Scam alert: copycat Which? website taken down

Impersonation scammers masqueraded as Which? to phish for people's details

A fake Which? website featuring a bogus article about the best debit cards to use in 2025 was set up by scammers looking to steal contact details. 

Which? is no stranger to impersonation attempts – we’ve seen fake emails sent to colleagues purporting to be from our CEO Anabel Hoult, bogus Which? Best Buy badges created by rogue businesses and phishing scams claiming to offer the chance to win a £500 gift voucher from ‘the Consumers’ Association’. 

Big banks, popular shopping brands and delivery companies are more common targets, though any brand can be a target. Which? caught this one early as none of the links worked, but the website looked set to steal sensitive data, including email addresses and phone numbers.

Read on to find out more about this Which? impersonation scam and how to spot a copycat website.


Copycat Which? website 

This fake website attempted to mimic a Which? article about debit cards. The website was created in mid-July 2025 and quickly taken down by the National Cyber Security Centre (NCSC) when we reported it a few weeks later. 

We're not entirely sure what these scammers intended, because none of the links worked and, although it featured a 'registration feedback form' asking for names, email addresses and phone numbers, this form didn't work when we inspected it. We suspect it was discovered before the creators had time to finish setting it up.

This type of personal data can be very useful to a scammer, as they can send victims more personalised phishing messages and perhaps attempt to use their details to bypass certain security measures. 

Screenshot of copycat website intended to impersonate Which?

How to spot a Which? impersonator 

The correct web address for Which? is which.co.uk, including our subdomains such as computing.which.co.uk. We also list genuine Which? email addresses on our Which? Member FAQs.

But scammers hope victims don’t look too closely at the actual email or web address (which can be tricky to see on some devices), so caution is your strongest defence. 

Be on guard for unusual messages or requests, even if they seem to come from friends, relatives or colleagues at first glance. Contact the individual or business directly, either in person or via a trusted phone number, to make sure it was really them.

Steer clear of any adverts you spot online, as scammers can pay to appear at the top of your social media feeds or search engine results. Which? investigators spot malicious adverts on a horrifyingly regular basis, so your safest bet is to avoid them entirely.

It's also a good idea to use a free domain checker, such as ICANN Lookup, to see when any given website was first created (the genuine Which? website was created in July 1995). If a website has been created recently, it could be a sign of a scam.
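The two checks described above, as a short Python sketch: the address must be which.co.uk or one of its subdomains, and a recently created domain is a warning sign. This is an added example, not Which? code; the function names, the 90-day threshold and the sample addresses and dates are assumptions, and the creation date is passed in (as read from a domain lookup) rather than fetched.

```python
from datetime import date
from urllib.parse import urlsplit

GENUINE_DOMAIN = "which.co.uk"   # genuine address given in the article
RECENT_DAYS = 90                 # assumed threshold for "created recently"


def hostname_of(url: str) -> str:
    """Return the lowercased hostname a browser would connect to ('' if unparseable)."""
    if "://" not in url:
        url = "https://" + url   # accept bare addresses such as which.co.uk/money
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def is_genuine_address(url: str) -> bool:
    """True only for which.co.uk itself or a subdomain ending in .which.co.uk."""
    host = hostname_of(url)
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)


def is_recently_created(created: date, today: date) -> bool:
    """True when the registration date (from a domain lookup) is under RECENT_DAYS old."""
    return (today - created).days < RECENT_DAYS


def warning_signs(url: str, created: date, today: date) -> list[str]:
    """Collect the warning signs the two checks raise for one address."""
    signs = []
    if not is_genuine_address(url):
        signs.append(f"host '{hostname_of(url)}' is not {GENUINE_DOMAIN} or a subdomain")
    if is_recently_created(created, today):
        signs.append(f"domain is only {(today - created).days} days old")
    return signs


if __name__ == "__main__":
    today = date(2025, 8, 5)     # constructed "today"
    samples = [                  # constructed addresses and creation dates
        ("https://computing.which.co.uk/hc", date(1995, 7, 1)),
        ("https://which.co.uk.example.test/debit-cards", date(2025, 7, 15)),
        ("https://which.co.uk@example.test/", date(2025, 7, 15)),
    ]
    for url, created in samples:
        print(url, "->", warning_signs(url, created, today) or "no warning signs")
```

The second and third samples both contain the text "which.co.uk" yet resolve to a different host, which is why the check compares the end of the parsed hostname instead of searching the address for the brand name.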

Explanation of the Which? web address including subdomain

Which? banking expert Chiara Cavaglieri

'It was rather confronting to see my own name on a fake Which? website, the first time in 10 years of writing about scams. A clever copycat website stole our branding and featured a fake article about debit cards, apparently written by yours truly. 

'We work with a brand protection partner to detect unauthorised use of our logo and brand name. So, thankfully, this was spotted within a couple of weeks of being created and taken down by the NCSC soon after. We think we caught it just in time (none of the links worked and a ‘registration form’ created to steal contact details only gave an error message when completed). 

'But the uncomfortable truth is that fraudsters can mimic any website they want with shocking ease. Phishing kits are sold, traded and even given away online, complete with instruction manuals to help scammers mimic their chosen brand. I once watched an ethical hacker create a highly convincing fake John Lewis website in less than five minutes, but artificial intelligence (AI) has made life even easier for cyber criminals.'

You can report scam emails, texts and websites to the NCSC. As of June 2025, it has removed 225k scams across 405,000 suspicious websites.

Which? calls for action on fraud

Criminals often encourage people to visit fake websites through ads plastered across search engines, social media sites or other smaller platforms that are less well-regulated. 

While the Online Safety Act will crack down on fraudulent advertising on major platforms like Google and Instagram, the government has failed to announce a plan to combat scam ads on websites that sit outside the Act's scope. 

The government is working on a new Fraud Strategy, which should set out a range of ambitious initiatives to reduce online fraud. It’s key that this includes legislation to regulate the digital advertising ecosystem, including the open display market, to stop criminals using it to target and defraud victims.