
Unsubscribe Safely: Navigating the Risks of Email Opt-Outs


Posted by Tatyana Sanchez

What Are the Risks of Clicking "Unsubscribe" Links?

Many users unsubscribe from emails regularly, whether it's a newsletter they no longer wish to receive or an unwanted subscription they don't recall signing up for. However, what many users may not know is that one in every 644 unsubscribe clicks can lead to a potentially malicious website.

Phishing scams have grown more complex, evolving from basic tricks into intricate operations, and cybercriminals have raised their game accordingly, for example by disguising malicious links as 'unsubscribe' buttons in emails.

Malicious actors exploit unsubscribe links to confirm active email addresses. As Masha Sedova, VP of Human Risk Strategy at Mimecast explained, "The way the attack works is it confirms that the inbox receiving this phishing attack is legitimate and there's a real human clicking the link."

This ultimately helps phishers. They send out mass campaigns, knowing some inboxes are real and some aren't monitored. The attacker's goal is to narrow down their target list, identifying active leads and determining which emails are worth pursuing in later, more targeted campaigns. This is how they prioritize their attacks from a "marketing" perspective, Sedova stated.

Perry Carpenter, Chief Human Risk Management Strategist at KnowBe4, stated, “Cybercriminals can build emails to hide the true URL string behind seemingly innocuous text.” All the hacker needs to do is craft something that looks like an email somebody wouldn't want to receive, like a piece of spam. Then, at the top or footer, it says 'if you don't want to receive these emails anymore, click unsubscribe.' That unsubscribe link can then lead either to a legitimate unsubscribe page or, more dangerously, wherever the attacker wants. It's super easy to do, Carpenter said.

Although the risks of unsubscribing via links may seem low, it's crucial to exercise caution.

How Can Users Identify Legitimate Emails and Unsubscribe Options?

The first step a user should take before unsubscribing is to determine if the email is from a legitimate company. As Sedova explained, "If a user flags a real business as spam, it takes away the business's ability to communicate," ultimately hindering their ability to conduct business and engage with current and potential customers.

If a user is confident the email is from a newsletter they signed up for, or from a legitimate business like a local gym or Amazon, then it's generally safe to click unsubscribe. However, if the user clicks to unsubscribe from an unfamiliar email or newsletter and is directed to a website that asks for user credentials, "jump ship; that's not the unsubscribe experience we are looking for," Sedova stated. But if the page doesn't ask for credentials and simply confirms the user has been removed from the mailing list (e.g., "You've been unsubscribed"), then they're usually safe from a phishing attack.

Carpenter added, "If it's the first time receiving an email and the user doesn't remember signing up for that service, then don't click on it right away. Maybe delete it or set a rule within the inbox."

Employees should also report suspicious emails to their security team for review before clicking an "unsubscribe" button. As Chris Taylor, Principal Consultant at Taksati Consulting, noted in his RSAC 2024 webcast, "Don't forward the email to the security team as the coding in the email goes away; instead, create a new email and forward it as an attachment to the security team."

It's also worth noting that most legitimate businesses offer easy opt-outs due to regulations and laws like the CAN-SPAM Act, which we will discuss later in this blog. Therefore, if unsubscribing becomes a hassle, exercise caution with such email(s).

Determining if an unsubscribe link is legitimate can be difficult because many marketing links are routed through third-party tracking services. For instance, a user might hover over a link and see a complicated URL. This is because the email takes the user through several different agency tracking services, such as Constant Contact. While Constant Contact is a legitimate service, they might be sending emails on behalf of a large company like Amazon or Walmart. In this scenario, when a user hovers over the link, they won't see "Amazon" or "Walmart" in the URL; but will see "Constant Contact," as Carpenter explained. Therefore, using best judgment is key when unsubscribing from links.

What Are Safer Alternatives and Best Practices for Managing Unwanted Emails?

Sedova highlighted a couple of safer ways to stop receiving spam than clicking an "unsubscribe" button:

  • Mark as Spam or Junk: This moves the email out of the inbox and tells the email provider the sender isn't trustworthy. If enough people mark emails from a particular sender as spam, that sender's reputation will drop, and their emails will eventually go directly to spam for everyone.
  • Block Sender: This stops all future emails from a specific sender from reaching your inbox.

These methods can significantly reduce unwanted emails, though they don't guarantee complete elimination. For that, users need to unsubscribe, using best judgment to decide when it's safe to do so.

Simply ignoring or deleting unwanted emails, rather than unsubscribing, can leave a user more vulnerable to phishing attacks. Studies show that cognitive overload is a major reason people click on phishing links, as Sedova explained. When users are under pressure, like facing a deadline or dealing with a high volume of emails, they're more likely to click on a phishing email.

Sedova recommends maintaining good email hygiene to minimize this mental load. Unsubscribing can help with this by reducing the number of emails a user receives.

How Email Security Has Evolved to Combat Spam and Phishing

Email security has come a long way in fighting spam and phishing. Services like Gmail and Outlook now integrate security features directly into their platforms, making it safer to manage unwanted emails.

Carpenter highlights that Gmail's unsubscribe option, visible within its interface, is generally trustworthy. While attackers can mimic these features, if a user is reasonably sure the sender is a legitimate company and the option appears within an email client's interface (not just in the email message itself), it's a much safer way to unsubscribe.
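The two checks described above can be automated for a security team reviewing a reported message: compare the host behind any "unsubscribe" link with the sender's domain (the hover-over-link check), and note whether the message carries a List-Unsubscribe header, which is what mail clients such as Gmail use to offer their own unsubscribe option. This is an added Python example, not code from the article or from the quoted experts; the sample message is constructed, and base_domain is a simplified assumption that takes the last two labels rather than consulting the Public Suffix List.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): the anchor text says "unsubscribe",
# but the href host is unrelated to the From domain and no List-Unsubscribe
# header is present for the mail client to offer its own unsubscribe option.
RAW_MESSAGE = b"""From: Deals <news@example-shop.com>
Content-Type: text/html; charset=utf-8

<html><body><p>Great offers this week!</p>
<p>If you don't want these emails, <a href="https://login-portal.example.net/u?id=42">unsubscribe</a>.</p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def base_domain(host):
    """Crude registrable-domain guess (last two labels); assumption, not a PSL lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:]) if host else ""
def review_unsubscribe(raw):
    """Report List-Unsubscribe presence and unsubscribe links off the sender's domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_host = msg["From"].addresses[0].domain if msg["From"] else ""
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    findings = []
    for text, href in collector.links:
        if re.search(r"unsubscribe|opt.?out", text, re.I):
            link_host = urlparse(href).hostname or ""
            if base_domain(link_host) != base_domain(sender_host):
                findings.append(f"'{text}' -> {link_host} (sender: {sender_host})")
    return {"has_list_unsubscribe": msg["List-Unsubscribe"] is not None,
            "mismatched_links": findings}
```

A mismatch is not proof of phishing (third-party senders such as Constant Contact produce one legitimately), but it is the signal that should trigger a closer look before anyone clicks.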

Advancements in email security are set to incorporate sophisticated AI embedded directly into email clients and/or gateway solutions. This can allow the AI to identify and flag suspicious characteristics that current security measures might miss. For example, it could alert a user to emails using highly emotional language or warn if a link leads to an untrustworthy site. By surfacing these "red flags" directly in the email header or interface, AI can empower users to make more informed decisions and avoid potential threats, Carpenter explained.

Carpenter also highlighted the CAN-SPAM Act, a federal law that regulates commercial emails. Companies violating these regulations, such as not providing a clear unsubscribe option or using misleading information, can face hefty fines from the Federal Trade Commission (FTC). For details on the CAN-SPAM Act's requirements, visit the FTC website.

Ultimately, if a user maintains a strong security posture—meaning their systems are patched, extensions are up to date, and browsers are current—Sedova believes the reduction in cognitive load that unsubscribing provides outweighs its risks.

Contributors
Tatyana Sanchez

Senior Coordinator, Content & Programming, RSAC

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
