We’ve all been there—our inbox fills with unwanted emails and the easiest solution seems to be clicking the “unsubscribe” link at the bottom. Sadly, clicking ‘unsubscribe’ links isn’t always safe anymore! If the email hasn’t come from a trusted source, that simple action could open the door to cybercriminals!

Recent warnings from cybersecurity experts reveal that hackers are now exploiting our desire to declutter our inbox! How very rude indeed! Instead of removing you from a mailing list, unsubscribe links in suspicious emails can be used to identify you as an active user, harvest your personal data, or redirect you to phishing websites. It’s a tactic that’s growing in popularity, and it poses a real risk to both individuals and businesses.
How Cybercriminals Use ‘Unsubscribe’ Links
According to DNSFilter’s CTO TK Keanini, around 1 in 644 unsubscribe clicks leads to a harmful destination. “There’s a big difference between the unsubscribe function embedded by your email client and the one coded into the email itself,” Keanini explained. “The latter can send you out of the protected environment of your email platform and onto the open web, where you’re far more vulnerable.”
While 1 in 644 might seem small at first glance, the sheer volume of emails sent daily turns it into a serious concern. These malicious links can:
- Track your clicks to confirm your email is active.
- Lead to spoofed login pages to steal credentials.
- Launch malware or tracking scripts via your browser.
- Profile you for more targeted attacks in the future.
Even worse, attackers are getting so much better at making their messages look legitimate, thanks to AI, increasing the chances that users will engage.
Safer Ways to Manage Email
Fortunately, there are safer alternatives. Most modern email clients, including Gmail, Outlook, Apple Mail and others, use a function known as list-unsubscribe headers. These headers are recognised by the email platform and often display a safe, in-built unsubscribe button near the top of the message, such as Gmail’s “Unsubscribe” link next to the sender’s name, Apple Mail’s grey “Unsubscribe” button below the subject, or Outlook’s banner option above the message content.
Since list-unsubscribe headers are rendered by the email provider itself (not the email sender), they don’t carry the same risks and therefore act as a kind of trusted bridge between you and the sender’s database (if that database exists at all).
If that safe option isn’t available, don’t risk it. Instead:
- Block the sender.
- Set up email filters.
- Consider using disposable or aliased email addresses to protect your identity.
- Mark the message as spam (use sparingly though, since this one could inadvertently lead a genuine sender to get blacklisted!)
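The list-unsubscribe headers described above can be seen by inspecting a raw message. The following Python code is an added example, not part of the original article: it reads the `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058) headers and flags a message whose only unsubscribe option is a link coded into the body. The sample messages, their domains and the `unsubscribe_report` helper are constructed for illustration, and DKIM signatures are not checked.

```python
import re
from email import message_from_string

# Constructed sample messages; every address and domain is a placeholder.
WITH_HEADER = """\
From: News <news@example.com>
To: user@example.org
Subject: Weekly update
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>, <https://example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/html

<p>Hello</p><a href="https://example.com/prefs?id=abc123">Unsubscribe</a>
"""

BODY_ONLY = """\
From: Deals <deals@example.net>
To: user@example.org
Subject: Special offer
Content-Type: text/html

<p>Hi</p><a href="http://tracker.invalid/c?id=42">Click to unsubscribe</a>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def unsubscribe_report(raw: str) -> dict:
    """Report whether a message offers header-based or only body-link unsubscribe."""
    msg = message_from_string(raw)
    # RFC 2369: List-Unsubscribe holds comma-separated URIs in angle brackets.
    header_uris = re.findall(r"<([^<>]+)>", msg.get("List-Unsubscribe", ""))
    # RFC 8058 one-click: the Post header plus at least one HTTPS URI.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = post == "list-unsubscribe=one-click" and any(
        u.lower().startswith("https://") for u in header_uris
    )
    # Collect leaf parts as text; transfer encodings are not decoded here.
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    body_links = [href for href, text in ANCHOR.findall(body) if "unsubscribe" in text.lower()]
    return {
        "header_uris": header_uris,
        "one_click": one_click,
        "body_links": body_links,
        # True when the only way out is a link coded into the email itself.
        "body_only": bool(body_links) and not header_uris,
    }

if __name__ == "__main__":
    for name, raw in (("with header", WITH_HEADER), ("body only", BODY_ONLY)):
        print(name, unsubscribe_report(raw))
```

A message that reports `body_only` as true is the case where the advice above applies: block or filter the sender instead of clicking.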
What Businesses Should Do
This issue also impacts businesses relying on email marketing. If recipients don’t trust unsubscribe links, legitimate messages may be ignored or flagged as spam. To build trust, businesses could and should:
- Use secure, standards-based unsubscribe headers (mass-mailing platforms may already do this for you).
- Avoid embedded HTML unsubscribe links where possible.
- Be transparent about data handling practices.
There’s more information about secure, standards-based unsubscribe headers and how they work here
Note: The above link takes you to an easy to read blog post about secure, standards-based unsubscribe headers on a secure and legitimate website, but it’s a company we don’t have an established relationship with, so we can’t absolutely guarantee accuracy of all the content.
Additionally, businesses should train staff to understand that clicking on ‘Unsubscribe’ isn’t always safe, so they should avoid clicking unsubscribe links in unexpected emails. Regular security training, including phishing simulations (such as those available with KnowBe4), and robust email protection tools can all help reduce risk.
Final Thoughts
What used to be a simple way to clean up your inbox is now a potential cyber threat. The humble unsubscribe link has been weaponised, turning user habits into vulnerability points. By staying cautious and adopting safer practices, both individuals and organisations can better protect themselves in today’s evolving threat landscape.
STOP – THINK – DON’T CLICK unless you are 100% certain the email has definitely come from a trusted source AND the link is legitimate – check where the URL really goes by hovering your mouse pointer over it and reading the URL very, very carefully!

