Which? Market Research Email Mistaken For Phishing Scam

A recent market research email sent on behalf of consumer group Which? was mistaken for a phishing attempt.

The confusion was caused by them unexpectedly passing customer details to market research group Bonamy Finch, who sent out emails on behalf of Which?


Phishing is where scammers send you an email to try and persuade you to part with personal data, banking details, etc. that they can use to steal your identity or defraud you.

Often they will pretend to be from your bank, a company you do business with, or an official organisation such as HMRC or the police.

In fact Which? warns the public to be suspicious of unexpected emails.  Here is their advice on how to spot a phishing scam.

What Caused Confusion?

The confusion was caused by Bonamy Finch – a company probably previously unknown to many Which? customers – emailing out of the blue.

Which? could have avoided this confusion by contacting their subscribers to let them know to expect an email from Bonamy Finch.

Question of Consent

Which? could also have actively sought consent for customer data to be passed to a third party for market research, either by getting subscribers to check a consent box at sign-up or approaching them at a later date.

They are not legally obliged to do so, as general consent is given by subscribers agreeing to their privacy policy.  But rather than assuming their customers’ consent, it would have been best practice to actively seek it.

Their failure to do shows a surprising lack of transparency from a consumer group that calls for other organisations to act transparently, for example their campaign for active consent for direct marketing.

Reasonable Expectation

This really comes down to a question of reasonable expectation.  Anyone who read the Privacy Policy would understand that there are situations where their data may be passed to a third party.  Examples where this would be reasonable are:

  • For the monthly Which? magazine to be distributed.
  • As a result of the customer contacting Which? to ask, for example, for legal assistance.

It seems less reasonable for your data to be passed on for market research purposes.

The Good Guys Made a Bad Decision

I do not want to disproportionately criticise Which?  They carry out some excellent work that protect consumers and highlights & tackles bad practice by a range of organisations.

It just seems that in passing data to Bonamy Finch without active consent and compounding that by not alerting their customers to expect the email, they made a poor decision and failed to follow best practice.

This is not the first time Which? has been caught acting in an unexpected manner.  Earlier this year Radio 4 consumer programme You and Yours highlighted how people were inadvertently signing up to an on-going subscription to Which? (now at £10.75 per month) when they thought they were only agreeing to a 1-month trial for £1.  Which? has since made this much clearer in their sign-up process.