International travelers targeted in immigration-themed phishing campaign


A sophisticated phishing campaign that first targeted travelers heading to Singapore has expanded to exploit those traveling to other nations, including the United Kingdom and Malaysia.

According to a new research report by email security firm Cofense, the threat actors behind the attacks are targeting individuals trying to navigate those nations’ immigration systems before arriving at their destination.

Specifically, researchers say the social engineering campaign is exploiting the online submission process for immigration arrival cards, which users must complete before entering a country.

The scam, initially detected in September 2023 targeting travelers to Singapore, has been aimed at high-level executives.

How it Works

The scam is said to be especially effective during peak travel seasons (and given the current political climate in the US), when people are more likely to act quickly without verifying legitimacy.

Preying on the traveler's sense of urgency and unfamiliarity with immigration procedures – typical social engineering tactics – researchers say the scam begins with a phishing email “notifying the victim about the status of their arrival card and the urgent action they need to take.”

The attackers, who have already created fake immigration portals identical to the destination country’s official government websites, use the spoofed email to entice the victim to click on a link that redirects them to the fake government domains.

Cofense immigration phishing scam emails
Examples of phishing emails notifying the user about the status of their arrival card. Both emails use authoritative-sounding wording to invoke urgency, such as “arrival card or document is required.” Images by Cofense.

Using “fear-inducing language,” the fake "immigration" site then pressures the victim to “act immediately by threatening denied entry to the visiting country due to non-compliance,” the research found.

The sites continue to trick the user into entering sensitive personal and financial information, including credit card numbers, under the false pretenses of a required payment for processing their immigration arrival card.

Once a victim inputs their information, their personal data is “immediately harvested and exfiltrated to attacker-controlled servers in real-time,” researchers said.

Cofense warns that the stolen data can be sold on dark web markets, used for fraudulent transactions, or leveraged in follow-up attacks, such as identity theft.

Attackers using sophisticated tactics

Cofense researchers say they discovered fake websites depicting both the Immigration & Checkpoints Authority (ICA) of Singapore and the Malaysian Immigration Department.

The research found the websites are meticulously designed, featuring government logos, authentic-looking forms, navigation menus, and legitimate-looking payment gateways that are nearly identical to those nations' actual immigration portals.

Cofense immigration phishing scam payment form
Attackers create credential phishing pages that include an “Edit” option to give them more legitimacy. Images by Cofense.

The attackers were also said to continuously update the fraudulent portals in order to match any changes made on the official government pages, further enhancing their credibility.

Even more deceptive, “several parts in the fake immigration portals are already auto-filled with Personally Identifiable Information (PII) [which users can actually edit] making the page seem even more legitimate,” Cofense said.

For example, some of the partially pre-filled forms show the victim’s email address, mobile phone number, passport numbers, and even dates of arrival to the destination country already populated.

Cofense immigration phishing scam prepopulated forms
Attackers use pre-populated forms exposing the victim’s sensitive personal information, including first/last name, date of birth, country of birth, passport number, email, mobile number, and arrival date in Singapore. Images by Cofense.

The researchers say that some of this information has been confirmed as legitimate, suggesting that hackers may be purchasing stolen personal data, such as passport details, from the dark web.

Reports of past data breaches, including leaks of Philippines passport data, support this theory, researchers said.

Protecting Yourself

As phishing tactics become more advanced, staying vigilant is crucial.

“The dual exploitation of personal information and financial data makes this campaign particularly dangerous for victims,” Cofense says.

To avoid falling victim to this or similar immigration entry phishing scams:

  • Always verify immigration-related websites by checking the official government domain.
  • Be wary of urgent emails demanding immediate action, especially those requesting payment.
  • Never enter personal or financial information on sites you haven’t independently verified.
  • Use cybersecurity tools such as browser extensions that flag malicious sites.
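
The first check in the list above can be automated for links found in an arrival-card email. The sketch below is an added example, not code from Cofense or from this article: the official domain list is an assumption to confirm against each government's own published address, and every sample URL is constructed.

```python
from urllib.parse import urlsplit

# Assumed official registrable domains (not listed in the article); confirm
# each against the government's own published address before relying on it.
OFFICIAL_DOMAINS = ("ica.gov.sg", "imi.gov.my", "gov.uk")


def check_link(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, reason) for a link found in an arrival-card email."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ("reject", "malformed URL")
    if parts.scheme != "https":
        return ("reject", "not HTTPS")
    if "@" in parts.netloc:
        # Text before '@' is userinfo; the browser connects to what follows.
        return ("reject", "userinfo before the real host")
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return ("reject", "internationalised (possible homoglyph) host")
    for domain in official:
        # Exact match or a true subdomain; the leading dot is what matters.
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    flattened = host.replace("-", ".")
    for domain in official:
        if domain in flattened:
            return ("reject", "official name embedded in another domain")
    return ("reject", "not on the official list")


# Constructed sample links (reserved .example names, not real indicators).
SAMPLES = (
    "https://eservices.ica.gov.sg/sgarrivalcard/",
    "https://ica.gov.sg.arrival-card.example/pay",
    "https://ica-gov-sg.example/",
    "https://www.ica.gov.sg@pay.example/",
    "http://www.imi.gov.my/",
    "https://notgov.uk/visa",
)

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```

Only the registrable domain at the end of the host name counts; an official name appearing earlier in the host, before an `@`, or joined with hyphens does not make the link official.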

As cybercriminals are constantly adapting, travelers must do the same when it comes to protecting their information.
