Why Clicking ‘Unsubscribe’ Can Be Risky

Category: Cyber Security | Published: 2025-07-03

Why the Unsubscribe Link Isn’t Always Safe

The warning comes from TK Keanini, Chief Technology Officer at cybersecurity firm DNSFilter. Speaking recently to The Wall Street Journal, Keanini explained that unsubscribe links embedded in spam emails are increasingly being used by cybercriminals as a means of identifying active users and directing them to malicious websites.

Not Just Theoretical

The risks are not just theoretical. For example, DNSFilter estimates that roughly one in every 644 clicks on an unsubscribe link leads to a harmful destination. That may sound like a small percentage, but across the billions of marketing emails sent each day, the number of victims quickly adds up.

Unlike legitimate unsubscribe tools offered by trusted senders, these deceptive links don’t remove you from a list. Instead, they exploit your trust, either by redirecting you to phishing pages designed to steal your personal information, or by quietly logging your interaction to flag your email address as a ‘live’ target for further attacks.

What Makes These Links So Dangerous?

Keanini warns that while many spam emails are caught by filters, some still slip through. Also, when users click the unsubscribe link at the bottom (thinking they’re taking control of their inbox) they’re often doing the exact opposite.

_“There’s a big difference between the unsubscribe function embedded by your email client and the one coded into the email itself,”_ Keanini explained. _“The latter can send you out of the protected environment of your email platform and onto the open web, where you’re far more vulnerable.”_

At best, this action notifies scammers that your address is actively monitored. At worst, it takes you to a spoofed landing page where you might be asked to enter your email address or login credentials under false pretences. Some pages can even exploit vulnerabilities in your browser to initiate malware downloads or install tracking scripts.

Security analysts have also warned that even a single click can help attackers build up a profile on a target. Over time, this can lead to more personalised phishing emails, fake login pages, or even ransomware attacks disguised as legitimate follow-ups.

Better Ways to Unsubscribe Safely

Fortunately, there are safer ways to manage unwanted emails. Most modern email clients, including Gmail, Outlook, Apple Mail and others, recognise a standard email header known as List-Unsubscribe. When the header is present, the email platform typically displays its own in-built unsubscribe control near the top of the message, such as Gmail’s “Unsubscribe” link next to the sender’s name, Apple Mail’s grey “Unsubscribe” button below the subject, or Outlook’s banner option above the message content.

Since that unsubscribe control is rendered by the email provider itself (not by a link the sender controls in the message body), it doesn’t carry the same risks and, therefore, acts as a kind of trusted bridge between you and the sender’s database (if that database exists at all).

Just Mark it as Spam or Block the Sender

If no list-unsubscribe option is present, experts recommend marking the message as spam, blocking the sender, or setting up an automated filter. In some cases, you can even block the sender’s IP address if they persist in using different email accounts.

Use Disposable Email Addresses

Another good practice is using email aliasing or disposable addresses. Gmail, for example, supports ‘plus addressing’, which lets users sign up to services using addresses like yourname+shopping@gmail.com. If that alias starts receiving spam, you can simply filter or delete it without affecting your main account.

Apple’s ‘Hide My Email’ feature offers a similar layer of privacy, creating unique, random addresses that forward to your inbox. This helps mask your real address from third parties and allows you to shut down addresses that become compromised.

Businesses and Marketing Teams

While this development raises new concerns for individuals, it also carries implications for legitimate businesses that rely on email marketing. For example, if users start to fear unsubscribe links, they may avoid interacting with even trusted messages, making it harder for businesses to stay compliant with laws like the UK’s Privacy and Electronic Communications Regulations (PECR) or GDPR.

Under these laws, all commercial emails must include a clear and effective opt-out mechanism. But if users don’t trust that mechanism, businesses may find themselves facing both technical and reputational risks.

Email marketers are now being encouraged to make use of trusted unsubscribe headers recognised by major email clients, rather than relying solely on HTML links in the message body. Tools like Mailchimp, HubSpot, and Campaign Monitor already support these built-in mechanisms, which reduce the need for external web redirects and improve user trust.
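The two points above, that a client-rendered unsubscribe control is driven by the List-Unsubscribe header rather than by a link in the HTML body, and that marketers should emit those headers, can be checked mechanically. The following is an added example, not code from the article or from DNSFilter; it parses a raw message with Python’s standard `email` library, lists the URIs carried in `List-Unsubscribe` (RFC 2369), checks for the one-click `List-Unsubscribe-Post` marker (RFC 8058, which requires exactly one HTTPS URI), and compares any unsubscribe-style links in the body against the sender’s domain. Both sample messages, their addresses and their links are constructed for the example, and the DKIM check only records whether a signature header is present (real verification needs a DKIM library and the sender’s DNS key).

```python
"""Classify how a message lets the recipient unsubscribe: via headers the
mail client can render itself, or only via links inside the message body."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: a sender that emits RFC 2369 / RFC 8058 headers.
# The DKIM-Signature value is a placeholder, not a real signature.
SAMPLE_WITH_HEADERS = b"""From: News <news@example.com>
To: you@example.net
Subject: Weekly update
List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>, <https://example.com/u/abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; b=PLACEHOLDER
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p><a href="https://example.com/u/abc123">Unsubscribe</a></body></html>
"""

# Constructed sample 2: no headers, only a body link pointing off-domain.
SAMPLE_BODY_ONLY = b"""From: Promo <promo@example.com>
To: you@example.net
Subject: Last chance offer
Content-Type: text/html; charset=utf-8

<html><body><p>Buy now</p><a href="http://unsub-tracker.example.org/?e=you@example.net">unsubscribe</a></body></html>
"""

ANGLE_URI_RE = re.compile(r"<([^>]+)>")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def parse_list_unsubscribe(header_value):
    """RFC 2369: a comma-separated list of angle-bracketed URIs."""
    if not header_value:
        return []
    return [u.strip() for u in ANGLE_URI_RE.findall(str(header_value))]


def is_one_click(msg):
    """RFC 8058: List-Unsubscribe-Post marker plus exactly one HTTPS URI."""
    post = str(msg.get("List-Unsubscribe-Post", "")).strip().lower()
    uris = parse_list_unsubscribe(msg.get("List-Unsubscribe", ""))
    https = [u for u in uris if u.lower().startswith("https://")]
    return post == "list-unsubscribe=one-click" and len(https) == 1


def body_links(msg):
    """Return every href found in the preferred (html, then plain) body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return HREF_RE.findall(body.get_content()) if body else []


def assess(raw_bytes):
    """Summarise the unsubscribe options of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    uris = parse_list_unsubscribe(msg.get("List-Unsubscribe", ""))
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    links = body_links(msg)
    # Body links whose host is not the sender's domain (or a subdomain of it)
    # are the ones the article warns about: they leave the mail platform.
    off_domain = [
        link for link in links
        if not (urlparse(link).hostname or "").lower().endswith(from_domain)
    ]
    result = {
        "header_uris": uris,
        "mailto": [u for u in uris if u.lower().startswith("mailto:")],
        "https": [u for u in uris if u.lower().startswith("https://")],
        "one_click": is_one_click(msg),
        "dkim_header_present": "DKIM-Signature" in msg,  # presence only
        "body_links": links,
        "off_domain_body_links": off_domain,
    }
    if result["one_click"] or result["mailto"]:
        result["advice"] = "use the mail client's own unsubscribe control"
    elif uris:
        result["advice"] = "header present but not one-click; prefer client control or mark as spam"
    else:
        result["advice"] = "no header-based unsubscribe; mark as spam or block sender, do not click body links"
    return result


if __name__ == "__main__":
    for label, raw in (("with headers", SAMPLE_WITH_HEADERS), ("body only", SAMPLE_BODY_ONLY)):
        print(label, assess(raw))
```

A marketing team can run the same check against its own outbound templates: a message that fails `is_one_click` will not get the client-rendered button in the mail clients the article lists, leaving recipients with only the body link the article advises them not to trust.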

Transparency, therefore, is key. Making sure that unsubscribe options are clear, legitimate, and functional will go a long way in protecting both customers and brands from reputational fallout or false positives in spam filters.

Business Users at Higher Risk

For business users, especially those using personal emails for professional tasks, the risks of phishing and malware attacks are significantly higher. For example, a successful scam could lead to leaked client data, ransomware disruption, or credential theft that compromises cloud-based systems and internal communications.

Businesses should, therefore, ensure staff are trained not to click unsubscribe links in suspicious or unexpected emails, even if they appear to be from reputable sources. Phishing simulations and email security briefings can help reinforce this behaviour.

Keanini points out that malicious unsubscribe links are unlikely to be the attacker’s only tool. _“Often, it’s part of a larger campaign,”_ he noted. _“They’re looking for a response - any sign that there’s a human on the other side. Once they get that, they plan their next move.”_

Safer Email Solutions for Businesses

Organisations looking to harden their defences should consider adopting enterprise-grade email protection tools that go beyond simple spam filtering. For example, providers like Proofpoint, Mimecast, and Barracuda (there are others) offer advanced threat protection that scans links in real time, blocks phishing attempts, and provides safe-click technology.

Microsoft 365 and Google Workspace users can also leverage built-in protections such as Safe Links, quarantine reviews, and anti-spoofing measures to prevent dangerous emails from ever reaching end users.

Zero-trust email platforms are gaining traction as well. Tools like Proton Mail for Business and Tutanota offer end-to-end encryption, IP address masking, and strict sender verification, all designed to limit the exposure of user identities and block malicious redirections.

Cybersecurity Best Practices for Email

In addition to technical tools, businesses should encourage staff to follow core email hygiene principles, such as:

– Never click links in unsolicited or unfamiliar emails.

– Hover over links to preview the actual destination URL.

– Use multi-factor authentication (MFA) on all email accounts.

– Regularly update antivirus and anti-malware software.

– Report suspicious emails to the IT or security team for review.

– Conduct quarterly training on evolving phishing tactics.

By implementing a layered approach, combining user awareness, secure infrastructure, and smart email practices, organisations can drastically reduce the likelihood of falling victim to these increasingly sophisticated scams.

What Does This Mean For Your Business?

What this ul