For more than a year, I have been plagued by cold calls and spam emails. Like most people, I usually just hang up on nuisance callers. But these weren’t just dodgy salesman or scammers trying their luck.
Many were calling from reputable energy firms, and one was even a major charity. Yet I’d never been a customer and certainly hadn’t signed up for sales calls.
So how on earth had they got my mobile number — and why did they think they had permission to call me?
Money Mail editor Victoria Bischoff has been plagued by unwanted sales calls for more than a year (file picture)
Someone must be handing out my contact details — no doubt for a tidy profit — and I wanted to know who.
On the trail of the mystery phone pests
It began with a phone call from Scottish Power while on holiday in Devon in October 2020. Surprised to receive a cold call on my mobile, I asked the salesman how he had got my number. But he refused to say and my request for a callback from a manager was ignored.
I might have let it go, but around the same time I was also being bombarded with spam emails from a host of companies I’d never heard of. One firm, Job Crown, sent 11 emails in just three days.
Many had an old postcode in the subject line along with phrases such as ‘urgent employment or ‘applicants requested’.
Another firm, called Super Savvy Me, sent 19 emails — 11 of which were reminding me to confirm my password. Yet I had never heard of the firm nor opened an account.
Something fishy was going on, so I asked each company how they had got my email address. Under data protection laws — General Data Protection Regulation or GDPR — you are entitled to know what data companies hold on you and where they got it from.
You can request this information by making a so-called ‘subject access request’. But getting answers is far from easy. And I soon found myself down a rabbit hole.
Take Job Crown, for example. It claimed to have got my email address from a company called Prize Reactor, who in turn said it had received my details from its partner site, The Secret For You.
From there, I was directed to the site owner, Response Concepts — which then pointed me to data collector, Green Flamingo.
Is your head spinning yet?
When Green Flamingo eventually handed over all the data it held on me, it was clear something was amiss. It claimed I had participated in two contests organised for a website called The Secret For You — which seems to be an online clothes store.
One on October 9 at 5.20am and another on October 21 at 19.56. There was the first clue that it wasn’t me.
There is no way on earth I’d be awake at 5.20am, let alone messing about on my phone or computer.
The firm also provided two different dates of birth for me — neither of which was close to accurate.
And the postcode given was more than a decade out of date. Plus I’d never lived at the house number on record.
Green Flamingo also supplied two IP addresses, 12-digit codes that identify what device was used to access the internet. After Googling ‘What is my IP address’, I found neither matched my own.
So, of all the data it held, only my name, email address and mobile phone number were correct.
It was clear someone else had entered my details into the website — but who?
And why was this website permitted to share my contact information with whoever it fancied?
Uncovering a tangled web
Green Flamingo said that by providing my data I had also given consent for it to be used for marketing purposes and to be contacted by third parties — which is where Scottish Power came back into the picture.
It turns out the energy giant had also sourced my details from the website The Secret For You.
Scottish Power said it contracts data firms to provide ‘leads’ that give it permission to contact people about its services.
These leads are generated when a person has visited a particular website.
It pointed me to Response Concepts, which describes itself as ‘a lead generation agency that acquires opt-in data on behalf of its clients from data collection companies’ — such as Green Flamingo.
A spokesman suggested that someone else had used my information to sign up to these websites.
A check on the website, Have I Been Pwned, which tells you if your details have been leaked, shows that my email address has been involved in 11 separate data breaches. So it wouldn’t be difficult for someone to find.
I’m not suggesting any of the firms named here are the guilty party. But it does raise concerns as to what checks are carried out to ensure data is accurate and legally obtained before being sold on.
Know your rights: Under data protection laws you are entitled to know what data companies hold on you and where they got it from
Going round in circles
Meanwhile, I’d also gone to battle with another energy firm, Utilita, after receiving a call out of the blue in January.
After some back and forth, I received a call from a very friendly man called Ian who works for a firm called Lead365 — which is the data processor responsible for delivering information to Utilita.
Ironically, to find out how the energy firm had come to get my personal details, I had to pass strict privacy checks.
But as they, too, had the wrong date of birth and an out-of-date address, this involved a frustrating guessing game.
It turns out Utilita had also gathered my information from a number of websites — including, you guessed it, The Secret For You, along with another called ‘hnm.uk-freebies.com’.
Ian said he thought it was most likely that an automated ‘bot’ had scraped information from social media sites to fill in the gaps needed to create a full data profile.
It may have then merged this with correct information, including my phone number and email address, which was why some details were old or wrong.
He added it was unlikely someone was doing it to make money as they would only be paid ‘fractions of pennies’ for selling this type of data.
By now, more calls were flooding in and I was also receiving endless emails from a firm called CashbackDiscount — most of which are addressed to someone called Sean Shaw.
