PanicStation.org
UK USA
uk Work & employment crises urgent passport scan request • asked to email id scan • hr wants passport copy • insecure channel id request • hiring paperwork time pressure • right to work check panic • share code instead of scan • employer checking service option • id documents over whatsapp • identity theft prevention step • recruiter asks for passport • onboarding document request • suspicious hr email request • send passport via sms • photo of passport request • job offer document verification • data protection at work • verify requester identity

What to do if…
you are asked to send passport or ID scans over an insecure channel urgently

Short answer

Pause and verify the request using a trusted route, then offer a safer alternative (secure upload, a compliant right to work check route, or in-person/physical original document checking) instead of sending scans over an insecure channel.

Do not do these things

  • Don’t send passport/ID scans to a personal email address, unknown mobile number, or a link you can’t verify.
  • Don’t let “urgent” pressure you into bypassing your employer’s normal HR/IT process.
  • Don’t assume a scan is acceptable for a manual right to work check — it isn’t.
  • Don’t send extra documents “just in case” (eg bank statement, NI letter, full passport plus driving licence).
  • Don’t share the scan in the email body or as an unprotected attachment.
  • Don’t keep forwarding the same scan to multiple people because “someone else asked”.

What to do now

  1. Stop and confirm who is asking. Reply briefly: “I can provide what you need, but not over an insecure channel. Please confirm the secure method.” Then verify independently by calling HR/onboarding using the company directory or a known HR number (not the one in the message).
  2. Ask what the check is actually for. Ask: “Is this for a right to work check, or a general onboarding ID check?” Then ask what exact document is needed, who will access it, and how long it will be kept.
  3. If this is right to work, offer the compliant route instead of emailing scans.
    • If you’re eligible for the online right to work service: offer to provide a share code (your employer checks it online).
    • If you can’t use the online service / don’t have a share code: ask HR to use the Employer Checking Service (where appropriate) rather than asking you to email scans.
    • If you’re a British or Irish citizen with a valid passport: ask whether they will do a digital right to work check using a Digital Verification Service (DVS), or a manual check.
  4. Be clear about the manual-check rule (this protects you). For a manual right to work check, the employer must be in physical possession of the original documents. They cannot rely on inspection via a live video link of a scanned/faxed copy. If needed, offer one of these safer options:
    • Bring the original to HR for them to check and copy, or
    • If you’re remote, ask HR whether you can post the original to HR (tracked/signed-for) so they can hold it while you do any live video identity matching, or
    • Use an employer-approved DVS route if you don’t want to send originals by post.
  5. Insist on a secure transfer method for any copies they genuinely need. Ask for a verified HR portal / secure upload or an IT-approved secure document process (and double-check the domain/owner before uploading).
  6. If you must send a file today, reduce the risk (only after verification).
    • Put the scan in a password-protected encrypted file (eg encrypted PDF/ZIP).
    • Send the password via a different channel (eg read it over the phone to HR on a known number).
    • Send only what’s requested, to a verified work address.
  7. Make a quick record. Save the request and your reply. Note what you sent, to whom, and how (date/time).
  8. If you already sent it insecurely, act quickly but calmly.
    • Tell HR and your IT/security team that personal ID was sent insecurely and ask them to restrict access and confirm deletion.
    • Treat any follow-up request for more documents, money, or “fees” as a red flag until independently verified.

What can wait

  • You don’t need to decide right now whether to escalate externally; first contain it by switching to verified HR contacts and a secure method.
  • You don’t need to send “backup” IDs today unless HR confirms they’re required for a specific, named process.
  • You don’t need to argue with the sender; it’s enough to move the request onto the proper channel.

Important reassurance

It’s normal to feel pressured when someone implies your start date depends on “sending it now”. Legitimate employers can complete right to work checks without you taking data-security risks — pressure is a reason to slow down.

Scope note

These are first steps to prevent irreversible mistakes (identity fraud/data leakage) while keeping onboarding moving. Later, if anything was mis-sent or mishandled, your organisation’s data protection/security contacts may need to follow their incident process.

Important note

This guide is general information, not legal advice. Employer processes vary; when unsure, prioritise verified contacts, compliant right-to-work routes, and secure transfer methods.

Additional Resources
Support us