Overview
- Attackers mimic official Home Office emails and use CAPTCHA-gated URLs to redirect users to near-identical fake Sponsorship Management System login pages.
- Hijacked credentials are sold on dark web forums and used to issue fake Certificates of Sponsorship, to enable visa scams that have cost some migrants up to £20,000, and to extort organisations.
- Email volumes rose sharply in early August, with Mimecast logging about 2,500 phishing messages in the first six days of the month.
- The UK Home Office warned sponsor licence holders in July, and Mimecast has activated detection and blocking rules for its email security customers.
- Organisations are urged to enforce multifactor authentication, implement URL rewriting and sandboxing, rotate credentials and strengthen phishing-awareness training.
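The lure described above relies on a near-identical login page sitting on a lookalike hostname. As an added example (not code from the article, Mimecast or the Home Office), the script below shows the kind of mail-gateway check a defender can run over extracted URLs: it allowlists the legitimate portal host, folds common digit-for-letter substitutions, measures edit distance to catch typosquats, and flags hosts that borrow brand words without being on the allowlist. The legitimate hostname, the brand tokens, the distance threshold and the sample email are all constructed assumptions; the real Sponsorship Management System hostname is not given on the page and must be substituted before use.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder for the legitimate portal host (assumption; not the
# Home Office's real hostname). Replace with the organisation's verified value.
LEGITIMATE_HOSTS = {"sponsor-portal.example.gov.uk"}

# Brand words whose presence in an unknown host warrants a closer look (assumption).
BRAND_TOKENS = ("homeoffice", "sponsor", "ukvi")

# Maximum edit distance at which a host is treated as a typosquat (assumption).
LOOKALIKE_THRESHOLD = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Digit-for-letter substitutions that are visually confusable in a hostname.
CONFUSABLES = str.maketrans({"0": "o", "1": "l"})


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return one of: allowlisted, lookalike, brand-abuse, unknown, malformed."""
    host = urlparse(url).hostname
    if not host:
        return "malformed"
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in LEGITIMATE_HOSTS:
        return "allowlisted"
    folded = host.translate(CONFUSABLES)
    for legit in LEGITIMATE_HOSTS:
        if folded == legit or levenshtein(folded, legit) <= LOOKALIKE_THRESHOLD:
            return "lookalike"
    if any(token in host for token in BRAND_TOKENS):
        return "brand-abuse"
    return "unknown"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Extract every URL from an email body and pair it with its verdict."""
    return [(m.group(0), classify_url(m.group(0))) for m in URL_RE.finditer(body)]


# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = (
    "Dear Sponsor, your Sponsorship Management System account requires action.\n"
    "Verify here: https://sponsor-portal.example.gov.uk/login\n"
    "Or use: https://sponsor-portal.examp1e.gov.uk/login\n"
    "Alternatively: https://homeoffice-sponsor-verify.example.net/captcha?next=login\n"
    "Unsubscribe: https://newsletter.example.org/unsub\n"
)

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:12s} {url}")
```

Anything other than `allowlisted` is a candidate for the URL rewriting and sandboxing the article recommends: rewrite the link to a click-time scanner rather than delivering it verbatim, and treat `lookalike` and `brand-abuse` verdicts as quarantine triggers. The edit-distance check deliberately runs on the confusable-folded host so that `examp1e` is caught as a variant of `example` even though the raw strings differ.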