver Mercer is instrumental in steering the website's focus on immigration, visa, and travel news. His role encompasses curating and editing content, guiding a team of writers, and ensuring factual accuracy and relevance in every article. Under Oliver's leadership, VisaVerge.com has become a go-to source for clear, comprehensive, and up-to-date information, helping readers navigate the complexities of global immigration and travel with confidence and ease.
