Risks of ‘Unsubscribing’ from Unwanted Email

Unsubscribe email risks.jpg

We all receive loads of unwanted email solicitations, warnings, and advertisements.  It can be overwhelming to the point of being obnoxious.  Some days it feels like an unending barrage of distracting deliveries which requires a constant scrubbing of my inbox. 

Beyond being frustrating, there are risks.  In addition to the desired and legitimate uses of email, there are several shady and downright malicious uses.  Email is a very popular method for unscrupulous marketers, cyber criminals, and online threats to conduct social engineering types of attacks.  Spam, phishing, and fraud are common.  Additionally, many attackers seeking to install malware will use email as a delivery mechanism.  Electronic mail can be an invasive communication mechanism, so care must be taken. 

Unfortunately, like most people, I tend to make my own situation even worse.  In my professional role, I devour a tremendous amount of industry data, news, and reports to keep on the pulse of change for technology and security.  This usually requires me to ‘register’ or provide my email address before I get a ‘free’ copy of some analysis I desire.  I could just give a false email, but that would not be ethical in a business environment.  It is a reasonable and expected trade, where both parties benefit.  I get the information I seek and some company gets a shot at trying to sell me something.  Fair enough, so I suffer and give my real work email.  In this tacit game, there is an escape clause.  I can request to no longer be contacted with solicitations after the first email lands in my inbox.  Sounds simple, but it is not always that easy.

The reality is I receive email from many more organizations than I ‘register’ with.  Which means someone is distributing my electronic address to many others.  They in turn repeat and now the tsunami surging into my inbox gains strength.  I become a target of less-than-ethical marketers, cyber attackers, and a whole lot of mundane legitimate businesses just trying to reach new customers.

Some include an ‘unsubscribe’ link at the bottom which holds an appealing lure of curbing the flood of email destined for the trash anyways.  But be careful.  Things are not always as they seem.  While attempting to reduce the load in your inbox, it might actually increase the amount of spam, and worst case you could be infecting your system with malware by clicking that link.  Choose wisely!

Recommendations for using ‘unsubscribe’:

Rule #1: If it is a legitimate company sending the email, use the ‘unsubscribe’ option.

Make sure the link points back to a domain associated with the purported sender.  Legit companies or their marketing vendor proxy will usually honor the request.

Rule #2: If it is a shady company do not ‘unsubscribe’, just delete.

If your mail service supports it, setup a BLOCK or SPAM rule to automatically filter future messages for these.

If it is seriously malicious, the ‘unsubscribe’ link may take you to a site preconfigured to infect or compromise your system.  This is just another way bad guys get people to click on embedded email links.  DON’T FALL FOR IT!  It may result in a possible malware infection or system compromise.

If it is semi-malicious, like a spam monster who will send mail to any address they can find, then clicking the ‘unsubscribe’ link actually tells them this is a valid email address where someone is reading the mail.  Which is valuable for them to know as they can sell that email address as ‘validated’ to others and use it for future campaigns.  End result: more spam.

Rule #3: Some spam and solicitations don’t offer any ‘unsubscribe’ option.

Just delete.  Probably not a professional company you want to patronize anyways.

If you are in a work environment, be sure to know and follow your corporate policies regarding undesired email.  Many companies have security tools which can inspect, validate, or block bad messages.  Additionally, they may have solutions which leverage employees reporting of bad email to better tune such protections. 

Just remember, if you are not sure the email is legit; don’t open or click anything, and NEVER open any attachments, including PDFs, office documents, HTML files, or any executables.  Only open attachments from trusted sources as they can be used by attackers to deliver Trojans which may infect your system with malware, ransomware, or other remote manipulation tools.  Cybercriminals often look like real companies with real products.  Make email life easier by ‘unsubscribing’ with care and necessary forethought.

Interested in more?  Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

Published on Categories SecurityTags ,
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.