UKVI has warned sponsors about phishing emails that mimic official Home Office communications and the Sponsorship Management System (SMS) login page. The goal of these scams is to capture user credentials and assign Certificates of Sponsorship (CoS) without authority. This update explains what to watch for and the practical steps to secure your account and data.
SMS Scam Alert
UKVI has issued an email to all sponsor licence holders warning of phishing scams. It says that emails are circulating that appear to be from the Home Office, with common themes including: warnings about compliance action or suspension unless you log in; instructions to update SMS account details; or to reconcile a duplicate CoS.
These scam messages contain links to fake pages that copy the SMS login screen to harvest usernames and passwords.
Targets include shared inboxes listed on company websites and personal work emails.
Some organisations have also seen a spike in spam to obscure genuine CoS payment notifications.
UKVI Advice: Immediate Checks to Perform
Always access the SMS through GOV.UK, and not through email links. You can do this by searching “GOV.UK”, opening the homepage, searching “UK visa sponsorship management system”, selecting the official page, then clicking Start now to log in. These steps are UKVI’s guidance and should be followed every time you access SMS.
The following checks are taken directly from UKVI’s email alert to sponsor licence holders. UKVI advises these to be completed as soon as possible to detect and mitigate any unauthorised activity:
- Log in to the SMS using the secure route through GOV.UK, then review: Manage Level 1 and 2 users (contact details unchanged), Licence Summary (Authorising Officer and Key Contact correct), Request changes to licence details > View recent and outstanding change requests, Request renewal of annual CoS/CAS allocations and Request CoS/CAS allocation increase.
- Skilled Worker sponsors: check Workers > Defined CoS for recently submitted, granted or withdrawn requests.
- All other work routes: check Workers > View CoS for recently assigned CoS.
- Withdraw any suspicious requests or CoS where the function is available.
- Use Change password to set a new, long, unique password for every SMS user.
UKVI advises repeating these checks at least monthly, led by a Level 1 User, and recording the date, user, findings and any actions taken.
If you spot anything irregular, such as unexpected user changes, unexplained requests or CoS activity, stop using any email links, change passwords, withdraw unauthorised items where possible and follow the steps in the Reporting a suspected compromise section below.
If you clicked a suspicious link or entered credentials
The steps below are taken directly from UKVI’s email alert. They represent UKVI’s prescribed actions and are reproduced here for clarity. Follow them immediately if there is any chance your details were entered on a fake SMS page.
- Reset your SMS password immediately via the secure access route set out above (navigate through GOV.UK, do not use email links).
- Complete the checks listed in Section 2 and withdraw any unauthorised requests or CoS where that option is available.
After resetting passwords and withdrawing items, alert all Level 1 and Level 2 Users to change their passwords and pause any non-urgent CoS activity until your review is complete.
Reporting a suspected compromise
UKVI’s email sets out the following reporting process. Use the subject line “SMS Account Compromise” and include: your organisation name and sponsor licence number, the user(s) affected, copies of the phishing email(s), whether links were clicked and when, whether passwords were changed, and details of any suspicious SMS activity with actions taken.
- Employers: businesshelpdesk@homeoffice.gov.uk
- Educators: Studyengagementteam@homeoffice.gov.uk
Where UKVI confirms a compromise, they may deactivate affected users and provide reactivation steps, cancel CoS issued without authority, and take appropriate action regarding any visa applications linked to those CoS.
Keep a simple incident log capturing dates, who reported, what was found, and remedial steps. This supports any UKVI follow-up and strengthens your sponsor compliance record.
SMS Best Practices
UKVI’s security advice is simple: do not use links in emails to access SMS. Always reach the system through GOV.UK, by searching “GOV.UK”, opening the homepage, searching “UK visa sponsorship management system”, selecting the official page, then clicking Start now to log in. These steps are UKVI’s guidance and should be followed every time you access SMS.
UKVI also confirms it will only send sponsor-licence communications to the email address(es) listed for your nominated key personnel.
Any message that asks you to “verify” credentials or urgently “log in to avoid suspension” should be treated as suspicious.
Beyond that, apply standard good practice. Do not share SMS usernames or passwords and avoid password reuse across licences or systems.
Use long, unique passwords for each user.
Deactivate Level 1 and Level 2 Users as soon as they leave or change role, and keep licence contacts, telephone numbers and email addresses current.
Keep at least one, and preferably two, active Level 1 Users to preserve operational continuity.
If you suspect a compromise, change all SMS user passwords immediately and alert all Level 1 and Level 2 Users to do the same.
For broader cyber hygiene, see the Government’s guidance at Cyber security guidance for business (GOV.UK), and report suspected scams to Action Fraud via Report visa and immigration scams (GOV.UK), or contact us for advice on sponsor licence and SMS management tailored to your organisation.
DMS Perspective
The operational impact of a phishing scam is immediate, from unauthorised CoS activity to potential licence scrutiny. While phishing remains a common route to SMS breaches, steps can (and should) be taken to reduce the risk.
Training for SMS users should be non-negotiable. The Home Office SMS guidance is dense and far from user-friendly, but there is no excuse or allowance for avoidable errors. Our Level 1 and Level 2 User training provides practical, scenario-based guidance on how your users access, operate and manage the SMS to mitigate compliance and security risks.
Secure SMS management is a core sponsor compliance control. Good security is mostly process, and organisations that treat SMS access like any other critical system, with clear ownership and basic discipline, reduce risk dramatically and are able to demonstrate to the Home Office that the licence is being managed with appropriate governance.
Need Assistance?
If you want confidence that your sponsor licence is protected and your team is doing the right thing every time, we can help. We work with sponsor licence holders to support with day-to-day licence management through the SMS, through to regular compliance auditing and training programmes:
- Immigration audit. A focused review that tests your SMS controls, user permissions, recent CoS activity, record-keeping against Appendix D and incident readiness. You get a clear risk report with priority fixes and an action plan your team can implement immediately.
- SMS user training. Role-based sessions for Level 1 and Level 2 Users that cut through the dense Home Office guidance. We teach the secure access protocol, red-flag spotting, monthly housekeeping checks and the compromise playbook. Delivered live with scenarios and take-away checklists so users build muscle memory.
- Sponsor licence management. Ongoing Level 1 support, monthly licence housekeeping, defined CoS handling, change requests, allocation management and renewal diary control. We monitor for anomalies and act fast if something looks wrong, with an incident log ready for UKVI.
If you would like to discuss an immigration audit, to book SMS training or to discuss support with your sponsor licence management, contact us.