Yet despite explaining that is not my name and I did not sign up, I continued to receive emails for weeks after alerting the firm.
Pretending to be me, but who?
The call from Octopus Energy was perhaps the most baffling.
The firm said my contact details had been provided by a lead agency called Choose Leads, which claimed I had entered an online competition to win a Kitchen Aid gadget on February 23.
I was also told someone had used an Associated Newspapers IP address to access the website, ‘Quiztionnaire’.
Yet a quick call to our IT department revealed the IP address was definitely not one of ours. Experts tell me IP addresses can be ‘spoofed’, so any computer could have been used to access the website.
Plus, I was in bed that day recovering from Covid, so wasn’t using a work computer to enter online competitions. The date of birth and address registered on the site were also incorrect.
It later emerged a mistake had been made. Octopus said that my details had in fact been entered in a competition to win £500 of North Face vouchers run by data controller Qubiq on February 23.
Further checks revealed the data had been inputted manually rather by a computer bot — which would mean someone is masquerading as me. But who?
I had also received a call from Diabetes UK around the same time. The charity said it had been given my details by a lead generator Membrain, which had sourced them from a competition website at 3.18am (!) on the same date.
Why are these major firms checking our credit ratings?
Weexpect companies to search our credit files when we apply for a loan or insurance quote — but why are they searching the records of people who aren’t their customers?
I tried to answer this question after discovering a host of insurers I’d never used had accessed my credit file multiple times over an 18-month period.
They all performed ‘soft searches’, where firms check your file to see your credit rating or verify your identity without it affecting your score.
Under Data Protection Act rules, everyone has a right to know what data is being collected about them, how it is used and whether it is shared with third parties
But when credit reference agency Experian contacted the insurers on my behalf to ask why they were looking at my file, they just deleted the search records and refused to say more.
Under Data Protection Act rules, everyone has a right to know what data is collected about them and how it is used, so I tried asking the insurers.
After approaching the AA, I was finally told it had been given my information by comparison site Moneysupermarket — which I hadn’t used in years.
Insurer First Central said the same. So I made a subject access request to find out what information Moneysupermarket held about me.
Eventually, I received documents showing it held a record of the main details of my personal life going back to 2010, including everywhere I had lived, cars I’d owned, my jobs, salaries, education status and even whether I was single.
Most of this data was based on searches I’d made more than five years ago — but after yet more identity checks, it turned out my husband used the site to search for car insurance in 2019 and listed me as a named driver.
When using the site, customers are asked to tick a box to accept its terms and conditions.
But many won’t realise that by doing so the firm can hold, access and share your data for years after, even if you do not buy a policy. Moneysupermarket’s terms are in the small print of an 8,000-word privacy policy.
Consumer rights expert Martyn James says our data is incredibly valuable to insurers. ‘It helps them target customers to market products but it also helps them profile drivers to refine their premium pricing,’ he explains.
A Moneysupermarket.com spokesperson says: ‘We place the highest importance on our customers’ privacy . . . It is down to the primary policyholder inputting additional driver details to seek consent for the additional data.’
So is all this legal?
General Data Protection Regulation (GDPR) was introduced in 2018 to give people more control over how organisations use their data.
But there are grey areas that are open to interpretation. And your information can still be shared with third parties even if you do not give explicit consent. Instead, firms can claim they have a ‘legitimate interest’ in doing so.
This is what might allow a competition website to legally share your data with its partners for related marketing purposes.
Firms are still obliged to abide by a check list of strict rules — such as ensuring the wording is clear and making it easy to opt out.
They are also not permitted to use pre-ticked boxes or any other method of ‘default consent’ such as vague small print.
Yet when I showed two of the competitions I had allegedly entered to GDPR expert Mark Gracey, he expressed concerns.
‘I would say the fact that they want to share your data with third-parties that don’t necessarily relate to the competition is not clear and relies on you to specifically read their privacy policy,’ he says.
‘There is no obvious way for you to unsubscribe — and GDPR requires opt-out to be as easy as opting-in. GDPR also requires that consent is freely given and refusing is not detrimental. So arguably, you should be able to enter the competition without your data being shared,’ he adds.
Firms are also prohibited from making marketing calls or sending emails and text messages without your permission under the Privacy and Electronic Communications Regulations (PECR).
Those who break the rules face fines of up to £500,000 and company directors can be held personally liable.
The Information Commissioner’s Office logged 60,363 complaints about nuisance calls and texts between April and September, and 130,046 about emails.
The law also states that if you request not to be called again, the firm should remove your details from its marketing lists.
And you can add your number to the Telephone Preference Service (tpsonline.org.uk).
This means a company cannot contact you unless they have express permission — though this won’t stop calls from fraudsters.
