If you’ve ever gotten a vague email asking you to “subscribe or unsubscribe” or to “confirm your subscription” you may be tempted to click “Unsubscribe”. Don’t!
The trap is simple – a spammer sends out thousands (or millions) of emails with no images or attachments, only a link (or two).
One way to recognize these spam emails is that they usually contain nothing other than the unsubscribe link. There’s no indication of what newsletter or website you’re actually unsubscribing from.
Real newsletters will also have an unsubscribe link, but it’s usually quite small and buried at the bottom of the email. Real newsletters also make it very obvious where they are coming from.
If you click on the link a couple of things could happen. One is annoying, and the other is quite a bit worse.
The best-case scenario if you click on the unsubscribe link is that you signal to the spammer that your email address is being actively monitored. The link can report this either by generating an email reply to the spammer or by redirecting you to a web address that is unique to your email address. This puts your email address on an “active” list to receive additional spam or scam emails.
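The two tells described above (a message that says little beyond “unsubscribe”, and a link that carries a per-recipient identifier) can be turned into a simple triage check. This is an added example, not code from the original post; the message samples are constructed, and the `.invalid` domain and the 40-word threshold are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs
LINK_RE = re.compile(r'https?://[^\s"<>]+', re.I)
UNSUB_RE = re.compile(r"unsubscribe|confirm your subscription", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")  # long opaque value: likely a per-recipient id
def has_recipient_token(url: str) -> bool:
    # True if the link identifies the recipient: an address, or a long opaque token.
    u = urlparse(url)
    values = [seg for seg in u.path.split("/") if seg]
    for vals in parse_qs(u.query).values():
        values.extend(vals)
    return any("@" in v or TOKEN_RE.fullmatch(v) for v in values)

def body_text(msg) -> str:
    # Concatenate the decoded text/plain and text/html parts of the message.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message: str) -> dict:
    # Score one raw RFC 5322 message against the "bare unsubscribe link" pattern.
    text = body_text(message_from_string(raw_message))
    links = LINK_RE.findall(text)
    prose = re.sub(r"<[^>]+>", " ", LINK_RE.sub(" ", text))  # drop tags and URLs
    word_count = len(re.findall(r"[A-Za-z']+", prose))
    tracking = [u for u in links if has_recipient_token(u)]
    # Bait: talks about (un)subscribing, says almost nothing else, and every link
    # is personalised, so a click confirms the address is live (assumed threshold).
    suspicious = (bool(UNSUB_RE.search(text)) and word_count < 40
                  and len(links) > 0 and len(tracking) == len(links))
    return {"suspicious": suspicious, "word_count": word_count,
            "link_count": len(links), "tracking_links": tracking}

# Constructed sample messages (not real mail); .invalid is a reserved TLD.
BAIT = """Subject: Subscribe or unsubscribe

To unsubscribe click here: https://example.invalid/u/7f3a9c2e5b1d4f60a8c3e2b9d1f05a7c
"""
NEWSLETTER = """Subject: Example Security Newsletter, issue 42

Hello Alice, here is this week's digest from the Example Security Newsletter.
This issue covers browser patch notes, a summary of the phishing campaigns we
observed, and a reminder to turn on automatic updates for Windows and your
browser. You signed up at example.com. Unsubscribe: https://newsletter.example.com/unsubscribe?list=weekly
"""
```

Run `triage(BAIT)` and `triage(NEWSLETTER)` to see the bare message flagged and the real newsletter passed; a legitimate list that also uses personalised links still passes because it has real content around the link.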
However, some of these spam emails go a step further into malware territory. If you’ve been reading my monthly security updates then you know that Chrome is finding and fixing actively exploited security vulnerabilities (called zero-day vulnerabilities) every month. It’s not just Chrome, either: Firefox, Safari, and the other major browsers are doing the same. These spam websites could potentially deliver malware that exploits these vulnerabilities on an unpatched system (you are keeping up-to-date with Windows and browser updates, right?).
If you receive a generic email asking if you want to unsubscribe, the safest thing to do is simply delete it. If you’re using something like Gmail, you may also want to mark it as “Junk” (which will help Gmail filter these out in the future).
Like I’ve said before, clicking on a link in an email – especially if you don’t know where the email came from – is a legitimate risk not only to your email inbox, but your computer, your network, and maybe even your workplace.