If you have ever received an email that looks like it's from UKVI, the Home Office or a "visa processing service" asking you to log in, verify your account, or pay a fee, you are not alone. Several of our customers have flagged near-identical messages over the last few months. This guide explains what these scams look like, what to do if you receive one, and how to keep your Sponsor Management System (SMS) account safe.
Why sponsor licence holders are being targeted
Once a business is issued a sponsor licence, its company name and Level 1 user details become discoverable through public registers and recruitment websites. Scammers use that information to send convincing emails that try to trick a Level 1 user into handing over SMS credentials, paying a fake fee, or downloading a malicious attachment. If a scammer gains access to your SMS account they can potentially issue or amend Certificates of Sponsorship in your name, which is a serious compliance risk.
This is happening to legitimate, fully-licensed sponsors. Receiving a phishing email is not a sign that anything is wrong with your licence, and it does not mean UKVI is contacting you.
What the scam emails look like
The subject lines we have seen sent to Borderless customers include:
"UKVI Immigration Casework Reachable for you Ref: [random alphanumeric string]"
"UKVI Immigration Support available for you Ref: [random alphanumeric string]"
"UKVI System Notifications available for you Ref: [random alphanumeric string]"
"UKVI Secure Mail available for you Ref: [random alphanumeric string]"
"Sponsor Management System Notification"
"Sponsorship Service Notification [Your Company Name]"
"SMS EMAIL from Home Office"
The body usually says something like "a notification is available for you" or "an update has been posted to your sponsor account" and includes a button or link to "log in" or "view your message". Some come with a PDF attachment titled along the lines of "info_UK Visas_Immigration.pdf" which can carry malware or open a fake login page.
Red flags to watch for
The Home Office, UKVI and the Sponsor Management System will never:
Email you a clickable login link to enter your SMS username and password
Ask you to "verify" or "reactivate" your SMS account by replying with credentials
Ask you to pay a fee through a link in an email rather than through the SMS or the GOV.UK pay service
Send a message with a long random reference string in the subject line
Other common red flags in these scam messages:
The sender domain is not @homeoffice.gov.uk or @digital.homeoffice.gov.uk. Look at the full address, not just the display name.
The email creates urgency ("respond within 24 hours", "your sponsor account is at risk").
The greeting is generic ("Dear Sponsor", "Dear Customer") rather than addressed to your Level 1 user by name.
Spelling, grammar, or formatting that feels slightly off compared to genuine GOV.UK correspondence.
Attachments your email provider flags with "possible virus on download".
What to do if you receive one
Do not click any link or open any attachment. Do not reply to the email.
Mark it as junk or spam in your email client so future messages from that sender are filtered.
Forward the email to [email protected]. This is the National Cyber Security Centre's Suspicious Email Reporting Service. Reports help take down fake websites and protect other businesses.
Forward it to the Home Office Business Helpdesk at [email protected] so the team is aware that sponsors are being targeted.
Let your CSM at Borderless know via support chat or email. We keep a running record of phishing patterns so we can warn other sponsors quickly.
What to do if you have already clicked a link or entered details
Take action quickly, but do not panic. The Home Office and Borderless will help you through the next steps.
Change your SMS password immediately through the official Sponsor Management System login page (https://pcs-sms.ukba.homeoffice.gov.uk). Do not use any link from the suspicious email.
Change the password on the email account that received the phishing email, especially if you used the same password elsewhere.
Notify your internal IT or security team so they can scan affected devices and check for any further compromise.
Report the incident to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2040.
Tell your Borderless CSM. We can help you check your SMS account for unexpected activity, review recent CoS assignments, and contact UKVI on your behalf if anything looks wrong.
Keeping your SMS account safe day-to-day
Use a strong, unique password for the SMS that is not used anywhere else.
Limit the number of Level 1 users on your account to people who genuinely need that level of access.
Review the user list inside the SMS regularly and remove anyone who has left the business.
If you have added Borderless as a Level 1 user or Representative, you can see exactly which actions we are taking on your behalf in the platform's activity feed, which makes unusual activity easier to spot.
How Borderless will contact you
Genuine emails from us come from an @getborderless.co.uk address. We will never ask you for your SMS password, and we will never ask you to log in to the SMS through a link in an email. If you ever want to verify whether a message claiming to be from Borderless is genuine, log in to your account and message us through the in-app support chat, or email [email protected].
Quick reference
Suspicious email? Forward it to:
[email protected] (NCSC reporting service)
[email protected] (Home Office Business Helpdesk)
Already clicked or entered details?
Change your SMS password through pcs-sms.ukba.homeoffice.gov.uk
Tell your IT team and your Borderless CSM
Report to Action Fraud on 0300 123 2040
If you are ever unsure whether a message is real, send it to your CSM before acting on it. We would much rather check a legitimate email for you than have to clean up after a successful scam.