But James Walker, chief executive of Rightly, a firm that helps customers manage their data, says: ‘The Government needs to change the outdated Data Protection Act and force companies to be more transparent about how they use consumer information and to treat personal data more fairly.’
A firm called Super Savvy Me, sent Victoria 14 emails – 11 of which were reminding her to confirm her password. Yet she had never heard of the firm nor opened an account
What was my outcome?
After investigating for more than a year, I’m sadly little closer to discovering exactly who has been giving out my contact details.
Most firms were reasonably quick to respond to subject access requests stating how they got hold of my data.
But when I pointed out the details were incorrect and that I had not given out the information, most went quiet. They just said that they had done their due diligence and that was that.
And as you can see from my experience, you end up being passed back and forth between them.
It’s clear we need far more transparency around how our details are traded. At present, as this sorry saga shows, once your data is out there, it could end up in anyone’s hands.
What the firms said
A Scottish Power spokesman says: ‘We treat this matter seriously and therefore would like to thank Mrs Bischoff for bringing this to our attention and we are now carrying out our own investigation’.
A Utilita spokesman said: ‘Our best practice methods far exceed the legal obligations that we are required to meet.’
A Diabetes UK spokesman apologises and says that no one should receive a ‘cold call’ from the charity.
Choose Leads, which provided Octopus Energy with my information, says it takes compliance very seriously, and takes steps to ensure any sources of data and collection websites comply with ICO guidelines.
Response Concepts says it performs ‘strict due diligence’ on its partners to ensure their methods are reliable — and that what happened to me is rare.
A spokesman for Octopus says analysis indicates my data was collected in a compliant manner, but that the firm would not be renewing its telesales agency contacts when they came to an end.
Green Flamingo did not respond to requests for a comment.
#fiveDealsWidget .dealItemTitle#mobile {display:none} #fiveDealsWidget {display:block; float:left; clear:both; max-width:636px; margin:0; padding:0; line-height:120%; font-size:12px} #fiveDealsWidget div, #fiveDealsWidget a {margin:0; padding:0; line-height:120%; text-decoration: none; font-family:Arial, Helvetica ,sans-serif} #fiveDealsWidget .widgetTitleBox {display:block; float:left; width:100%; background-color:#B11B16; } #fiveDealsWidget .widgetTitle {color:#fff; text-transform: uppercase; font-size:18px; font-weight:bold; margin:6px 10px 4px 10px; } #fiveDealsWidget a.dealItem {float:left; display:block; width:124px; margin-right:4px; margin-top:5px; background-color: #e3e3e3; min-height:200px;} #fiveDealsWidget a.dealItem#last {margin-right:0} #fiveDealsWidget .dealItemTitle {display:block; margin:10px 5px; color:#000; font-weight:bold} #fiveDealsWidget .dealItemImage, #fiveDealsWidget .dealItemImage img {float:left; display:block; margin:0; padding:0} #fiveDealsWidget .dealItemImage {border:1px solid #ccc} #fiveDealsWidget .dealItemImage img {width:100%; height:auto} #fiveDealsWidget .dealItemdesc {float:left; display:block; color:#e22953; font-weight:bold; margin:5px;} #fiveDealsWidget .dealItemRate {float:left; display:block; color:#000; margin:5px} #fiveDealsWidget .dealFooter {display:block; float:left; width:100%; margin-top:5px; background-color:#e3e3e3 } #fiveDealsWidget .footerText {font-size:10px; margin:10px 10px 10px 10px;} @media (max-width: 635px) { #fiveDealsWidget a.dealItem {width:19%; margin-right:1%} #fiveDealsWidget a.dealItem#last {width:20%} } @media (max-width: 560px) { #fiveDealsWidget #desktop {display:none} #fiveDealsWidget .widgetTitleBox {background-color:#e3e3e3; } #fiveDealsWidget .widgetTitle {color:#000} #fiveDealsWidget #mobile {display:block!important} #fiveDealsWidget a.dealItem {background-color: #fff; height:auto; min-height:auto} #fiveDealsWidget a.dealItem {border-bottom:1px solid #ececec; margin-bottom:5px; padding-bottom:10px} #fiveDealsWidget a.dealItem#last {border-bottom:0px solid #ececec; margin-bottom:5px; padding-bottom:0px} #fiveDealsWidget a.dealItem, #fiveDealsWidget a.dealItem#last {width:100%} #fiveDealsWidget .dealItemContent, #fiveDealsWidget .dealItemImage {float:left; display:inline-block} #fiveDealsWidget .dealItemImage {width:35%; margin-right:1%} #fiveDealsWidget .dealItemContent {width:63%} #fiveDealsWidget .dealItemTitle {margin: 0px 5px 5px; font-size:16px} #fiveDealsWidget .dealItemContent .dealItemdesc, #fiveDealsWidget .dealItemContent .dealItemRate {clear:both} }
